Malware Analysis Report

2024-11-30 04:48

Sample ID: 240222-cbs5wsac2s
Target: 719ae8aa9f8837f9ec5488eade1345b4.bin
SHA256: 44609cf8db83d428a35637ca3e4d2d0df12f1e10480742daa0675b0513116993
Tags: dcrat djvu glupteba smokeloader vidar 7f6c51bbce50f99b5a632c204a5ec558 pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit stealer trojan upx lumma redline logsdiller cloud (telegram: @logsdillabot)
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 44609cf8db83d428a35637ca3e4d2d0df12f1e10480742daa0675b0513116993
Threat level: Known bad

The file 719ae8aa9f8837f9ec5488eade1345b4.bin was found to be: Known bad.

Malicious Activity Summary

RedLine payload

SmokeLoader

Lumma Stealer

DcRat

Detected Djvu ransomware

RedLine

Detect Vidar Stealer

Windows security bypass

Glupteba payload

Djvu Ransomware

Glupteba

Vidar

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Modifies Windows Firewall

UPX packed file

Deletes itself

Windows security modification

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Modifies file permissions

Manipulates WinMonFS driver.

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Manipulates WinMon driver.

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-22 01:54

Signatures

Unsigned PE

1 match recorded; no description, indicator, process or target details were captured.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-22 01:54
Reported: 2024-02-22 01:57
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8583777e-7500-4b73-b450-007b2ee298c7\\9F0.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9F0.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Vidar Stealer

stealer
5 matches recorded; no description, indicator, process or target details were captured.

Detected Djvu ransomware

15 matches recorded; no description, indicator, process or target details were captured.

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

11 matches recorded; no description, indicator, process or target details were captured.

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9272.exe = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion

Note: only the netsh.exe process is recorded; its command line is not captured in this table, so the rule that was added or the profile that was changed cannot be read from here and has to be taken from the process tree.

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Note: this signature is inferred from the bcdedit.exe activity ("Modifies boot configuration data using bcdedit" in the summary). Neither the bcdedit command line nor the BCD elements it changed are recorded in this report, so confirm from the process tree which boot options were set (test signing, integrity checks or similar) before treating kernel patch protection as defeated. The same chain writes Winmon.sys to the drivers directory and loads a driver, which is the usual reason for this kind of boot-configuration tampering.

Deletes itself

1 match recorded; no description, indicator, process or target details were captured.

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
6 matches recorded; no description, indicator, process or target details were captured.

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9272.exe = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8583777e-7500-4b73-b450-007b2ee298c7\\9F0.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9F0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Note: despite the signature name, the indicator is an open of the device object \??\VBoxMiniRdrDN, which the VirtualBox shared-folders driver creates inside a guest with Guest Additions installed; it is a device-name probe, not a DLL lookup. A sample that obtains a handle here knows it is running in a VirtualBox VM, so behaviour recorded in a VirtualBox-based sandbox after this point may be a decoy path rather than the real payload.

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9272.exe N/A

Drops file in Windows directory

Note: C:\Windows\Logs\CBS\CbsPersist_20240222015541.cab is a rolled-over CBS servicing-log archive that the monitor attributed to bcdedit.exe; it is a Windows artefact, not a dropped payload. The files to collect are C:\Windows\rss\csrss.exe and C:\Windows\windefender.exe, a Defender-like name placed directly under C:\Windows and also added to the Defender exclusion lists above.

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240222015541.cab C:\Windows\system32\bcdedit.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
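The registry, file and device rows in the tables above are the ones a responder turns into host-hunt content: the Defender exclusion writes, the Run keys, the Winmon.sys drop and \??\WinMon handle, the \??\VBoxMiniRdrDN probe and the SCSI enumeration. The Python below is an added example, not part of the sandbox report or of any of the named families' code. It takes rows in the report's Description / Indicator / Process form, drops MuiCache-style side effects, and maps the rest to ATT&CK technique IDs together with the concrete artefact to search for on other hosts. The sample rows are copied from the tables above; the rule set and the technique assignments are the editor's, and the rules generalise beyond these rows (any Defender exclusion kind, any Run key value, any .sys written under drivers, any VBox* device name).

```python
"""Turn sandbox behaviour rows into ATT&CK-tagged host-hunt artefacts."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (Description, Indicator, Process) rows copied from the behavioural tables of
# the report; the report's Target column is N/A throughout and is omitted.
ROWS: List[Tuple[str, str, str]] = [
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0"', r"C:\Users\Admin\AppData\Local\Temp\9272.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"', r"C:\Users\Admin\AppData\Local\Temp\9272.exe"),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"', r"C:\Users\Admin\AppData\Local\Temp\9272.exe"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""', r"C:\Windows\rss\csrss.exe"),
    ("Set value (str)", r'\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\8583777e-7500-4b73-b450-007b2ee298c7\\9F0.exe\" --AutoStart"', r"C:\Users\Admin\AppData\Local\Temp\9F0.exe"),
    ("File created", r"C:\Windows\system32\drivers\Winmon.sys", r"C:\Windows\rss\csrss.exe"),
    ("File opened for modification", r"\??\WinMon", r"C:\Windows\rss\csrss.exe"),
    ("File opened (read-only)", r"\??\VBoxMiniRdrDN", r"C:\Users\Admin\AppData\Local\Temp\9272.exe"),
    ("Key enumerated", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI", r"C:\Users\Admin\AppData\Local\Temp\file.exe"),
    ("Set value (str)", r'\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time"', r"C:\Users\Admin\AppData\Local\Temp\9272.exe"),
]

ROOTKIT_DEVICES = {"WinMon", "WinMonFS"}  # control devices named in the report

DEFENDER_EXCL = re.compile(r'\\Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<item>.+?) = "')
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\(?P<name>[^\\ ]+) = "(?P<cmd>.*)"$')
DRIVER_FILE = re.compile(r"\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
DEVICE_OBJECT = re.compile(r"^\\\?\?\\(?P<dev>[^\\]+)$")


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique ID (editor's assignment)
    label: str
    artefact: str    # the concrete value to hunt for on other hosts
    process: str


def unescape(value: str) -> str:
    """Undo the monitor's escaping of quotes and backslashes in registry strings."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def classify(description: str, indicator: str, process: str) -> Optional[Finding]:
    """Map one row to a Finding, or None when the row has no hunt value."""
    m = DEFENDER_EXCL.search(indicator)
    if m:
        return Finding("T1562.001", f"Defender exclusion ({m['kind']})", m["item"], process)
    m = RUN_KEY.search(indicator)
    if m:
        return Finding("T1547.001", f"Run key '{m['name']}'", unescape(m["cmd"]), process)
    if description == "File created" and DRIVER_FILE.search(indicator):
        return Finding("T1014", "driver file dropped", indicator, process)
    m = DEVICE_OBJECT.match(indicator)
    if m:
        dev = m["dev"]
        if dev.startswith("VBox"):
            return Finding("T1497.001", "VirtualBox device probe", dev, process)
        if dev in ROOTKIT_DEVICES:
            return Finding("T1014", "rootkit control device opened", dev, process)
    if indicator.endswith(r"\Enum\SCSI"):
        return Finding("T1082", "SCSI device enumeration", indicator, process)
    return None  # MuiCache strings and similar side effects carry no hunt value


def triage(rows: List[Tuple[str, str, str]]) -> List[Finding]:
    return [f for f in (classify(*row) for row in rows) if f is not None]


def hunt_list(findings: List[Finding]) -> Dict[str, List[str]]:
    """Unique artefacts per technique, ready to paste into a hunt query."""
    out: Dict[str, List[str]] = {}
    for f in findings:
        out.setdefault(f.technique, [])
        if f.artefact not in out[f.technique]:
            out[f.technique].append(f.artefact)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for technique, artefacts in hunt_list(triage(ROWS)).items():
        print(technique)
        for a in artefacts:
            print("   ", a)
```

The Run-key values come back unescaped, so the hunt list carries the path exactly as it sits in the registry (`"C:\Windows\rss\csrss.exe"`, `"...\9F0.exe" --AutoStart`), and the Defender list holds the excluded items themselves rather than the full registry path; both are what an EDR or registry sweep on other hosts needs.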

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Note: nearly all of these rows are MuiCache writes of time-zone display names (tzres.dll resource strings) produced while 9272.exe resolved time-zone names, plus netsh.exe creating its NetTrace keys and caching a NAP helper description; the strings themselves have no hunt value. What matters is the hive: the writes land under HKEY_USERS\.DEFAULT rather than the interactive user's SID, and .DEFAULT is the hive a process running as LocalSystem sees as HKEY_CURRENT_USER, so 9272.exe and netsh.exe were very likely running as SYSTEM at this point.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\9272.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c495131
72f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d0101050
5000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc
6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee
38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob value not reproduced in this copy of the report) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (blob value not reproduced in this copy of the report) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe N/A
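The Blob values written above are CryptoAPI's serialized certificate context: a sequence of property records, each a DWORD property ID, a DWORD flags field, a DWORD length and the data. In the ROOT\Certificates\DF3C24F9...\Blob value the records are the MD5 hash (property 4), the signature hash (15), the SHA-1 thumbprint (3, which has to equal the key name), the subject key identifier (20) and finally the DER certificate itself (32). The DER's subject bytes decode to "DigiCert Global Root G2", and DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 is the published SHA-1 thumbprint of that root, so this particular write re-installs a genuine root rather than planting a rogue one. The AuthRoot writes are the automatic root-update cache that CryptoAPI populates while building chains; ROOT is the trusted root store itself, which is why a Temp-directory executable writing to it deserves exactly this thumbprint cross-check. The Python below is an added example, not part of the report or of any tool it names. It parses the record format and embeds as constructed input the first four records of the value above plus the 12-byte header of the truncated certificate record, and it reports the truncation instead of returning a partial DER.

```python
import hashlib
import struct

# CryptoAPI certificate property IDs (wincrypt.h).
CERT_SHA1_HASH_PROP_ID = 3
CERT_MD5_HASH_PROP_ID = 4
CERT_SIGNATURE_HASH_PROP_ID = 15
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32

# Constructed sample: the first four property records of the
# ROOT\Certificates\DF3C24F9...\Blob value shown above, followed by the header of
# the fifth record (property 32, the DER certificate, declared 0x392 = 914 bytes)
# with its data cut off, to exercise the truncation path.
SAMPLE_BLOB_HEX = (
    "040000000100000010000000e4a68ac854ac5242460afd72481b2a44"
    "0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3"
    "030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a4"
    "1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39"
    "200000000100000092030000"
)
KEY_NAME_THUMBPRINT = "DF3C24F9BFD666761B268073FE06D1CC8D4F82A4"


def parse_cert_blob(blob: bytes):
    """Walk the property records of a SystemCertificates\\...\\Blob value.

    Each record is: DWORD prop_id, DWORD flags (observed as 1), DWORD cb, BYTE[cb].
    Returns (properties, truncated): properties maps prop_id -> data, truncated is
    the prop_id of a record whose declared length runs past the end, or None.
    """
    props = {}
    off = 0
    while off + 12 <= len(blob):
        prop_id, _flags, cb = struct.unpack_from("<III", blob, off)
        off += 12
        if off + cb > len(blob):
            return props, prop_id
        props[prop_id] = blob[off:off + cb]
        off += cb
    return props, None


def check_thumbprint(props, key_name: str):
    """Cross-check the stored SHA-1 property against the registry key name and,
    when the DER certificate is present, against a fresh SHA-1 of that DER."""
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    result = {"key_name_matches_stored_sha1": stored == key_name.upper()}
    der = props.get(CERT_CERT_PROP_ID)
    if der is not None:
        result["der_sha1"] = hashlib.sha1(der).hexdigest().upper()
        result["der_matches_key_name"] = result["der_sha1"] == key_name.upper()
    return result


def triage(blob_hex: str, key_name: str):
    """Summarize one Blob value: which properties it carries, whether the SHA-1
    property agrees with the key name, and whether the DER record was complete."""
    props, truncated = parse_cert_blob(bytes.fromhex(blob_hex))
    return {
        "property_ids": sorted(props),
        "truncated_property": truncated,
        "key_identifier": props.get(CERT_KEY_IDENTIFIER_PROP_ID, b"").hex(),
        **check_thumbprint(props, key_name),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_BLOB_HEX, KEY_NAME_THUMBPRINT))
```

To run this against a live system, export the value with `reg query` or `Get-ItemProperty` and pass the hex of the full Blob; on the complete value the DER record is present and `der_matches_key_name` is the check that matters, since a store entry whose key name does not match a SHA-1 of the embedded certificate was not written by CryptoAPI.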

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9272.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1208 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1208 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1208 wrote to memory of 2604 N/A N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2604 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2700 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Windows\SysWOW64\icacls.exe
PID 2700 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Windows\SysWOW64\icacls.exe
PID 2700 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Windows\SysWOW64\icacls.exe
PID 2700 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Windows\SysWOW64\icacls.exe
PID 2700 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2700 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2700 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2700 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 1704 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\Temp\9F0.exe
PID 2552 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 2552 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 2552 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 2552 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 1636 wrote to memory of 1320 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe
PID 2552 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe
PID 2552 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe
PID 2552 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe
PID 2552 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\Temp\9F0.exe C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe
PID 1208 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\4828.exe
PID 1208 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\4828.exe
PID 1208 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\4828.exe
PID 1208 wrote to memory of 2892 N/A N/A C:\Users\Admin\AppData\Local\Temp\4828.exe
PID 1320 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1320 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1320 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1320 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1208 wrote to memory of 2640 N/A N/A C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 2640 N/A N/A C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 2640 N/A N/A C:\Windows\system32\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\9F0.exe

C:\Users\Admin\AppData\Local\Temp\9F0.exe

C:\Users\Admin\AppData\Local\Temp\9F0.exe

C:\Users\Admin\AppData\Local\Temp\9F0.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\8583777e-7500-4b73-b450-007b2ee298c7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\9F0.exe

"C:\Users\Admin\AppData\Local\Temp\9F0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9F0.exe

"C:\Users\Admin\AppData\Local\Temp\9F0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe

"C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe"

C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe

"C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe"

C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe

"C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe"

C:\Users\Admin\AppData\Local\Temp\4828.exe

C:\Users\Admin\AppData\Local\Temp\4828.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1320 -s 1472

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5276.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe

"C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\853A.exe

C:\Users\Admin\AppData\Local\Temp\853A.exe

C:\Users\Admin\AppData\Local\Temp\9272.exe

C:\Users\Admin\AppData\Local\Temp\9272.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222015541.log C:\Windows\Logs\CBS\CbsPersist_20240222015541.cab

C:\Users\Admin\AppData\Local\Temp\9272.exe

"C:\Users\Admin\AppData\Local\Temp\9272.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {B584DB60-14C3-4C7E-9180-7C62F1EB7873} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
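Read together, the command lines above form a chain rather than isolated events: 9F0.exe relaunches itself with the --Admin IsNotAutoStart IsNotTask switches and uses icacls to deny Everyone delete rights on its folder under AppData\Local; an every-minute task named Azure-Update-Task keeps mstsca.exe running from the roaming profile; 9272.exe installs C:\Windows\rss\csrss.exe with an inbound firewall allow rule and a highest-privilege logon task; csrss.exe then drops patch.exe, an injector that loads NtQuerySystemInformationHook.dll into taskmgr.exe, and dsefix.exe, and runs a bcdedit sequence that creates a second boot entry called "Windows Fast Mode", sets nointegritychecks 1 on it, disables recovery, makes it the default and sets the menu timeout to 0, so the next boot starts with driver signature enforcement off and no visible boot menu. The Python below is an added example written for this report, not sandbox or vendor code. It runs plain-text rules over command lines copied from the list (constructed input) and correlates the bcdedit calls by entry GUID, so that nointegritychecks is judged on the entry that is also made the default; the makecab rule shows routine Windows servicing noise being labelled rather than counted as suspicious. Rule labels are the editor's reading of each line.

```python
import re

# Constructed sample: command lines copied from the process list above (one per
# distinct line that matters for the chain; GUIDs and paths are the report's own).
CMDLINES = [
    r'icacls "C:\Users\Admin\AppData\Local\8583777e-7500-4b73-b450-007b2ee298c7" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\9F0.exe" --Admin IsNotAutoStart IsNotTask',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0',
    r'C:\Windows\system32\bcdedit.exe -timeout 0',
    r'C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\Sysnative\bcdedit.exe /v',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222015541.log C:\Windows\Logs\CBS\CbsPersist_20240222015541.cab',
]

# (label, regex) pairs. The labels are this editor's reading of each line, not
# vendor signatures; the last rule exists to set routine servicing noise aside.
RULES = [
    ("Djvu-style relaunch switches (--Admin IsNotAutoStart IsNotTask)", r"--Admin IsNotAutoStart IsNotTask"),
    ("staging folder locked against deletion (icacls /deny Everyone)", r"(?i)\bicacls\b.*/deny \*S-1-1-0:"),
    ("every-minute scheduled task running a binary in the user profile", r'(?i)/create\b.*/sc minute /mo 1\b.*/tr "?[A-Z]:\\Users\\'),
    ("logon task with highest run level", r"(?i)\bschtasks\b.*/create\b.*/RL HIGHEST"),
    ("inbound firewall allow rule for a dropped binary", r"(?i)\bnetsh advfirewall firewall add rule\b.*action=allow"),
    ("driver signature enforcement bypass tool", r"(?i)\\dsefix\.exe$"),
    ("DLL injected into taskmgr.exe (hook named for NtQuerySystemInformation)", r"(?i)\binjector\.exe\s+taskmgr\.exe\s+\S*NtQuerySystemInformationHook\.dll"),
    ("likely benign: CBS log compaction by Windows servicing", r'(?i)\bmakecab\.exe"?\s+\S*\\CBS\\CbsPersist_\d+\.log\b'),
]


def classify(cmdlines):
    """Return (label, command line) for every rule that matches a line."""
    return [(label, cmd) for cmd in cmdlines for label, pattern in RULES if re.search(pattern, cmd)]


def bcd_boot_entries(cmdlines):
    """Correlate bcdedit calls by entry GUID and report entries that disable
    integrity checks, together with whether that entry was made the default."""
    entries, default_guid = {}, None
    for cmd in cmdlines:
        parts = cmd.split()
        if len(parts) < 2 or not parts[0].lower().endswith("bcdedit.exe"):
            continue
        verb = parts[1].lstrip("-/").lower()
        guid = parts[2] if len(parts) > 2 and parts[2].startswith("{") else None
        if verb == "create" and guid:
            entries.setdefault(guid, {})
        elif verb == "set" and guid and len(parts) >= 5:
            entries.setdefault(guid, {})[parts[3].lower()] = " ".join(parts[4:])
        elif verb == "default" and guid:
            default_guid = guid
    return [
        {"guid": g, "is_default": g == default_guid,
         "recovery_disabled": s.get("recoveryenabled") == "0", "settings": s}
        for g, s in entries.items() if s.get("nointegritychecks") == "1"
    ]


if __name__ == "__main__":
    for label, cmd in classify(CMDLINES):
        print(f"{label}\n    {cmd}")
    print(bcd_boot_entries(CMDLINES))
```

The GUID correlation is the part worth keeping: a single `bcdedit -set ... nointegritychecks 1` on a throwaway entry is recoverable, while the same setting on an entry that is also `-default` with `-timeout 0` and `recoveryenabled 0` means the machine will silently boot into it. On a live host, `bcdedit /enum all` lists the extra entry and `bcdedit /delete {GUID}` removes it.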
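The `sc sdset WinDefender ...` line above rewrites the security descriptor of the service behind C:\Windows\windefender.exe in SDDL. Compared with the descriptor that, as assumed here, `sc sdshow` prints for a freshly created service, it makes two changes: WP (SERVICE_STOP) and DT (SERVICE_PAUSE_CONTINUE) are dropped from the Administrators allow ACE, and an explicit deny ACE (D;;WPDT;;;BA) is appended, so an administrator can no longer stop or pause the service, while WD (WRITE_DAC) is left allowed, so the descriptor itself can still be reset. The decoder below is an added example, not part of the report; its rights table covers the service-object meaning of the SDDL letters used in this string (hex masks, O:/G: sections and other SID aliases are not handled), and the baseline descriptor it compares against is the editor's assumption, not something the report states.

```python
import re

# Constructed sample: the descriptor from the `sc sdset WinDefender ...` line above.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)
# Assumed baseline: the descriptor `sc sdshow` reports for a freshly created service.
DEFAULT_SERVICE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# SDDL right letters as they apply to a service object (the generic directory
# letters are reused for service-specific access bits). Hex masks are not handled.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SIDS = {"SY": "LocalSystem", "BA": "Builtin\\Administrators", "IU": "Interactive users",
        "SU": "Service logon", "WD": "Everyone", "AU": "Authenticated users"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}
SECTION_RE = re.compile(r"([DS]):((?:\([^)]*\))*)")
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^)]*)\)")


def parse_sddl(sddl):
    """Return {'dacl': [...], 'sacl': [...]} with one dict per ACE."""
    out = {"dacl": [], "sacl": []}
    for section, body in SECTION_RE.findall(sddl):
        for typ, flags, rights, _obj, _inh, sid in ACE_RE.findall(body):
            out["dacl" if section == "D" else "sacl"].append({
                "type": ACE_TYPES.get(typ, typ),
                "flags": flags,
                "rights": [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                           for i in range(0, len(rights), 2)],
                "trustee": SIDS.get(sid, sid),
            })
    return out


def effective_service_rights(sddl, trustee_abbrev):
    """Allow rights for one trustee minus that trustee's deny rights. Simplified on
    purpose: only ACEs naming this trustee count, group membership is not expanded."""
    allowed, denied = set(), set()
    name = SIDS.get(trustee_abbrev, trustee_abbrev)
    for ace in parse_sddl(sddl)["dacl"]:
        if ace["trustee"] == name:
            (denied if ace["type"] == "deny" else allowed).update(ace["rights"])
    return {"allowed": sorted(allowed - denied), "denied": sorted(denied)}


def rights_removed_from(baseline_sddl, sddl, trustee_abbrev):
    """Rights the trustee has under the baseline but no longer has under sddl."""
    base = set(effective_service_rights(baseline_sddl, trustee_abbrev)["allowed"])
    now = set(effective_service_rights(sddl, trustee_abbrev)["allowed"])
    return sorted(base - now)


def dacl_is_canonical(sddl):
    """Windows orders explicit deny ACEs before allow ACEs; a deny appended after
    the allows is a tell of a hand-written descriptor such as this one."""
    types = [a["type"] for a in parse_sddl(sddl)["dacl"]]
    allows = [i for i, t in enumerate(types) if t == "allow"]
    denies = [i for i, t in enumerate(types) if t == "deny"]
    return not denies or not allows or min(allows) > max(denies)


if __name__ == "__main__":
    print(effective_service_rights(WINDEFENDER_SDDL, "BA"))
    print("removed from Administrators:", rights_removed_from(DEFAULT_SERVICE_SDDL, WINDEFENDER_SDDL, "BA"))
    print("canonical DACL:", dacl_is_canonical(WINDEFENDER_SDDL))
```

Because WRITE_DAC survives for Administrators, the lockdown is shallow: an elevated `sc sdset WinDefender <default descriptor>` restores stop rights, after which the service can be stopped and deleted. The non-canonical ACE order (the deny after the Administrators allow) is harmless for enforcement here, since the allow ACE never granted WP or DT, but it is a useful hunting tell in `sc sdshow` output across a fleet.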

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.119.84.111:80 brusuax.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 bmtech-electronic.fr udp
FR 185.135.132.104:443 bmtech-electronic.fr tcp
KR 211.119.84.111:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
FR 185.135.132.104:443 bmtech-electronic.fr tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
AR 186.182.55.44:80 habrafa.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
AR 186.182.55.44:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
FI 95.217.29.171:443 95.217.29.171 tcp
FI 95.217.29.171:443 95.217.29.171 tcp
FI 95.217.29.171:443 95.217.29.171 tcp
FI 95.217.29.171:443 95.217.29.171 tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 mahta-netwotk.click udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 notmalware.top udp
RU 5.188.88.181:80 notmalware.top tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 104.21.51.193:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 104.21.11.77:443 loftproper.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
NL 45.134.254.172:80 tcp
US 8.8.8.8:53 86b29171-d157-4993-97ab-2593e29ed039.uuid.statstraffic.org udp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 server3.statstraffic.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server3.statstraffic.org tcp
US 3.33.249.248:3478 stun.sipgate.net udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 walkinglate.com udp
US 172.67.212.188:443 walkinglate.com tcp
BG 185.82.216.104:443 server3.statstraffic.org tcp
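Collapsed by destination, the table above is a short list of hosts: the bulk of the rows are repeated HTTP connections to 185.12.126.182 for trad-einmyus.com, the rest are single fetches. Some of those are not attacker infrastructure at all: api.2ip.ua and stun.sipgate.net are external-IP lookups, msdl.microsoft.com and the blob.core.windows.net shards are symbol and crash-report traffic consistent with the WerFault.exe launch for PID 1320 under Processes, and apps.identrust.com is a CryptoAPI chain fetch. t.me and steamcommunity.com are public profile pages that stealers of the Vidar family are known to read their real C2 address from, and 95.217.29.171 and 45.134.254.172 are contacted without any DNS lookup. The Python below is an added example, not sandbox output; it parses rows in the table's own "Country Destination Domain Proto" layout (a copied subset as constructed input, including the empty-domain row), separates DNS queries to 8.8.8.8 from connections, and buckets each host with the heuristic lists just described, which are assumptions for illustration rather than verdicts.

```python
from collections import Counter, defaultdict

# Constructed sample: rows copied from the Network table above, in the report's
# own layout. The 45.134.254.172 row has no domain column, as on the page.
NETWORK_ROWS = """\
US 8.8.8.8:53 trad-einmyus.com udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
FI 95.217.29.171:443 95.217.29.171 tcp
US 8.8.8.8:53 mahta-netwotk.click udp
NL 45.134.254.172:80 tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
"""

# Heuristic host lists assumed for illustration; they are not verdicts.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}          # public pages read for the real C2
FILE_HOSTS = {"transfer.sh", "cdn.discordapp.com"}          # public file hosts used for payloads
IP_LOOKUP_HOSTS = {"api.2ip.ua", "stun.sipgate.net"}        # HTTP geo API, STUN binding
OS_NOISE_SUFFIXES = ("microsoft.com", "blob.core.windows.net", "identrust.com")  # verify, then drop


def parse_rows(text):
    """Parse 'Country Destination Domain Proto' rows; the domain column may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def categorize(name, ips):
    if name in ips:
        return "direct-to-IP"
    if name in DEAD_DROP_HOSTS:
        return "dead-drop resolver"
    if name in FILE_HOSTS:
        return "public file host"
    if name in IP_LOOKUP_HOSTS:
        return "external IP lookup"
    if any(name == s or name.endswith("." + s) for s in OS_NOISE_SUFFIXES):
        return "likely OS noise"
    return "candidate C2 / payload host"


def summarize(text, resolver="8.8.8.8"):
    """Collapse the table to one record per host, with names that were only
    queried in DNS but never connected to listed separately."""
    dns_queries, by_name = Counter(), defaultdict(list)
    for r in parse_rows(text):
        if r["ip"] == resolver and r["port"] == 53:
            dns_queries[r["domain"]] += 1
            continue
        by_name[r["domain"] or r["ip"]].append(r)
    hosts = []
    for name, rows in by_name.items():
        ips = sorted({r["ip"] for r in rows})
        hosts.append({
            "name": name, "category": categorize(name, ips), "connections": len(rows),
            "ips": ips, "ports": sorted({r["port"] for r in rows}),
            "countries": sorted({r["country"] for r in rows}), "dns_queries": dns_queries.get(name, 0),
        })
    hosts.sort(key=lambda h: (-h["connections"], h["name"]))
    return {"hosts": hosts, "queried_only": sorted(set(dns_queries) - set(by_name))}


if __name__ == "__main__":
    for h in summarize(NETWORK_ROWS)["hosts"]:
        print(f'{h["connections"]:3d}  {h["category"]:<28} {h["name"]} {h["ips"]} {h["ports"]}')
    print("queried only:", summarize(NETWORK_ROWS)["queried_only"])
```

Names that appear only as DNS queries (mahta-netwotk.click here) are still indicators: the sample asked for them, and a resolver that returned nothing in the sandbox may answer differently elsewhere. Hosts bucketed as OS noise should be confirmed against the process that made the connection before they are dropped from an IOC list.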

Files

memory/2764-1-0x00000000009B0000-0x0000000000AB0000-memory.dmp

memory/2764-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2764-3-0x0000000000400000-0x0000000000817000-memory.dmp

memory/1208-4-0x0000000001C70000-0x0000000001C86000-memory.dmp

memory/2764-5-0x0000000000400000-0x0000000000817000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9F0.exe

MD5 9d9114ab84aa79f8a22356d35ce7fd66
SHA1 80ace18221477538d8219bd0495e79875c334fa7
SHA256 05cff8cebc34d942d16d5fe3eae68ceb3420e96264819f8dd3fd6bb28028e514
SHA512 ba12481c78ab484781fb3466f28140f653230fa8b947a3afe4327621195de259258587c143f4e79a2dc5658439216b9fa11b337ec4c7794d910ce1262c915968

memory/2604-17-0x0000000000330000-0x00000000003C2000-memory.dmp

memory/2604-21-0x0000000004740000-0x000000000485B000-memory.dmp

memory/2700-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2700-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2604-18-0x0000000000330000-0x00000000003C2000-memory.dmp

memory/2700-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2700-28-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\9F0.exe

MD5 38bebd5772e1cf372d2da3ab672e0d89
SHA1 b0f36508354964d8c4c3e3cb7cf5c7e53c5604d2
SHA256 03cb6b801a97cdc43ba4ac0b02ba2d6ad84e4bc07f9591f06c1290bec3357ed3
SHA512 a17ec01903f64c5841b95d84a89db4ce01842fb8d7fd3dccd5edc07a3ba765a4a3d3532ed25ae3a17a0cbe4d1d82921858426026486fc94ca55f41525edd823f

memory/2700-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1704-53-0x0000000002DC0000-0x0000000002E52000-memory.dmp

memory/1704-54-0x0000000002DC0000-0x0000000002E52000-memory.dmp

memory/2552-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2552-62-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 02a572a444f6aea574f70847b4b261ac
SHA1 64f339990b4b45efa6cc1ee7943b4be43e2c6112
SHA256 2e3d6df847c8f6206b8430b8eae66344b087bda1c53003e3fe0ba6cb42c8716b
SHA512 503e72a4dcb10c70120cc6675478f6d4f378252dcb91e24375a34bf2551163c9f82af160683cb5b5b3f84d221ee0e8f8319907a283d12056b5658b6f140bfa6b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4e05cac40082c891a11196d21c7d0ee3
SHA1 b2bcd705ceda4859fdc71beb26ce6c3bbecff435
SHA256 81069225d47a075dab4b20ebeece57c86966532866d1904eb04e0033362c2fc0
SHA512 7e4b770e87c264d624cda7b10f6202a003221dd3805bb72568e95e37876cb4f1c3a40e0a003d3971990734ff074690128257d34671afc1ac2a4d319a0a54af95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\Local\Temp\Cab1B1F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 7dc6a32b54522e9cdea942ab36b3c46f
SHA1 0a98eb4a14489810ebd616ea2657a6802be26c4f
SHA256 d4f60fa83eb77a23b13ad37587b494462f91ad8988066b4e5beae887c2e78287
SHA512 382c9e35786ac99bfd068d119c32d9bb6236f77e092e7f6dfef25bdd742c373dcd1d1f75dc1c04b4c2629731d58403cdfcf4c321b28e54d9be9179bfe0feeeb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d59bf18e04eb0da9f0dbd3079eb92b8a
SHA1 7c66b5040018fdd07ac6018c38e5852a15a6e4ef
SHA256 02ebe8851ff0624357b42b43dc5684fca0db014d817f01cfc8df4b344dc25b32
SHA512 f5151651e9d61d4402318f5e6e850957f94726eee42a67dd6c8979720d44f00363de40c67a13b3101b9fa93188c27e1c00a21b9b316e024046543e44e51c15ee

memory/2552-77-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2552-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2552-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2552-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2552-85-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2552-89-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe

MD5 c106cfb56d4014fa1e6e292d18f51129
SHA1 f349a08ef573fa979e6ff001e02bca312e5c03cb
SHA256 f89e84ce11b8f8329d0a7baa9dbe89fbee3df8c6ae6a9a9d1278de652e9e5c7e
SHA512 ba2246ea7feccb771399c6b56116b11611b19fd46015f0648b37b7b5fd62d93d3f343d79d56b358ddcf815c8f95528e93dacbfb40c57f6c47ff69591f3bad3d1

C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe

MD5 c6d3d647baad8a5b93b81d2487f4f072
SHA1 e9c1105dc41f85d4f7e94d4e004f8427787c8802
SHA256 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a
SHA512 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049

C:\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build2.exe

MD5 2e24c4f0771a259cf609ac5fa6e4d8bd
SHA1 ee1b06f8faf2f5bca6b2166f76ef39f92066448c
SHA256 27954e80a69e65e6cfecce638da361297c754675e01d55ecd5ead3c18feecb79
SHA512 5eb5f5be8705a1c4f663c0f68556aca187ca121109f6c39a9b412be5724f0c4d7bfff7f3160c485cd0be362514fc7e94871741bb96c34529499b2c3948ee52e8

memory/1320-100-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1636-101-0x00000000002C0000-0x00000000003C0000-memory.dmp

memory/1320-104-0x0000000000400000-0x0000000000649000-memory.dmp

memory/1636-103-0x00000000001C0000-0x00000000001F6000-memory.dmp

memory/1320-107-0x0000000000400000-0x0000000000649000-memory.dmp

memory/1320-108-0x0000000000400000-0x0000000000649000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar3757.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 870d42b688d18b63fb52bc6cff68b762
SHA1 a4d91178d2cb148e393a9affcc540fabcb0803f1
SHA256 dbfd9cc4bcbc0da3d193de0c53076db3b2205d824113ae3caa3ea7b33b3fd2a6
SHA512 24dfc60c87d636432fddc6b3ede2f8d8cb753b9138c78345aac589b0e882c80dc2dc257d99e7bedcb0eab781f307fc04b199566639f2f626b1a678d9e719dcbc

\Users\Admin\AppData\Local\e90188ef-4e19-491f-830d-aed29525564b\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2552-198-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4828.exe

MD5 2970507fe29e4a666b075521ef8d664e
SHA1 711434ed76c0a8319f43a34daf9b43a7d150a5d3
SHA256 32f356c8c15a6bd52c739049b36a80f1afae3d5df9bd197d1781873103ed462a
SHA512 ff7ca3f758e62ae872da1feaecd41cfb0ce6fbabe7173d5bb7f2784683a35e98bde215b1b0732328915b078f255167177cd20225064245d996f1fe5cabac2e19

memory/2892-241-0x00000000011A0000-0x0000000001C77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5276.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/2284-259-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1320-261-0x0000000000400000-0x0000000000649000-memory.dmp

memory/2284-257-0x0000000000960000-0x0000000000A60000-memory.dmp

memory/2120-263-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2120-266-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2120-267-0x0000000000400000-0x0000000000406000-memory.dmp

\Users\Admin\AppData\Local\Temp\853A.exe

MD5 b2b4879290de8e43ccbcd92b507de1cd
SHA1 de32697442f04035415d6c89d3398f778ed50bf2
SHA256 3800084470a4fde43467a91cba0e08399f7bdf70b0f03af2f99c282b18f1aa49
SHA512 179ffc5976e0a9a033816863cbb71ca0b8bc513e3f93a0da9773da1b7b5f3109d1442623f13482dd2a5632694262d5497e10c434149eb267ed028318c45a0bf1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 52f53906957f2b289f14dc21b4d2e5ab
SHA1 f3ebf2e3b931e313d01e8cb4d3de096cfeefcdae
SHA256 11d7208a3d730e4d859f81284d2fb3b50368f167fb1f2a10387b0944a2891611
SHA512 b3e3d5b992ae4d3cc01e0ff77dac6d637dd334eefcebe75ae48c69ecb2c50fd90e8db91d694ae0a2790f03dbf348eff206b1c08ea2761963a603c132c5b9e07b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e389ff719d4f3fadd40ade0281d07262
SHA1 979c767d32da9fbc71e141585ea9a01a3b4cd609
SHA256 aa4cc57c8ff98f4c5f9d53bdc52e2b38fd4105c70d13062ba656f74ce0b999bc
SHA512 d20b95bef0594330c467329ed5324c4359e5819f9b9b4974d3cd2fc047722f16767f677e166dd79d14619bb1f33abde191bf88f2e20771ea91323cd1cf49b1be

C:\Users\Admin\AppData\Local\Temp\9272.exe

MD5 4245b8cbf6c03a2c84154ca2cf1307d8
SHA1 f5da20335f9e85c3d532b7a8c8cd629e73c6ee48
SHA256 ddcb18c6d0aaf1ae1b0bfebbc7921834b54efd2d9833b9392b21fccb903a3032
SHA512 9b4904464570607a2651af11bd29ef1740007a83ebb5566c31984ffd7ee1cd62e4a1c3d036da3e520034edd2e30ce07e48387b61ae4c2291fd3d1d79c9e5ccc0

memory/596-348-0x0000000004960000-0x0000000004D58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9272.exe

MD5 0d6a426119a1622fe87f00c1a0e1c1a4
SHA1 2f8ff1764b2cad5b00385849e47f70675034e675
SHA256 ee3eebd9f86353bfcb7bfc1af0b572ea76a0f39d846f9706d227fd3f1f390f13
SHA512 26fd7b7253cd6c86905dfdb838efc4582455827dfbe938388a851d4c7dceb5607e507eaeacb992a79ae6834263f3804201185af54f827f7eeee7762aa0d6e366

memory/596-350-0x0000000004960000-0x0000000004D58000-memory.dmp

memory/596-351-0x0000000004D60000-0x000000000564B000-memory.dmp

memory/596-352-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9272.exe

MD5 6757766a3537ae6d29bb650d7e3447f8
SHA1 de51427bcd1961d24bcbd21fbda749b1b04bf5ff
SHA256 4e90ee8363bd7400cce1d6b4bd91a4dfb83d61bba7801e7ef2fc496d2bea3212
SHA512 84dce5a061e00cc0915482a191f5241e8931d648e0d82eb1ef80a0225f967675a7bbab6f8ddcce710696b935910092d41e96a5ec60b288d0437c371cdcfb88ab

C:\Users\Admin\AppData\Local\Temp\9272.exe

MD5 dd253f5071b1111fdd6dec42b12fe8e4
SHA1 9b28d2d0934f2f98bae2f46cca79341ea9067ad3
SHA256 b51034919b413fa9910f036781a2b730d736699b09fb5399706e5d26e4247757
SHA512 fba54ffb72e0788e26340aad044ab5af6f1b24eb91786a2fb4f785fbff0330f6ff12dfef296ab5d38efb19565e49e573c5e5fca6d90e5fea5db326c664656a7e

memory/1564-357-0x0000000004BA0000-0x0000000004F98000-memory.dmp

memory/596-356-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1564-358-0x0000000004BA0000-0x0000000004F98000-memory.dmp

memory/1564-359-0x0000000004FA0000-0x000000000588B000-memory.dmp

memory/596-360-0x0000000004960000-0x0000000004D58000-memory.dmp

memory/596-361-0x0000000004D60000-0x000000000564B000-memory.dmp

memory/1564-362-0x0000000000400000-0x0000000003118000-memory.dmp

\Windows\rss\csrss.exe

MD5 c57887b8f74ac002a62eb9d3785a6f64
SHA1 4444d42680383f7534b0139152ff53876cd2511c
SHA256 a8211dfd3f19eed59554572195112589a14e1b86db4e38be2f7ff53e620622ee
SHA512 5b03553338cba1f6af142919233c116c4727f9ed6b0e4ddca854657dd9cd4647735ea03804862232481645f1060e0ffbc98094ec2757c3fda33e1d7e96fcfb05

\Windows\rss\csrss.exe

MD5 8e49ca69fdeb66cf3a0767ce691ee11a
SHA1 ec145f48927454e46d488270c243e3c1f238023b
SHA256 5b7f60d350e3371497ebf98068735f43db8f89020426ba134908cb2f683f9f29
SHA512 eecf6ad85608cadb1f818cc4215e696e0a7a5188180ae79a252273bc865b1a63a7f6317c45a7485669e284d52469cc5684127e1aade72f1cc75ea3f8063a56f7

C:\Windows\rss\csrss.exe

MD5 1b6ce5438f7c424a45425ab1865b5cfb
SHA1 617f901b6a338259c88b7e489a04db6f3a19d6bb
SHA256 f13102e1ee3b7ecc118b2c4eef088f64891ede52227656065e92ec824ee01530
SHA512 f0e10fd15c78f9b040d939e69e0cea051c20ec7e51c7da5867f36014ffcb9f2a0ce0e0b9e5706f174dcc16530b62a2a1d1c172ae77a829f7e5b867f15447d852

memory/1200-373-0x0000000004DA0000-0x0000000005198000-memory.dmp

memory/1564-372-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1564-377-0x0000000004BA0000-0x0000000004F98000-memory.dmp

memory/1200-376-0x0000000004DA0000-0x0000000005198000-memory.dmp

memory/1200-378-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f40cc995d0db3713af2fd558e9b22d72
SHA1 51995c2c0677e07776477ed49afeebca1c0f9276
SHA256 ab6ee9f7d0ca2740a3a147c9d4ed168243a3d8be677764f2f04dd6413e90b4bc
SHA512 18f73c9e747c1836900aba6e713fbe965756410710103c4a0075d9ce60d60bd9ddf30a6c2e2ec5e21367edcd56de64131fa14c453adafb13376b5ff80edfc31e

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 e33401b93442ca977d59e5da219a6aaf
SHA1 33681c24e68e86fa5bb35a7b76b7a832780def1b
SHA256 a0ca2816632b39247e91f4b5b3f1c47848aa0feee756a1e0fffc72b1360c6251
SHA512 30467f815aafba392be2319946e1b38a7f8d0057b770e28e49622c5e4db90a508186a0087ef09e1968075500f71eef80b69f556790c656c0c5a1cfd6aff80b3e

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 9e36385b29db63b590571c7510c85f79
SHA1 daee8501506c0661df7f6dedb91a2d17b2b6f75b
SHA256 c0906a4c2b8a2348d0b299679bab43140c5afa69fe6f2f83be889489695c8cd9
SHA512 46a380abf356a432737f6a777e8a09de285827bd9c1c10d50a8d425f29e1db3e112e4d06533d6a60f4d4416cbca00fe693b94bccfacb54b1ad39df9c8906d8de

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 e3524370dc3f0849761673f48ea826d9
SHA1 25edb10d4fefa0b1418e15d8373365380cf07fa3
SHA256 93834706244fdba144ca5e2dc0c4665c926d32229dc25d6307c15757e22b8604
SHA512 49424383e886032be994a20031a596600568df62e67718b509598c9922751cbcd0ea378b1a51b4a72ddb678d625f3b5f1ace7e8113a0c02a97c3743fa684cfc6

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 7d8ccccabd6f818dd32640a50e0910b9
SHA1 c95f1dee720251779a5f06cafb2ada857dfd256d
SHA256 43c076f070054cc1500395dfe772a060cc4bb719b7c98ad83779ad14b88d3685
SHA512 2286de76a3ac1f34e9069fec58596257d9e0c128ed18709bc1d27a25ad76609502098913d5e40f97435cfef90136c105e86289f0ad918d1aeb01abbeb11adb51

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 489adf3aa6b215226925cfb5dd492672
SHA1 51b9121c6beed6fb22a4819c4254ededf22e1ce2
SHA256 1e214c62074a2dd4b70d9b14092ea211a3d79e55d361b78b2cfbfae70713b6cd
SHA512 7a62e0766aef7e8268581529a8aaa0d6c30698f0ffead32fec431bf46c6d93b40139c87da498f66d85db03e180b6840a83e38193a87c557938431341f01c5aa0

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 a2cf03c92a9ba9f14887946beff4addd
SHA1 954a835b6810f766f2fb28a3b14678225d8b73d1
SHA256 0b972506b144954f83274e93c8add97983f834cad47dd2a55e1935f2c2d4c9de
SHA512 753bd54227e0878599b99b7bdd0c68a80798203add6dc0f280d9b77f9f451dc68a5faaf6b21d5f1667f5b2af6e1e42938b0b0accbb9df9b42afd1922bd9415fe

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

memory/1200-415-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 5f492c5ba94d6a41ceddcf10d5258efc
SHA1 173a9e157806cc55192504ceba316bdf1c1bd670
SHA256 2a0d1b759fa4ebad516f914594deb9b677beb97c14b1d7f4f6e0534ffbe51bed
SHA512 ae0d68ab9aa2fa3e578fd25475774427de0e65dbae4fdd95c265b693441566087689566336971e7ed34d010e59b288490975442ff46cfdb5b70053b215dbfc12

memory/2664-436-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ca93fb3d4ffebbd18a948dcf8329957
SHA1 6485e2815da6a6aee8ae7e85a6b49843c06da907
SHA256 d1f35d5dbde3b82e0d0d39dc1d5d6e4f04f5a20e8f3acf4369d590181884277f
SHA512 002b51adba4debafd880a855f98573987f665d9989bd8f5b8cb210f613e3bb168675f1a144a79f050c554c9ae0910ec02f6f01f3a0b24cd70f613d16d769c3fb

memory/2320-488-0x0000000000880000-0x0000000000980000-memory.dmp

memory/1200-503-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1200-509-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 b099f708b9c5b20252d6cd807f58c0cf
SHA1 7935cb7a7081aebb49f0e08bac24e0326c827b97
SHA256 e2e3aa82268a72034f456e36e5da51f68c20cd4894760eeb1c2cc9e8cb920cb6
SHA512 f8e0a02871ce948a2623d8a92eea80c68751b5ce558cdc1dbd4ab1a24c95ee4aea12556c4a28852a8d22321f0302b5c081f5c3c14b506f6f94938d8c349a66c3

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 66d807077e3cf9cf4628b6d78e4b3f35
SHA1 f984eac178c43b85c20919831e3c1c495b32aeaa
SHA256 e571a6fe410e2607d9ac5105796b318c05820e15925666c3231ba403a3fb75d5
SHA512 8893ea662a939151749c56c168f2b0fb5700c4f2c2aaf09a0382a88fbeb43b1c2021b93e26e6023264763d2ef7129a3bc620f8c4ffc49de981dad3cf41a5257b

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 a6e7281b25e92468c451434fa8ab45b1
SHA1 3e524fe95885c02272b6171a5aa8c91de2797c68
SHA256 fe61379f35c2ce8aadf4a1b5d0df67b915da5e68c3f527676410cd14ebffb040
SHA512 fa54deab5b6363d4832d5b2f7aace7a78966942936a0a3be31d23586dbad8c34024f5855d9b75524eab9579f4447f6918868f635ffe3d587eacb48953cef1903

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Windows\windefender.exe

MD5 db4568248637d138cd979dd0ab07716a
SHA1 1dade0abf38232fdf4113de926692b2391c65af7
SHA256 01ba9d35c4f58a7c04cd2957a204794f62d7c04782bc4d9f74127c8a33f3a3ae
SHA512 fc93294961b67fb378f1fc76f00a759d586741fe80b04198d54602ec97b6e0cf7e2dc2c46a4aad1dc1f5e7041f114b2f23505bfb754c101c9f465b997341b1f6

memory/1704-550-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 717c8e39887363435fd56b3e8dda0339
SHA1 9fb784f0fec788b21d91393b9514d753ff4d108d
SHA256 1e3d04f4bef851af0865db164b5806e7dd9c2043e9d057e5848a5462322701f5
SHA512 cb98ecffda239b65e8f31461ebd47631a00b77ba6c255a67f9c8b1d6faf344156aab74ef539bd282273dc751b91f49c95ec694f9904806d394e80d2172cd8363

C:\Windows\windefender.exe

MD5 acc81fb2816e38f832eb5967aa47b8ae
SHA1 fd447a435a962e47844a08c698367d0cc92ffd0f
SHA256 742d6cdfd7205e4aaca81dd131349b95eebb17eefeef2e1451ddfe58d185650d
SHA512 f60c166136c3de32380db58eb563faffdfef7f84ace22489410da7907f085ccf13f4aee967990aeb7ca9e3a3483e7ddaf7b9d1937c7af8e8d2210c5abcc9a230

memory/1680-554-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1704-556-0x0000000000400000-0x00000000008DF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 01:54

Reported

2024-02-22 01:57

Platform

win10v2004-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5953d43e-fb0a-4ac4-8520-990531719594\\15D5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\15D5.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\15D5.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\5953d43e-fb0a-4ac4-8520-990531719594\\15D5.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\15D5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9654.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9654.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\file.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9654.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3280 wrote to memory of 3040 N/A N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3280 wrote to memory of 3040 N/A N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3280 wrote to memory of 3040 N/A N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3040 wrote to memory of 652 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 652 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Windows\SysWOW64\icacls.exe
PID 652 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Windows\SysWOW64\icacls.exe
PID 652 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Windows\SysWOW64\icacls.exe
PID 652 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 652 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 652 wrote to memory of 860 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 860 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\15D5.exe C:\Users\Admin\AppData\Local\Temp\15D5.exe
PID 3280 wrote to memory of 3624 N/A N/A C:\Users\Admin\AppData\Local\Temp\2547.exe
PID 3280 wrote to memory of 3624 N/A N/A C:\Users\Admin\AppData\Local\Temp\2547.exe
PID 3280 wrote to memory of 3624 N/A N/A C:\Users\Admin\AppData\Local\Temp\2547.exe
PID 3624 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3624 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3624 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3624 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3624 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3624 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3624 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3624 wrote to memory of 2996 N/A C:\Users\Admin\AppData\Local\Temp\2547.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3280 wrote to memory of 1184 N/A N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe
PID 3280 wrote to memory of 1184 N/A N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe
PID 3280 wrote to memory of 1184 N/A N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe
PID 3280 wrote to memory of 4392 N/A N/A C:\Windows\system32\cmd.exe
PID 3280 wrote to memory of 4392 N/A N/A C:\Windows\system32\cmd.exe
PID 4392 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4392 wrote to memory of 2324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3280 wrote to memory of 4184 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F7D.exe
PID 3280 wrote to memory of 4184 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F7D.exe
PID 3280 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\9654.exe
PID 3280 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\9654.exe
PID 3280 wrote to memory of 2816 N/A N/A C:\Users\Admin\AppData\Local\Temp\9654.exe
PID 2816 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2816 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 988 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\system32\cmd.exe
PID 1316 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\system32\cmd.exe
PID 2324 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2324 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1316 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1316 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\9654.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\15D5.exe

C:\Users\Admin\AppData\Local\Temp\15D5.exe

C:\Users\Admin\AppData\Local\Temp\15D5.exe

C:\Users\Admin\AppData\Local\Temp\15D5.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\5953d43e-fb0a-4ac4-8520-990531719594" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\15D5.exe

"C:\Users\Admin\AppData\Local\Temp\15D5.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\15D5.exe

"C:\Users\Admin\AppData\Local\Temp\15D5.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1688 -ip 1688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1688 -s 568

C:\Users\Admin\AppData\Local\Temp\2547.exe

C:\Users\Admin\AppData\Local\Temp\2547.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\78B7.exe

C:\Users\Admin\AppData\Local\Temp\78B7.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7C81.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8F7D.exe

C:\Users\Admin\AppData\Local\Temp\8F7D.exe

C:\Users\Admin\AppData\Local\Temp\9654.exe

C:\Users\Admin\AppData\Local\Temp\9654.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9654.exe

"C:\Users\Admin\AppData\Local\Temp\9654.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 182.126.12.185.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
MX 187.156.75.116:80 brusuax.com tcp
US 8.8.8.8:53 116.75.156.187.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 bmtech-electronic.fr udp
FR 185.135.132.104:443 bmtech-electronic.fr tcp
US 8.8.8.8:53 104.132.135.185.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 mahta-netwotk.click udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 notmalware.top udp
RU 5.188.88.181:80 notmalware.top tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 181.88.188.5.in-addr.arpa udp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 172.67.185.36:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 104.21.11.77:443 loftproper.com tcp
US 8.8.8.8:53 36.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 77.11.21.104.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
NL 45.134.254.172:80 N/A tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 5d3b81e9-dd00-4498-a905-5407499de251.uuid.statstraffic.org udp
US 8.8.8.8:53 server13.statstraffic.org udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server13.statstraffic.org tcp
US 8.8.8.8:53 walkinglate.com udp
US 172.67.212.188:443 walkinglate.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 188.212.67.172.in-addr.arpa udp
N/A 127.0.0.1:3478 N/A udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp
BG 185.82.216.104:443 server13.statstraffic.org tcp

Files

memory/2212-1-0x0000000000830000-0x0000000000930000-memory.dmp

memory/2212-2-0x0000000002420000-0x000000000242B000-memory.dmp

memory/2212-3-0x0000000000400000-0x0000000000817000-memory.dmp

memory/3280-4-0x0000000002E60000-0x0000000002E76000-memory.dmp

memory/2212-5-0x0000000000400000-0x0000000000817000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\15D5.exe

MD5 9d9114ab84aa79f8a22356d35ce7fd66
SHA1 80ace18221477538d8219bd0495e79875c334fa7
SHA256 05cff8cebc34d942d16d5fe3eae68ceb3420e96264819f8dd3fd6bb28028e514
SHA512 ba12481c78ab484781fb3466f28140f653230fa8b947a3afe4327621195de259258587c143f4e79a2dc5658439216b9fa11b337ec4c7794d910ce1262c915968

memory/3040-16-0x0000000004A00000-0x0000000004A9F000-memory.dmp

memory/3040-17-0x0000000004B70000-0x0000000004C8B000-memory.dmp

memory/652-18-0x0000000000400000-0x0000000000537000-memory.dmp

memory/652-20-0x0000000000400000-0x0000000000537000-memory.dmp

memory/652-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/652-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/652-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/860-37-0x00000000048F0000-0x0000000004986000-memory.dmp

memory/1688-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1688-41-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1688-43-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2547.exe

MD5 820bc0398778528a79c639a9c1d9fceb
SHA1 b4d6633456ecfd1488c267abad140d3f765166c3
SHA256 ac847ca2a4f39ced778cb7724ee175e1c8130f6d0edf8eb75d495d02225ecab6
SHA512 0fb054b5f08759bda57e2106963f3e8c99b5104ba41588d0b6041047710526551ee8037804e3d989f867d46f6230c5dec8b96fc18491b13139ceb60c9b624b85

memory/3624-49-0x0000000073B50000-0x0000000074300000-memory.dmp

memory/3624-52-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/3624-51-0x0000000004A40000-0x0000000004A9C000-memory.dmp

memory/3624-54-0x0000000004B60000-0x0000000005104000-memory.dmp

memory/3624-55-0x0000000005110000-0x000000000516A000-memory.dmp

memory/3624-56-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/2996-59-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2996-63-0x00000000054B0000-0x0000000005542000-memory.dmp

memory/3624-62-0x0000000002520000-0x0000000004520000-memory.dmp

memory/3624-64-0x0000000073B50000-0x0000000074300000-memory.dmp

memory/2996-66-0x0000000073B50000-0x0000000074300000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\78B7.exe

MD5 479342d62078aaf31881972c7574f6f2
SHA1 382fa9a95746ca6199e7dfb9ae2bd035f4000fb4
SHA256 a6b59e0a275b5314935a3f812a5ba7dd5d5cc9524d3a6efdeb3a103eea386f6d
SHA512 0e74e3e0b993968220e712ffd94a76c00d35f0452494d62b3f6780c80cc0cae2e9982978830c54bed3a57d17a5a84abbdc4c0cbb5961afcae785048ac4ac47da

memory/1184-70-0x0000000000CA0000-0x0000000001777000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7C81.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/1184-80-0x0000000000C80000-0x0000000000C81000-memory.dmp

memory/1184-79-0x0000000000700000-0x0000000000701000-memory.dmp

memory/1184-81-0x0000000000C90000-0x0000000000C91000-memory.dmp

memory/1184-83-0x0000000000CA0000-0x0000000001777000-memory.dmp

memory/1184-84-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/1184-82-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/1184-87-0x0000000002E70000-0x0000000002E71000-memory.dmp

memory/1184-86-0x0000000002E50000-0x0000000002E51000-memory.dmp

memory/1184-85-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/1184-88-0x0000000002E80000-0x0000000002E81000-memory.dmp

memory/1184-91-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/1184-89-0x0000000002E90000-0x0000000002E91000-memory.dmp

memory/1184-92-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

memory/1184-90-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/1184-93-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

memory/1184-95-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

memory/1184-94-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

memory/1184-96-0x0000000002F00000-0x0000000002F01000-memory.dmp

memory/1184-97-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/1184-98-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/1184-99-0x0000000000CA0000-0x0000000001777000-memory.dmp

memory/2996-101-0x0000000073B50000-0x0000000074300000-memory.dmp

memory/1184-102-0x0000000003090000-0x0000000003190000-memory.dmp

memory/1184-103-0x0000000002F30000-0x0000000002F62000-memory.dmp

memory/1184-104-0x0000000002F30000-0x0000000002F62000-memory.dmp

memory/1184-105-0x0000000002F30000-0x0000000002F62000-memory.dmp

memory/1184-106-0x0000000002F30000-0x0000000002F62000-memory.dmp

memory/1184-107-0x0000000000CA0000-0x0000000001777000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8F7D.exe

MD5 b2b4879290de8e43ccbcd92b507de1cd
SHA1 de32697442f04035415d6c89d3398f778ed50bf2
SHA256 3800084470a4fde43467a91cba0e08399f7bdf70b0f03af2f99c282b18f1aa49
SHA512 179ffc5976e0a9a033816863cbb71ca0b8bc513e3f93a0da9773da1b7b5f3109d1442623f13482dd2a5632694262d5497e10c434149eb267ed028318c45a0bf1

C:\Users\Admin\AppData\Local\Temp\9654.exe

MD5 02918300e22e657baba70691b738ce12
SHA1 1fbfb963370dfceb62b270d348c6b35ca03b4715
SHA256 2a411824ee17b6546edb1d5d8144bf49d4e58c51b7a4c98fcec51198f7032cad
SHA512 af63db2688208bcb06bd441f74d97d61e9451554f30cc616b7222d1085c8d84109d02359021d163de86f4753090500810efac38adda9cb8713a856d0d19a0747

memory/2816-117-0x0000000004E80000-0x0000000005279000-memory.dmp

memory/2816-118-0x0000000005280000-0x0000000005B6B000-memory.dmp

memory/2816-119-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1732-120-0x0000000004580000-0x00000000045B6000-memory.dmp

memory/1732-121-0x0000000074360000-0x0000000074B10000-memory.dmp

memory/1732-122-0x00000000024C0000-0x00000000024D0000-memory.dmp

memory/1732-123-0x00000000024C0000-0x00000000024D0000-memory.dmp

memory/1732-124-0x0000000004BF0000-0x0000000005218000-memory.dmp

memory/1732-125-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sc03ktd2.xr1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1732-126-0x0000000005410000-0x0000000005476000-memory.dmp

memory/1732-132-0x00000000054F0000-0x0000000005556000-memory.dmp

memory/1732-137-0x00000000056A0000-0x00000000059F4000-memory.dmp

memory/1732-138-0x0000000005BB0000-0x0000000005BCE000-memory.dmp

memory/1732-139-0x0000000005BF0000-0x0000000005C3C000-memory.dmp

memory/1732-140-0x00000000060D0000-0x0000000006114000-memory.dmp

memory/2816-141-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1732-142-0x00000000024C0000-0x00000000024D0000-memory.dmp

memory/1732-143-0x0000000006ED0000-0x0000000006F46000-memory.dmp

memory/1732-144-0x00000000075D0000-0x0000000007C4A000-memory.dmp

memory/1732-145-0x0000000006F70000-0x0000000006F8A000-memory.dmp

memory/2816-146-0x0000000004E80000-0x0000000005279000-memory.dmp

memory/1732-147-0x000000007FB00000-0x000000007FB10000-memory.dmp

memory/1732-148-0x0000000007130000-0x0000000007162000-memory.dmp

memory/1732-149-0x0000000070200000-0x000000007024C000-memory.dmp

memory/1732-150-0x0000000070380000-0x00000000706D4000-memory.dmp

memory/1732-160-0x0000000007110000-0x000000000712E000-memory.dmp

memory/1732-161-0x0000000007170000-0x0000000007213000-memory.dmp

memory/1732-162-0x0000000007260000-0x000000000726A000-memory.dmp

memory/1732-163-0x0000000007320000-0x00000000073B6000-memory.dmp

memory/1732-164-0x0000000007280000-0x0000000007291000-memory.dmp

memory/1732-165-0x00000000072C0000-0x00000000072CE000-memory.dmp

memory/1732-166-0x00000000072D0000-0x00000000072E4000-memory.dmp

memory/2816-167-0x0000000005280000-0x0000000005B6B000-memory.dmp

memory/1732-168-0x00000000073C0000-0x00000000073DA000-memory.dmp

memory/1732-169-0x0000000007310000-0x0000000007318000-memory.dmp

memory/1732-171-0x0000000074360000-0x0000000074B10000-memory.dmp

memory/2816-174-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1316-175-0x0000000004D80000-0x0000000005185000-memory.dmp

memory/2816-176-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1316-177-0x0000000000400000-0x0000000003118000-memory.dmp

memory/988-178-0x0000000004C10000-0x0000000004C20000-memory.dmp

memory/1316-206-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 dba357be8e0f06523ea7b61e82c493fb
SHA1 fc53ced112265400c55b5cc3ec2e754da2ac3e65
SHA256 87fe43113219e209c492e1c6fa6c96acfa285b5a0f32890e27a08baf4428b46a
SHA512 9a67c44ad7b1bed0d52cdbf5b3257715e2920b63d55aebcc76ca0e109af62d5fd70613408777a0d086c35b2c26ca842d0e06d9cc39fb11235a25b75bb1f27047

memory/1316-243-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9cf279f9935690199eeebf2481a07f17
SHA1 01ff7d722b85db63031a85be91f856ae5c4ec6fe
SHA256 d439a9d998d6812efb7ef67cf5cdce4aa550614f67e65680640fda1096df0cfb
SHA512 5c66c5064f9075e8f185b87b02cb4f8295f0d30889869ec53ec407d67d1deb9ef633632ac7ada69c14516cb19f6d8ed8a0659bd24dc6a8bb71ddffa70bb14b78

memory/1316-274-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 21cdb267361712025b39a62ff7e37bd6
SHA1 19ccb9d3493f28bb90eb23b910a9192f1eae9bcb
SHA256 c245dd216df5d2c3e7d8efaf2acf861e4a6ab14b18db636e5fba7625981f5c3c
SHA512 a6ed02856073fba55c92d25e7304ccdfa75c04518ed8b287dce15b6122a966023c2ce80255f814076c10dc729625544c81eb0453cf254ab46d211202fac9b4bb

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 11da6d8442d6e41faef6661377513c48
SHA1 8e6cc9eef89fde9af49543df0406e8a0760e6dca
SHA256 eb3502178f9523fe5188da545923cf9352018bafba61c43090de1654af40bbb1
SHA512 6874113fb2f4f4ec8e38d93315af0c820d3bc805cab448d662b2110eb166ab9385293091a92f8a7257ae63ee85b7a2148121dfde03187f2fb5c72dd6272faa0f

memory/740-342-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 780f6c5e1520f58801fc8b9cee78ae5f
SHA1 e82ef0d221abb5666efedda28fd283ff244e372e
SHA256 507f943ba3862a583bffd0086019bae54a01cdb4a0ad74171b98a2843c45cce4
SHA512 258e8d76ab3814f3de31be30cfa4175b1b70d9065ed5e1d4047700f29f908aa53cebb862b12f5bc079444a82ca03236b4e8b8ba54ab8769c1f5e9f67db15a662

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/740-376-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1568-384-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/740-386-0x0000000000400000-0x0000000003118000-memory.dmp