Malware Analysis Report

2025-08-10 17:39

Sample ID 230626-bp2hrage41
Target 4d0f16309f1dfe19ab558a13624df4aa.bin
SHA256 c1c129e0b967434b1ca76280cd7219b43f3633e0c9bf2f18088b8da298068616
Tags
amadey fabookie gcleaner glupteba smokeloader pub5 up3 backdoor discovery dropper evasion loader persistence rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c1c129e0b967434b1ca76280cd7219b43f3633e0c9bf2f18088b8da298068616

Threat Level: Known bad

The file 4d0f16309f1dfe19ab558a13624df4aa.bin was found to be: Known bad.

Malicious Activity Summary

amadey fabookie gcleaner glupteba smokeloader pub5 up3 backdoor discovery dropper evasion loader persistence rootkit spyware stealer trojan upx

GCleaner

Fabookie

SmokeLoader

Windows security bypass

Detect Fabookie payload

Glupteba payload

Glupteba

Amadey

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Checks computer location settings

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks installed software on the system

Manipulates WinMonFS driver.

Manipulates WinMon driver.

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Kills process with taskkill

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-26 01:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-26 01:19

Reported

2023-06-26 01:22

Platform

win10v2004-20230621-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

GCleaner

loader gcleaner

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\newplayer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 680 set thread context of 3332 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3772 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ss41.exe
PID 3772 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ss41.exe
PID 3772 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe
PID 3772 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe
PID 3772 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe
PID 3772 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\newplayer.exe
PID 3772 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\newplayer.exe
PID 3772 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\newplayer.exe
PID 2800 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\newplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2800 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\newplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2800 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\newplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 228 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 228 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 228 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 228 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 3140 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 2008 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 4708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 832 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2572 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2572 wrote to memory of 732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4092 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\SYSTEM32\taskkill.exe
PID 4092 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\SYSTEM32\taskkill.exe
PID 4092 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\SYSTEM32\taskkill.exe
PID 4092 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\SYSTEM32\taskkill.exe
PID 228 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 228 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 228 wrote to memory of 5064 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 228 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 228 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 228 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 680 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 680 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 680 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 680 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 680 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 680 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 228 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe
PID 228 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe
PID 228 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe
PID 5020 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5020 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5064 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 5064 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 4688 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4688 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4688 wrote to memory of 1284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 4456 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe

"C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe"

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe

"C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe"

C:\Users\Admin\AppData\Local\Temp\newplayer.exe

"C:\Users\Admin\AppData\Local\Temp\newplayer.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\SYSTEM32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5064 -ip 5064

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 620

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5064 -ip 5064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 1420

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 47.125.24.20.in-addr.arpa udp
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
US 8.8.8.8:53 218.211.100.103.in-addr.arpa udp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 80.74.9.45.in-addr.arpa udp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
US 8.8.8.8:53 108.26.221.154.in-addr.arpa udp
NL 45.12.253.56:80 45.12.253.56 tcp
US 8.8.8.8:53 56.253.12.45.in-addr.arpa udp
US 8.8.8.8:53 aapu.at udp
KR 183.100.39.157:80 aapu.at tcp
KR 183.100.39.157:80 aapu.at tcp
US 8.8.8.8:53 157.39.100.183.in-addr.arpa udp
KR 183.100.39.157:80 aapu.at tcp
KR 183.100.39.157:80 aapu.at tcp
KR 183.100.39.157:80 aapu.at tcp
KR 183.100.39.157:80 aapu.at tcp
KR 183.100.39.157:80 aapu.at tcp
KR 183.100.39.157:80 aapu.at tcp
US 20.189.173.9:443 tcp
US 8.8.8.8:53 fde7f5ec-e06d-4985-87f9-7f7d9eb6818b.uuid.duniadekho.bar udp
KR 183.100.39.157:80 aapu.at tcp
KR 183.100.39.157:80 aapu.at tcp
GB 96.16.110.41:443 tcp
KR 183.100.39.157:80 aapu.at tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 server14.duniadekho.bar udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.50:443 server14.duniadekho.bar tcp
US 8.8.8.8:53 luckytradeone.com udp
US 172.67.181.198:443 luckytradeone.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 198.181.67.172.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 stun.ipfire.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
IN 172.253.121.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 127.121.253.172.in-addr.arpa udp

Files

memory/3772-133-0x00000000003A0000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 ea11d0630e80d6352a12d2f6038e10cf
SHA1 68ebbf2da9c694c1dfc5fbcf424001073fb8ab6b
SHA256 2b21d02167f4e5bb4754d83bf9d69bcbd09b5a1507ab8045eaefb1980ecb989f
SHA512 b93314fc9395181c2fa46eeb3ff212ad71ce8d536cc8519d0faba2f25699394fa49d29bd9d29ac1b4b794df686d040828c1ef96d3871446f1cb797357ab9580b

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 ea11d0630e80d6352a12d2f6038e10cf
SHA1 68ebbf2da9c694c1dfc5fbcf424001073fb8ab6b
SHA256 2b21d02167f4e5bb4754d83bf9d69bcbd09b5a1507ab8045eaefb1980ecb989f
SHA512 b93314fc9395181c2fa46eeb3ff212ad71ce8d536cc8519d0faba2f25699394fa49d29bd9d29ac1b4b794df686d040828c1ef96d3871446f1cb797357ab9580b

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 ea11d0630e80d6352a12d2f6038e10cf
SHA1 68ebbf2da9c694c1dfc5fbcf424001073fb8ab6b
SHA256 2b21d02167f4e5bb4754d83bf9d69bcbd09b5a1507ab8045eaefb1980ecb989f
SHA512 b93314fc9395181c2fa46eeb3ff212ad71ce8d536cc8519d0faba2f25699394fa49d29bd9d29ac1b4b794df686d040828c1ef96d3871446f1cb797357ab9580b

C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe

MD5 40fd2785bdb43b73b9491616330ac1c4
SHA1 9951b356ff37de2a8be3023dd7dd45a157a05d06
SHA256 214a0f4e1d3cf5f0f8cae11cd564d4bf51322e1b288f5f1ba7f7475d925e246d
SHA512 240a87b35c032fdf4dc3d05d3c372bc78613e1d8f6a31ad28b7fa9c317ea11fa01edb5dc960bae08d4129bb6ab8a49d9f8f7e82e8af1e71ad4701ffa2efd0d3a

C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe

MD5 40fd2785bdb43b73b9491616330ac1c4
SHA1 9951b356ff37de2a8be3023dd7dd45a157a05d06
SHA256 214a0f4e1d3cf5f0f8cae11cd564d4bf51322e1b288f5f1ba7f7475d925e246d
SHA512 240a87b35c032fdf4dc3d05d3c372bc78613e1d8f6a31ad28b7fa9c317ea11fa01edb5dc960bae08d4129bb6ab8a49d9f8f7e82e8af1e71ad4701ffa2efd0d3a

C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe

MD5 40fd2785bdb43b73b9491616330ac1c4
SHA1 9951b356ff37de2a8be3023dd7dd45a157a05d06
SHA256 214a0f4e1d3cf5f0f8cae11cd564d4bf51322e1b288f5f1ba7f7475d925e246d
SHA512 240a87b35c032fdf4dc3d05d3c372bc78613e1d8f6a31ad28b7fa9c317ea11fa01edb5dc960bae08d4129bb6ab8a49d9f8f7e82e8af1e71ad4701ffa2efd0d3a

C:\Users\Admin\AppData\Local\Temp\newplayer.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\Temp\newplayer.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\Temp\newplayer.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

memory/3924-170-0x0000000001DA0000-0x0000000001DA9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

memory/5064-192-0x0000000000500000-0x0000000000526000-memory.dmp

memory/4092-193-0x0000000002E70000-0x0000000002FE0000-memory.dmp

memory/4092-194-0x0000000002FE0000-0x0000000003111000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/5064-213-0x0000000000550000-0x0000000000590000-memory.dmp

memory/3332-215-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/3332-217-0x0000000000400000-0x0000000000409000-memory.dmp

memory/680-218-0x0000000001DB0000-0x0000000001DB9000-memory.dmp

memory/3168-219-0x0000000000C30000-0x0000000000C46000-memory.dmp

memory/3924-220-0x0000000000400000-0x0000000001B46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/5020-239-0x0000000002AC0000-0x0000000002EB8000-memory.dmp

memory/5020-240-0x0000000002EC0000-0x00000000037AB000-memory.dmp

memory/3860-241-0x0000000002520000-0x0000000002556000-memory.dmp

memory/3860-242-0x0000000004C30000-0x0000000005258000-memory.dmp

memory/3860-243-0x0000000004B00000-0x0000000004B22000-memory.dmp

memory/3860-244-0x00000000053D0000-0x0000000005436000-memory.dmp

memory/3860-245-0x00000000054B0000-0x0000000005516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p3ywsobn.kgy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3860-255-0x00000000024D0000-0x00000000024E0000-memory.dmp

memory/3860-256-0x00000000024D0000-0x00000000024E0000-memory.dmp

memory/3860-257-0x0000000005AE0000-0x0000000005AFE000-memory.dmp

memory/3860-258-0x0000000006030000-0x0000000006074000-memory.dmp

memory/3860-260-0x0000000006DF0000-0x0000000006E66000-memory.dmp

memory/5064-261-0x0000000000400000-0x00000000004F3000-memory.dmp

memory/3860-262-0x00000000074F0000-0x0000000007B6A000-memory.dmp

memory/3860-263-0x0000000006E90000-0x0000000006EAA000-memory.dmp

memory/3860-264-0x00000000024D0000-0x00000000024E0000-memory.dmp

memory/3860-265-0x0000000007050000-0x0000000007082000-memory.dmp

memory/3860-266-0x000000006E880000-0x000000006E8CC000-memory.dmp

memory/3860-267-0x000000007F870000-0x000000007F880000-memory.dmp

memory/3860-268-0x000000006E8D0000-0x000000006EC24000-memory.dmp

memory/3860-278-0x0000000007030000-0x000000000704E000-memory.dmp

memory/3860-279-0x0000000007180000-0x000000000718A000-memory.dmp

memory/3860-280-0x0000000007240000-0x00000000072D6000-memory.dmp

memory/4092-282-0x0000000002FE0000-0x0000000003111000-memory.dmp

memory/3860-283-0x00000000071E0000-0x00000000071EE000-memory.dmp

memory/3860-284-0x00000000072E0000-0x00000000072FA000-memory.dmp

memory/3860-285-0x0000000007220000-0x0000000007228000-memory.dmp

memory/5020-286-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1576-300-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/1576-301-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/1576-302-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/1576-303-0x0000000072C00000-0x0000000072C4C000-memory.dmp

memory/1576-304-0x0000000072840000-0x0000000072B94000-memory.dmp

memory/1576-314-0x000000007F230000-0x000000007F240000-memory.dmp

memory/5020-321-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 43b47de9537891dbec5753897f00ef88
SHA1 e48f02616132655fe46f1d848930cedfa1f60181
SHA256 6716dae122c3df873a744fa9a88cb74459a13d08dcd3ddf649408491441676ee
SHA512 24295c9ba1ebe3d443dea5f2b0c9978d3c13621d694b6d5037c7f66c70df631e9e721e4ae303cece3236d101a7be26fc688aefa6d16da296fac8a3e4162dd6ba

memory/4456-333-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1960-334-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/1960-335-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/1960-336-0x0000000072C00000-0x0000000072C4C000-memory.dmp

memory/1960-337-0x0000000072840000-0x0000000072B94000-memory.dmp

memory/1960-347-0x0000000000EC0000-0x0000000000ED0000-memory.dmp

memory/1960-348-0x000000007EED0000-0x000000007EEE0000-memory.dmp

memory/5016-350-0x0000000003040000-0x0000000003050000-memory.dmp

memory/5016-351-0x0000000003040000-0x0000000003050000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 31d2760daf27576a51f02e60735363c5
SHA1 d2a6229de32df8175b09e8867df7933fa824d946
SHA256 7371acbfc79ee0dad8df1eb99cf2b88a01fe680e621e354140f29099b907393c
SHA512 480e779d7a91076cc5327606c13471a5e00d86fc65acfd592dc9fada22d56b80bbf63cb89819c56108d3cf3e15c34e883c0e6647a3d729a945dd400c99c5849f

memory/5016-362-0x0000000003040000-0x0000000003050000-memory.dmp

memory/5016-363-0x0000000072C00000-0x0000000072C4C000-memory.dmp

memory/5016-364-0x0000000072840000-0x0000000072B94000-memory.dmp

memory/5016-374-0x000000007F3E0000-0x000000007F3F0000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/4456-379-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/3320-383-0x0000000003300000-0x0000000003BEB000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4dec0ffc5294db78202b45d78bc43470
SHA1 dc78d2ebde754b5b4c599e0050ce08e592330898
SHA256 23ab6262fe78365463c16f4bff006faaa54713f9593de84b9f26a8f83f0f4fef
SHA512 4168568b027839d560736e61f9a18f906a008c9e8c7912c339735fe9af5be83bd8b4165716c65ec20f792bd644e5c806628e76d224052fb2e6b14d82a4f57c75

memory/3680-395-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/3680-396-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/3680-397-0x0000000072C00000-0x0000000072C4C000-memory.dmp

memory/3680-398-0x0000000072840000-0x0000000072B94000-memory.dmp

memory/3680-408-0x0000000002CA0000-0x0000000002CB0000-memory.dmp

memory/3680-409-0x000000007FDA0000-0x000000007FDB0000-memory.dmp

memory/2068-416-0x0000000005050000-0x0000000005060000-memory.dmp

memory/2068-417-0x0000000005050000-0x0000000005060000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 31d9f6fb72794d9805f5811e64e2f625
SHA1 6173665f6fd8796c990cad121ac53ca591a2f212
SHA256 0070d6ca3f981db950e944068881f0a13220f0df4e388ca98ce436b10a9e0b27
SHA512 045efc6f82cb4b6cd72b785f2c3655b8f4a645ad21f81e9cae32ab1fe4ddf679e11459c718819245c5c7ab13351e90b63d7fc1cdb00b16a915b8877e4aecff4b

memory/2068-423-0x0000000072D10000-0x0000000072D5C000-memory.dmp

memory/2068-425-0x0000000072840000-0x0000000072B94000-memory.dmp

memory/2068-426-0x000000007F320000-0x000000007F330000-memory.dmp

memory/2068-424-0x0000000005050000-0x0000000005060000-memory.dmp

memory/3320-447-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/4088-450-0x00000000031C0000-0x00000000031D0000-memory.dmp

memory/4088-449-0x00000000031C0000-0x00000000031D0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1c62276c827a1fac605d437883152d0c
SHA1 068eb32e9e99d9c8a6053dca1fa73f9a6123e2a7
SHA256 4e278c5f4fb61644efcd4f7acc2e637b20ceaeb55011743d2e99e2a2eca54ee9
SHA512 e4b8a2cbf9c3e21102de85c543fc297924d878eff8a500746914f12ce6f1d25a40df195258f5f9a43d38111a3170b4a1322fa190a8fd66ab165ee54f84c82709

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/3320-472-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/676-481-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3320-483-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/3320-488-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/3320-491-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2524-493-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3320-494-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/3320-497-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

memory/2524-506-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/3320-507-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

memory/4776-510-0x0000000000400000-0x0000000000C25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

MD5 09031a062610d77d685c9934318b4170
SHA1 880f744184e7774f3d14c1bb857e21cc7fe89a6d
SHA256 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
SHA512 9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

memory/4776-512-0x0000000000400000-0x0000000000C25000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-26 01:19

Reported

2023-06-26 01:22

Platform

win7-20230621-en

Max time kernel

145s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe"

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

GCleaner

loader gcleaner

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\newplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 432 set thread context of 980 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20230626012021.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-384 = "Namibia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\newplayer.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1508 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ss41.exe
PID 1508 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ss41.exe
PID 1508 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ss41.exe
PID 1508 wrote to memory of 272 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ss41.exe
PID 1508 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe
PID 1508 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe
PID 1508 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe
PID 1508 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe
PID 1508 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\newplayer.exe
PID 1508 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\newplayer.exe
PID 1508 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\newplayer.exe
PID 1508 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe C:\Users\Admin\AppData\Local\Temp\newplayer.exe
PID 972 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\newplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 972 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\newplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 972 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\newplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 972 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\newplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 1752 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1752 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1752 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1752 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1752 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1168 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1736 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1876 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 1128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2020 wrote to memory of 520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 272 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\system32\taskkill.exe
PID 272 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\system32\taskkill.exe
PID 272 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\system32\taskkill.exe
PID 272 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\system32\taskkill.exe
PID 272 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\system32\taskkill.exe
PID 272 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\ss41.exe C:\Windows\system32\taskkill.exe
PID 1752 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 1752 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 1752 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 1752 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 1752 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 1752 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 1752 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe
PID 1752 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 1752 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe
PID 1752 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe

"C:\Users\Admin\AppData\Local\Temp\8d8ae453a5773f10fddff520a45326b3d665f79e707898fa0e09b28084bfb1f9.exe"

C:\Users\Admin\AppData\Local\Temp\ss41.exe

"C:\Users\Admin\AppData\Local\Temp\ss41.exe"

C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe

"C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe"

C:\Users\Admin\AppData\Local\Temp\newplayer.exe

"C:\Users\Admin\AppData\Local\Temp\newplayer.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe"

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230626012021.log C:\Windows\Logs\CBS\CbsPersist_20230626012021.cab

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {F1093B00-8987-456D-96D7-FBD9D696C0F6} S-1-5-21-3419557010-3639509551-242374962-1000:IULNABEW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
NL 45.12.253.56:80 45.12.253.56 tcp
US 8.8.8.8:53 07480cc1-d6d3-48ed-99ae-ecb25bec3945.uuid.duniadekho.bar udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 8.8.8.8:53 server5.duniadekho.bar udp
BG 185.82.216.50:443 server5.duniadekho.bar tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun1.l.google.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
IN 172.253.121.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 luckytradeone.com udp
US 172.67.181.198:443 luckytradeone.com tcp
IN 172.253.121.127:19302 stun1.l.google.com udp

Files

memory/1508-54-0x0000000000EB0000-0x0000000000F98000-memory.dmp

\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 ea11d0630e80d6352a12d2f6038e10cf
SHA1 68ebbf2da9c694c1dfc5fbcf424001073fb8ab6b
SHA256 2b21d02167f4e5bb4754d83bf9d69bcbd09b5a1507ab8045eaefb1980ecb989f
SHA512 b93314fc9395181c2fa46eeb3ff212ad71ce8d536cc8519d0faba2f25699394fa49d29bd9d29ac1b4b794df686d040828c1ef96d3871446f1cb797357ab9580b

C:\Users\Admin\AppData\Local\Temp\ss41.exe

MD5 ea11d0630e80d6352a12d2f6038e10cf
SHA1 68ebbf2da9c694c1dfc5fbcf424001073fb8ab6b
SHA256 2b21d02167f4e5bb4754d83bf9d69bcbd09b5a1507ab8045eaefb1980ecb989f
SHA512 b93314fc9395181c2fa46eeb3ff212ad71ce8d536cc8519d0faba2f25699394fa49d29bd9d29ac1b4b794df686d040828c1ef96d3871446f1cb797357ab9580b

\Users\Admin\AppData\Local\Temp\ec193bd8.exe

MD5 40fd2785bdb43b73b9491616330ac1c4
SHA1 9951b356ff37de2a8be3023dd7dd45a157a05d06
SHA256 214a0f4e1d3cf5f0f8cae11cd564d4bf51322e1b288f5f1ba7f7475d925e246d
SHA512 240a87b35c032fdf4dc3d05d3c372bc78613e1d8f6a31ad28b7fa9c317ea11fa01edb5dc960bae08d4129bb6ab8a49d9f8f7e82e8af1e71ad4701ffa2efd0d3a

\Users\Admin\AppData\Local\Temp\ec193bd8.exe

MD5 40fd2785bdb43b73b9491616330ac1c4
SHA1 9951b356ff37de2a8be3023dd7dd45a157a05d06
SHA256 214a0f4e1d3cf5f0f8cae11cd564d4bf51322e1b288f5f1ba7f7475d925e246d
SHA512 240a87b35c032fdf4dc3d05d3c372bc78613e1d8f6a31ad28b7fa9c317ea11fa01edb5dc960bae08d4129bb6ab8a49d9f8f7e82e8af1e71ad4701ffa2efd0d3a

C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe

MD5 40fd2785bdb43b73b9491616330ac1c4
SHA1 9951b356ff37de2a8be3023dd7dd45a157a05d06
SHA256 214a0f4e1d3cf5f0f8cae11cd564d4bf51322e1b288f5f1ba7f7475d925e246d
SHA512 240a87b35c032fdf4dc3d05d3c372bc78613e1d8f6a31ad28b7fa9c317ea11fa01edb5dc960bae08d4129bb6ab8a49d9f8f7e82e8af1e71ad4701ffa2efd0d3a

C:\Users\Admin\AppData\Local\Temp\ec193bd8.exe

MD5 40fd2785bdb43b73b9491616330ac1c4
SHA1 9951b356ff37de2a8be3023dd7dd45a157a05d06
SHA256 214a0f4e1d3cf5f0f8cae11cd564d4bf51322e1b288f5f1ba7f7475d925e246d
SHA512 240a87b35c032fdf4dc3d05d3c372bc78613e1d8f6a31ad28b7fa9c317ea11fa01edb5dc960bae08d4129bb6ab8a49d9f8f7e82e8af1e71ad4701ffa2efd0d3a

\Users\Admin\AppData\Local\Temp\newplayer.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\Temp\newplayer.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\Temp\newplayer.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

memory/524-86-0x0000000000220000-0x0000000000229000-memory.dmp

memory/1252-87-0x0000000002640000-0x0000000002656000-memory.dmp

memory/524-88-0x0000000000400000-0x0000000001B46000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

memory/272-102-0x00000000029F0000-0x0000000002B60000-memory.dmp

memory/272-103-0x0000000002B60000-0x0000000002C91000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

C:\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000200001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

memory/600-113-0x0000000000820000-0x0000000000846000-memory.dmp

memory/600-116-0x0000000000850000-0x0000000000890000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/980-137-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000201001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/980-138-0x0000000000400000-0x0000000000409000-memory.dmp

memory/432-140-0x00000000001B0000-0x00000000001B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/980-150-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/600-161-0x0000000000400000-0x00000000004F3000-memory.dmp

memory/1604-160-0x0000000002670000-0x0000000002A68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1604-163-0x0000000002A70000-0x000000000335B000-memory.dmp

memory/1252-164-0x0000000002B60000-0x0000000002B76000-memory.dmp

memory/980-165-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000202001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1604-170-0x0000000000400000-0x0000000000D1B000-memory.dmp

\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1164-180-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/272-218-0x0000000002B60000-0x0000000002C91000-memory.dmp

memory/696-219-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1384-237-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

memory/1384-267-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1044-271-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1384-274-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/520-275-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1044-276-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

memory/1384-278-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/520-279-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1384-280-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1384-282-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1384-284-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/520-285-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1384-286-0x0000000000400000-0x0000000000D1B000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

memory/1384-297-0x000000002DAB0000-0x000000002E2D5000-memory.dmp

memory/1384-298-0x000000002DAB0000-0x000000002E2D5000-memory.dmp

memory/868-299-0x0000000000400000-0x0000000000C25000-memory.dmp

memory/1384-300-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/520-302-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1384-303-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 f0033521f40c06dec473854c7d98fa8b
SHA1 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a
SHA256 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e
SHA512 f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217

C:\Windows\System32\drivers\Winmon.sys

MD5 69989105f151015c16a2f422f5722590
SHA1 3fd92c0224de69048fd8f7d06be85709f25d6573
SHA256 b1c321b5e495473a401bd6e6adfe1ec931f8247b1b2646b0e259bff011a0958c
SHA512 f74b8086c083fc90117248ef39a1a64467258740e358aaa6454f24b88af169d27290d0c0a46210746734f975eef320ba2e138b43cdba8c2329c23f140d0c1e71

memory/868-306-0x0000000000400000-0x0000000000C25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

MD5 09031a062610d77d685c9934318b4170
SHA1 880f744184e7774f3d14c1bb857e21cc7fe89a6d
SHA256 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
SHA512 9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/868-310-0x0000000000400000-0x0000000000C25000-memory.dmp