Malware Analysis Report

2024-11-30 04:53

Sample ID 240222-tdb3tsca5v
Target 6958ACC382E71103A0B83D20BBBB37D2.exe
SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Tags dcrat djvu glupteba smokeloader vidar 7f6c51bbce50f99b5a632c204a5ec558 tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit stealer trojan lumma
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164

Threat Level: Known bad

The file 6958ACC382E71103A0B83D20BBBB37D2.exe was found to be: Known bad.

Malicious Activity Summary

Detect Vidar Stealer

Detected Djvu ransomware

Djvu Ransomware

SmokeLoader

DcRat

Vidar

Lumma Stealer

Glupteba payload

Windows security bypass

Glupteba

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Downloads MZ/PE file

Drops file in Drivers directory

Deletes itself

Executes dropped EXE

Windows security modification

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Manipulates WinMonFS driver.

Checks installed software on the system

Adds Run key to start application

Manipulates WinMon driver.

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies system certificate store

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: MapViewOfSection

Runs ping.exe

Enumerates processes with tasklist

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-22 15:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-22 15:56
Reported 2024-02-22 15:58
Platform win7-20240221-en
Max time kernel 149s
Max time network 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c2335aea-a39b-4923-a774-bce038c3ada9\\F4DB.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows)

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (14 identical rows)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows)

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\E0D2.exe = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\E0D2.exe = "0" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c2335aea-a39b-4923-a774-bce038c3ada9\\F4DB.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F4DB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240222155741.cab C:\Windows\system32\makecab.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [DER certificate blob omitted; the hex on the original page decodes to a certificate with subject CN=DigiCert Global Root G2] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [binary blob omitted] C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [binary blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A N/A N/A (62 identical rows)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\E0D2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F330.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif N/A
(6 further FindShellTrayWindow events were recorded with no process attributed; the empty rows are collapsed here)

Suspicious use of WriteProcessMemory

(identical rows collapsed in order of first appearance; Count is the number of WriteProcessMemory events recorded for that parent/child pair)

Description Indicator Process Target Count
PID 1364 wrote to memory of 2516 N/A N/A C:\Windows\system32\cmd.exe 3
PID 2516 wrote to memory of 2544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe 3
PID 1364 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe 4
PID 2376 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe C:\Users\Admin\AppData\Local\Temp\F4DB.exe 11
PID 2504 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe C:\Windows\SysWOW64\icacls.exe 4
PID 2504 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe C:\Users\Admin\AppData\Local\Temp\F4DB.exe 4
PID 2724 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe C:\Users\Admin\AppData\Local\Temp\F4DB.exe 11
PID 1412 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe 4
PID 2068 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe 11
PID 1412 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\F4DB.exe C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe 4
PID 1364 wrote to memory of 1580 N/A N/A C:\Users\Admin\AppData\Local\Temp\44DF.exe 4
PID 620 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe 1

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\D46F.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\F4DB.exe

C:\Users\Admin\AppData\Local\Temp\F4DB.exe

C:\Users\Admin\AppData\Local\Temp\F4DB.exe

C:\Users\Admin\AppData\Local\Temp\F4DB.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c2335aea-a39b-4923-a774-bce038c3ada9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\F4DB.exe

"C:\Users\Admin\AppData\Local\Temp\F4DB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F4DB.exe

"C:\Users\Admin\AppData\Local\Temp\F4DB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe

"C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe"

C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe

"C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build2.exe"

C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe

"C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe"

C:\Users\Admin\AppData\Local\Temp\44DF.exe

C:\Users\Admin\AppData\Local\Temp\44DF.exe

C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe

"C:\Users\Admin\AppData\Local\7ceaf7e2-4b2c-491c-868e-576821257446\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\565D.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 128

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1460

C:\Users\Admin\AppData\Local\Temp\E0D2.exe

C:\Users\Admin\AppData\Local\Temp\E0D2.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222155741.log C:\Windows\Logs\CBS\CbsPersist_20240222155741.cab

C:\Users\Admin\AppData\Local\Temp\EF19.exe

C:\Users\Admin\AppData\Local\Temp\EF19.exe

C:\Users\Admin\AppData\Local\Temp\F330.exe

C:\Users\Admin\AppData\Local\Temp\F330.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit

C:\Users\Admin\AppData\Local\Temp\E0D2.exe

"C:\Users\Admin\AppData\Local\Temp\E0D2.exe"

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\cmd.exe

cmd /c md 21758

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 21758\Upgrades.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Meaning 21758\Z

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21758\Upgrades.pif

21758\Upgrades.pif 21758\Z

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\taskeng.exe

taskeng.exe {903D9B52-DFB1-4FF4-A332-93B3C5E3AB5B} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
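The command lines listed above carry most of the report's high-signal behaviour: a second OS loader entry with code integrity checks switched off, a logon task running with highest privileges, a one-minute task whose action lives under AppData, an inbound firewall allow rule for a csrss.exe that is not the one in System32, an icacls rule denying Everyone delete rights on the dropper's directory, and tasklist piped into findstr to look for security products. The Python below is an added example written for this page, not part of the sandbox output or of any vendor ruleset: a small set of command-line triage rules run over lines copied from the Processes section plus three benign controls. The rule names and patterns are the editor's own assumptions about what to key on; note that the two "Azure-Update-Task" lines on the page lack the schtasks executable name, so that rule deliberately matches on the switches alone.

```python
"""Command-line triage rules for the process list in this report.

Added example by the editor, not part of the sandbox output. The sample
command lines are copied from the Processes section (plus three benign
controls that must stay quiet); the rule names and patterns are the
editor's own assumptions, not a vendor ruleset.
"""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    rule: str
    cmdline: str


# (rule name, pattern). Every pattern is applied case-insensitively to the
# whole command line.
RULES = [
    # Glupteba-style DSE bypass: an OS loader entry with code integrity off
    ("bcdedit_nointegritychecks",
     re.compile(r'bcdedit(\.exe)?\b.*\b(nointegritychecks\s+1|testsigning\s+on)\b', re.I)),
    # Making the rogue entry the default and hiding the boot menu
    ("bcdedit_default_or_timeout",
     re.compile(r'bcdedit(\.exe)?\b.*\s-(default\b|timeout\s+0\b)', re.I)),
    # Logon task with highest privileges
    ("schtasks_onlogon_highest",
     re.compile(r'schtasks\b.*/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b', re.I)),
    # One-minute task whose action lives in the user profile; the page's two
    # "Azure-Update-Task" lines lack the schtasks executable name, so this
    # rule keys on the switches alone
    ("schtasks_minute_appdata",
     re.compile(r'/create\b.*/sc\s+minute\s+/mo\s+1\b.*/tr\s+"[^"]*\\AppData\\', re.I)),
    # Inbound allow rule for a program that is not under System32
    ("netsh_allow_non_system32",
     re.compile(r'netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow\b.*program="(?!C:\\Windows\\System32\\)', re.I)),
    # Djvu-style ACL lock: deny Everyone (S-1-1-0) delete rights on a folder
    ("icacls_deny_everyone",
     re.compile(r'icacls\b.*/deny\s+\*S-1-1-0:', re.I)),
    # Security-product discovery via tasklist | findstr
    ("findstr_av_processes",
     re.compile(r'findstr\s+/I\s+"[^"]*(avastui|avgui|sophoshealth|wrsa|opssvc)[^"]*"', re.I)),
    # Injector loading an NtQuerySystemInformation hook DLL (process hiding)
    ("injector_ntqsi_hook",
     re.compile(r'injector\.exe\b.*NtQuerySystemInformationHook\.dll', re.I)),
]


def triage(cmdlines):
    """Return every (rule, cmdline) pair that fires, in input order."""
    return [Hit(name, line) for line in cmdlines
            for name, pattern in RULES if pattern.search(line)]


def rule_counts(cmdlines):
    """Map rule name -> number of command lines that triggered it."""
    return Counter(hit.rule for hit in triage(cmdlines))


# Constructed sample: the first eleven lines are copied from the Processes
# section above; the last three are benign controls that must not fire.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -timeout 0',
    r'C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'icacls "C:\Users\Admin\AppData\Local\c2335aea-a39b-4923-a774-bce038c3ada9" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"',
    r'findstr /I "wrsa.exe opssvc.exe"',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Windows\Sysnative\bcdedit.exe /v',
    r'ping -n 5 127.0.0.1',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222155741.log C:\Windows\Logs\CBS\CbsPersist_20240222155741.cab',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(f"[{hit.rule}] {hit.cmdline}")
```

Run as-is it prints ten hits and stays silent on the `schtasks /delete`, `bcdedit /v`, ping and makecab lines. In production the same rules would sit on process-creation telemetry (Sysmon event 1 or 4688 command lines) rather than on a pasted list, and the `bcdedit` rules in particular are rare enough on workstations to alert on directly.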
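The bcdedit sequence above builds a second OS loader entry described as "Windows Fast Mode", points its path at \Windows\system32\osloader.exe rather than the stock winload.exe, sets nointegritychecks 1 on it, makes it the default and drops the boot menu timeout to 0 so the machine boots into it without any visible choice. With integrity checks off for that boot, kernel-mode code signing is not enforced, which is what an unsigned driver needs to load. On a suspect host the state to check is the output of `bcdedit /enum all`, and the thing to look for is any loader entry with nointegritychecks or testsigning set, especially one that is also the default. The parser below is an added example written for this page, not part of the report or of any tooling it names; the sample text is constructed to mirror the entry the commands above would create, in bcdedit's key/value layout, and is not captured output from this detonation. Real output will differ in identifiers and descriptions, and the remediation strings are generated for an operator to review, not executed.

```python
"""Check a host's boot configuration for a rogue loader entry like the one the
bcdedit chain in this report creates.

Added example by the editor, not part of the report. Feed parse_bcd_enum()
the text of `bcdedit /enum all`. SAMPLE_BCD is constructed to mirror what the
chain above would produce and is not output captured from this detonation.
"""
import re

KEY_VALUE = re.compile(r"^([a-z]+)\s+(\S.*?)\s*$")      # "identifier   {bootmgr}"
CONTINUATION = re.compile(r"^\s+(\S.*?)\s*$")            # extra displayorder lines
RISKY_OPTIONS = ("nointegritychecks", "testsigning")


def parse_bcd_enum(text):
    """Parse `bcdedit /enum all` output into one dict per entry.

    The entry kind ("Windows Boot Manager", "Windows Boot Loader", ...) is
    stored under "_type"; option names become lower-case keys. Options that
    span several lines, such as displayorder, become lists.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        entry = {"_type": lines[0].strip()}
        last_key = None
        for line in lines[1:]:
            if not line.strip() or set(line.strip()) == {"-"}:
                continue                                  # underline beneath the header
            m = KEY_VALUE.match(line)
            if m:
                last_key = m.group(1)
                entry[last_key] = m.group(2)
                continue
            m = CONTINUATION.match(line)
            if m and last_key is not None:
                prev = entry[last_key]
                entry[last_key] = (prev if isinstance(prev, list) else [prev]) + [m.group(1)]
        entries.append(entry)
    return entries


def unsafe_boot_entries(entries):
    """Loader entries with code integrity disabled or test signing on, annotated
    with whether the boot manager would select them by default and silently."""
    manager = next((e for e in entries if e["_type"] == "Windows Boot Manager"), {})
    default_id = str(manager.get("default", "")).lower()
    timeout = str(manager.get("timeout", ""))
    findings = []
    for e in entries:
        if e["_type"] != "Windows Boot Loader":
            continue
        flags = [opt for opt in RISKY_OPTIONS if str(e.get(opt, "")).lower() == "yes"]
        if not flags:
            continue
        findings.append({
            "identifier": e["identifier"],
            "description": e.get("description", ""),
            "path": e.get("path", ""),
            "flags": flags,
            "is_default": e["identifier"].lower() == default_id,
            "silent_boot": timeout == "0",
        })
    return findings


def remediation_commands(findings, restore_to="{current}"):
    """Commands for an operator to review; restore the default first, then
    delete the rogue entries. Nothing here executes them."""
    cmds = []
    if any(f["is_default"] for f in findings):
        cmds.append(f"bcdedit /default {restore_to}")
    cmds += [f"bcdedit /delete {f['identifier']}" for f in findings]
    return cmds


# Constructed sample in bcdedit's layout: a clean {current} entry plus the
# "Windows Fast Mode" entry the commands in this report would create.
SAMPLE_BCD = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {71a3c7fc-f751-4982-aec1-e958357e6813}
displayorder            {current}
                        {71a3c7fc-f751-4982-aec1-e958357e6813}
toolsdisplayorder       {memdiag}
timeout                 0

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
nx                      OptIn

Windows Boot Loader
-------------------
identifier              {71a3c7fc-f751-4982-aec1-e958357e6813}
device                  partition=C:
path                    \Windows\system32\osloader.exe
description             Windows Fast Mode
inherit                 {bootloadersettings}
recoveryenabled         No
osdevice                partition=C:
systemroot              \Windows
kernel                  ntkrnlmp.exe
nx                      OptIn
nointegritychecks       Yes
"""

if __name__ == "__main__":
    found = unsafe_boot_entries(parse_bcd_enum(SAMPLE_BCD))
    for f in found:
        print(f"{f['identifier']} '{f['description']}' flags={f['flags']} "
              f"default={f['is_default']} silent={f['silent_boot']} path={f['path']}")
    print("\n".join(remediation_commands(found)))
```

On the sample this reports the Fast Mode entry as both the default and a silent boot and emits `bcdedit /default {current}` followed by `bcdedit /delete {71a3c7fc-...}`. Two caveats for real hosts: bcdedit refuses to set testsigning or nointegritychecks while Secure Boot is enabled, so a finding like this also says the machine was not Secure Boot protected; and removing the entry does not remove whatever driver it was created to load, so the driver directory and service entries still need to be reviewed separately.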

Network

(identical rows collapsed in order of first appearance; Count is the number of identical flows in the capture; Domain N/A means no name was resolved for the destination)

Country Destination Domain Proto Count
US 8.8.8.8:53 trad-einmyus.com udp 1
RU 185.12.126.182:80 trad-einmyus.com tcp 52
US 8.8.8.8:53 brusuax.com udp 1
PE 190.187.52.42:80 brusuax.com tcp 2
US 8.8.8.8:53 api.2ip.ua udp 1
US 172.67.139.220:443 api.2ip.ua tcp 2
US 8.8.8.8:53 habrafa.com udp 1
PA 200.46.202.73:80 habrafa.com tcp 2
US 8.8.8.8:53 m2reg.ulm.ac.id udp 1
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp 1
US 8.8.8.8:53 t.me udp 1
NL 149.154.167.99:443 t.me tcp 4
US 8.8.8.8:53 steamcommunity.com udp 1
GB 23.214.154.77:443 steamcommunity.com tcp 1
FI 95.217.29.171:443 95.217.29.171 tcp 4
US 8.8.8.8:53 mahta-netwotk.click udp 1
US 8.8.8.8:53 notmalware.top udp 1
RU 5.188.88.181:80 notmalware.top tcp 1
US 8.8.8.8:53 trypokemon.com udp 1
US 104.21.51.193:443 trypokemon.com tcp 1
US 8.8.8.8:53 loftproper.com udp 1
US 104.21.11.77:443 loftproper.com tcp 1
US 8.8.8.8:53 apps.identrust.com udp 1
GB 96.17.179.205:80 apps.identrust.com tcp 1
US 8.8.8.8:53 transfer.sh udp 1
DE 144.76.136.153:443 transfer.sh tcp 1
DE 185.149.146.82:80 185.149.146.82 tcp 1
US 8.8.8.8:53 AKDHTrZGmMfGSiQC.AKDHTrZGmMfGSiQC udp 1
US 8.8.8.8:53 6bed9fd5-08c5-4f99-85c0-32f1f1f7c8a4.uuid.localstats.org udp 1
US 8.8.8.8:53 r.l1nc0in.ru udp 1
US 104.21.58.54:80 r.l1nc0in.ru tcp 1
US 8.8.8.8:53 msdl.microsoft.com udp 1
US 204.79.197.219:443 msdl.microsoft.com tcp 1
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp 1
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp 1
US 129.153.86.0:8778 N/A tcp 198
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp 1
US 20.150.70.36:443 vsblobprodscussu5shard20.blob.core.windows.net tcp 1
US 8.8.8.8:53 cdn.discordapp.com udp 1
US 8.8.8.8:53 stun4.l.google.com udp 1
US 8.8.8.8:53 server12.localstats.org udp 1
US 162.159.135.233:443 cdn.discordapp.com tcp 1
ZA 74.125.27.36:19302 stun4.l.google.com udp 1
BG 185.82.216.111:443 server12.localstats.org tcp 1
US 8.8.8.8:53 walkinglate.com udp 1
US 104.21.23.184:443 walkinglate.com tcp 1

Files

memory/1720-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1720-1-0x0000000000600000-0x0000000000700000-memory.dmp

memory/1720-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1364-4-0x00000000025C0000-0x00000000025D6000-memory.dmp

memory/1720-8-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1720-5-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D46F.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\F4DB.exe

MD5 5648348e81a70ef7ab40f963b44713f6
SHA1 3e2d708a95de8e53ba4a6b9359cc0cc6dfcddea7
SHA256 4bf966f6dd9cb739b073a8bc48f521eb9c35b4f050e799be6eac795fe615263d
SHA512 899d833a1a43ca6160bfb89775c83a049afaa0e3e8cf48dde112f7de351d307fd194c97ffe3ab0c2e86fc7bb75ed3b3d53b0d95ea1fa80252020153ca4813a8f

memory/2376-27-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2376-28-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2504-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2376-31-0x00000000008A0000-0x00000000009BB000-memory.dmp

memory/2504-34-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2504-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2504-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2504-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2724-61-0x0000000000330000-0x00000000003C2000-memory.dmp

memory/2724-62-0x0000000000330000-0x00000000003C2000-memory.dmp

memory/1412-69-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-70-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 04e1c0fb7c50efaf86ba32ac99af0cd4
SHA1 844aeeaba2b3c0a23a3f3580ee9eafde8eee9aa0
SHA256 59cd12f0b76ce31550e9068fed1da5c917f8b4361ef4f3c62c9522473162705a
SHA512 3394f7025fe90250bc8ae1caeba12ec23019a31c1762e5ab757cd874ff33160b1596be9bb079b5641b7476c306c8ebd520fab5f00a0dca06372c67387f21ce40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0fc7fd4e9436d6ddfc9330ada2aed490
SHA1 f223486cd69f5b8c0a8f0763fad9ecf783159366
SHA256 ed4046de6ded153893856e122a91fe8c1a81e4acc3cee5bde3be407dfe0c99aa
SHA512 17f7e1ff1e1b2158f105dd093631d02d98be574a926940ad5d60c5b484f8163e42e57f1e1ae94f27ff564ca0ab63765bf3fc2ae81ad75a48312bbb10b7402ab1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 31ef2da866f96e78a00fc9e18d660a80
SHA1 893276a843f849798bb01cec3eda7fbe8b97052c
SHA256 e3502879afb5ecddd4ffeb1cd6b0d6f22af323e0618535d07f8f85714512dda2
SHA512 ea730569172877dd60c66bf0adf2f02591209170e11b07e33a41c56761e5bfd48c999dbe161c301b2efc5e011d8b49c070a33fe55211d3c6334cb0b2634fbfdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45efa9b472bd53c150a425f28d5e324f
SHA1 51ac28f0d1e624b2309b648d63befedcd8d0c2b6
SHA256 1f09ea9bc8dff6f0e6dc464976df405d9ea51a2170f31d57d71918ff995a9244
SHA512 495a559747434f4b1f19f0757da310e2cbe92cf5176590f699e2511ebb675b6a962846fc6d035aae14f4ee1d4f09eaa950b09493c6ed291659a2f6702eb82895

C:\Users\Admin\AppData\Local\Temp\CabA0F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1412-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-84-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-88-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1412-90-0x0000000000400000-0x0000000000537000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 15:56

Reported

2024-02-22 15:58

Platform

win10v2004-20240221-en

Max time kernel

85s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e42abc41-a440-4a78-9a14-43b385d904d3\\D41A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\D41A.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D41A.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\99A0.exe N/A

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2200714112-3788720386-2559682836-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e42abc41-a440-4a78-9a14-43b385d904d3\\D41A.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\D41A.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3948 set thread context of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 set thread context of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9CED.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 4824 N/A N/A C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4824 N/A N/A C:\Windows\system32\cmd.exe
PID 4824 wrote to memory of 3096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4824 wrote to memory of 3096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3468 wrote to memory of 3948 N/A N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3468 wrote to memory of 3948 N/A N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3468 wrote to memory of 3948 N/A N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3948 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 1948 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Windows\SysWOW64\icacls.exe
PID 1948 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Windows\SysWOW64\icacls.exe
PID 1948 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Windows\SysWOW64\icacls.exe
PID 1948 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 1948 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 1948 wrote to memory of 4644 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 4644 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\D41A.exe C:\Users\Admin\AppData\Local\Temp\D41A.exe
PID 3468 wrote to memory of 3988 N/A N/A C:\Users\Admin\AppData\Local\Temp\934.exe
PID 3468 wrote to memory of 3988 N/A N/A C:\Users\Admin\AppData\Local\Temp\934.exe
PID 3468 wrote to memory of 3988 N/A N/A C:\Users\Admin\AppData\Local\Temp\934.exe
PID 3468 wrote to memory of 4876 N/A N/A C:\Windows\system32\cmd.exe
PID 3468 wrote to memory of 4876 N/A N/A C:\Windows\system32\cmd.exe
PID 4876 wrote to memory of 3420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4876 wrote to memory of 3420 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3468 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D1C.exe
PID 3468 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D1C.exe
PID 3468 wrote to memory of 1952 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D1C.exe
PID 1952 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\8D1C.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\8D1C.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1952 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\8D1C.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3468 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\99A0.exe
PID 3468 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\99A0.exe
PID 3468 wrote to memory of 4180 N/A N/A C:\Users\Admin\AppData\Local\Temp\99A0.exe
PID 3468 wrote to memory of 376 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CED.exe
PID 3468 wrote to memory of 376 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CED.exe
PID 4180 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\99A0.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\99A0.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\99A0.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2392 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2392 wrote to memory of 3752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2392 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2392 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2392 wrote to memory of 3136 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2392 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2392 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2392 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 2392 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BCE7.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\D41A.exe

C:\Users\Admin\AppData\Local\Temp\D41A.exe

C:\Users\Admin\AppData\Local\Temp\D41A.exe

C:\Users\Admin\AppData\Local\Temp\D41A.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e42abc41-a440-4a78-9a14-43b385d904d3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\D41A.exe

"C:\Users\Admin\AppData\Local\Temp\D41A.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D41A.exe

"C:\Users\Admin\AppData\Local\Temp\D41A.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3664 -ip 3664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 568

C:\Users\Admin\AppData\Local\Temp\934.exe

C:\Users\Admin\AppData\Local\Temp\934.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DF8.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\8D1C.exe

C:\Users\Admin\AppData\Local\Temp\8D1C.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\99A0.exe

C:\Users\Admin\AppData\Local\Temp\99A0.exe

C:\Users\Admin\AppData\Local\Temp\9CED.exe

C:\Users\Admin\AppData\Local\Temp\9CED.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\cmd.exe

cmd /c md 21719

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 21719\Upgrades.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Meaning 21719\Z

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21719\Upgrades.pif

21719\Upgrades.pif 21719\Z

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\8D1C.exe

"C:\Users\Admin\AppData\Local\Temp\8D1C.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 mahta-netwotk.click udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 notmalware.top udp
RU 5.188.88.181:80 notmalware.top tcp
US 8.8.8.8:53 181.88.188.5.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 188.114.97.2:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 23.179.17.96.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 172.67.185.36:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 188.114.97.2:443 loftproper.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 36.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
DE 185.149.146.82:80 185.149.146.82 tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 r.l1nc0in.ru udp
US 104.21.58.54:80 r.l1nc0in.ru tcp
US 8.8.8.8:53 82.146.149.185.in-addr.arpa udp
US 8.8.8.8:53 54.58.21.104.in-addr.arpa udp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 8.8.8.8:53 AKDHTrZGmMfGSiQC.AKDHTrZGmMfGSiQC udp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 8.8.8.8:53 67e0ea98-a4a2-4042-be82-81b547a82946.uuid.localstats.org udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/1692-2-0x0000000002190000-0x000000000219B000-memory.dmp

memory/1692-1-0x0000000000470000-0x0000000000570000-memory.dmp

memory/1692-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3468-4-0x0000000000F80000-0x0000000000F96000-memory.dmp

memory/1692-5-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BCE7.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\D41A.exe

MD5 5648348e81a70ef7ab40f963b44713f6
SHA1 3e2d708a95de8e53ba4a6b9359cc0cc6dfcddea7
SHA256 4bf966f6dd9cb739b073a8bc48f521eb9c35b4f050e799be6eac795fe615263d
SHA512 899d833a1a43ca6160bfb89775c83a049afaa0e3e8cf48dde112f7de351d307fd194c97ffe3ab0c2e86fc7bb75ed3b3d53b0d95ea1fa80252020153ca4813a8f

memory/3948-20-0x00000000024F0000-0x0000000002589000-memory.dmp

memory/3948-21-0x0000000002590000-0x00000000026AB000-memory.dmp

memory/1948-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1948-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1948-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1948-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D41A.exe

MD5 25e2a1d7fbb3141fa9f6224af53647ed
SHA1 3a63db49d5d1eae22abd10bade603364b88651ca
SHA256 f270d2b99b9a02a7673c871e583054df7029048efd78a5c9681418a9d0c5e64a
SHA512 8cdd4d80fdf2079f678ca056132e25dfadd38b58f16d1ae508d50a4d8f39bc020931798854743c98a911a7abd53fc9f0be4534573230b73e9f428d505dbc7d81

memory/1948-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4644-39-0x00000000024E0000-0x0000000002576000-memory.dmp

memory/3664-42-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-43-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-45-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\934.exe

MD5 479342d62078aaf31881972c7574f6f2
SHA1 382fa9a95746ca6199e7dfb9ae2bd035f4000fb4
SHA256 a6b59e0a275b5314935a3f812a5ba7dd5d5cc9524d3a6efdeb3a103eea386f6d
SHA512 0e74e3e0b993968220e712ffd94a76c00d35f0452494d62b3f6780c80cc0cae2e9982978830c54bed3a57d17a5a84abbdc4c0cbb5961afcae785048ac4ac47da

memory/3988-51-0x0000000000760000-0x0000000001237000-memory.dmp

memory/3988-59-0x0000000001270000-0x0000000001271000-memory.dmp

memory/3988-61-0x0000000001290000-0x0000000001291000-memory.dmp

memory/3988-62-0x00000000012A0000-0x00000000012A1000-memory.dmp

memory/3988-60-0x0000000001280000-0x0000000001281000-memory.dmp

memory/3988-64-0x0000000000760000-0x0000000001237000-memory.dmp

memory/3988-63-0x00000000012B0000-0x00000000012B1000-memory.dmp

memory/3988-66-0x00000000013D0000-0x00000000013D1000-memory.dmp

memory/3988-65-0x00000000012C0000-0x00000000012C1000-memory.dmp

memory/3988-68-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/3988-67-0x00000000013E0000-0x00000000013E1000-memory.dmp

memory/3988-71-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

memory/3988-72-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

memory/3988-70-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/3988-73-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

memory/3988-74-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

memory/3988-79-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/3988-78-0x0000000002F40000-0x0000000002F41000-memory.dmp

memory/3988-77-0x0000000002F30000-0x0000000002F31000-memory.dmp

memory/3988-76-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/3988-75-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/3988-80-0x0000000000760000-0x0000000001237000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\934.exe

MD5 c5b783820533a49456d95f5e348130e9
SHA1 68e9917aacd4b8e28ea2333915a926ab72e31402
SHA256 8c3f28a7d02bcc522ae19861c7bdd208fe0d60727cd9b7049249af34f25e538e
SHA512 f67dbae8c75041800e425e71ca975b9f9a6b26a3c197dca62e8cfcfe42946ded0f45d22c5c2ebe23f64f3e28627bb18e015f6c6df04ef4e14366cadcba8d39dd

memory/3988-84-0x0000000002F60000-0x0000000002F92000-memory.dmp

memory/3988-83-0x0000000002F60000-0x0000000002F92000-memory.dmp

memory/3988-82-0x0000000002FC0000-0x000000000355F000-memory.dmp

memory/3988-85-0x0000000002F60000-0x0000000002F92000-memory.dmp

memory/3988-86-0x0000000002F60000-0x0000000002F92000-memory.dmp

memory/3988-87-0x0000000000760000-0x0000000001237000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8D1C.exe

MD5 c9e01ab6208b39a9f1a1253dca7e89bc
SHA1 5bcba5cc0dc560772f8026cb6dd4f236acbfd8bb
SHA256 0e1ccfee9b80ca2c36a53cc104ef5e8d3a702dabbcc1daafecca2a7f7db043b8
SHA512 4cacf3f7794a8e06ca2da7aaa0bef37009206fde58a5d5ce4326ef84addd7bdbfd7477b437ac6a72fa31023c17e9a7f7079bb0e97ff772d880d090bbb96d1da1

memory/1952-93-0x0000000002AB0000-0x0000000002EB3000-memory.dmp

memory/1952-94-0x0000000002EC0000-0x00000000037AB000-memory.dmp

memory/1952-95-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5076-97-0x0000000074080000-0x0000000074830000-memory.dmp

memory/5076-96-0x0000000004FF0000-0x0000000005026000-memory.dmp

memory/5076-99-0x0000000005140000-0x0000000005150000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\99A0.exe

MD5 cbacac5745b48fdfde1a98958e155c0a
SHA1 d2fef4507b48d5717570221147ddce5e84939a08
SHA256 835536d2bf4649a5dfddc7e24fb7dcc83396f94cf621d62ae9b42d1c1711fd98
SHA512 589e42afbbdb1bbcef64bcc3998acf2f22aacc1dfc56f3d5970c9afcebfcaa7a6d01d0d58a6b30cb0048c5ee560fd599a40a3f7858c4381ad11d55bf2c0b2cff

memory/5076-102-0x0000000005780000-0x0000000005DA8000-memory.dmp

memory/5076-101-0x0000000005140000-0x0000000005150000-memory.dmp

memory/5076-105-0x0000000005600000-0x0000000005622000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\99A0.exe

MD5 6bbbd247c42458c986fdd64a975d4f37
SHA1 0ea0f242a2ea0e350209688e6637fd98bd688777
SHA256 d73ed54d3d0bcfd99c26a4f6311b1af9c980a8d79caeb88b82eefa1cff6c5de3
SHA512 52013b335a2c42b6b8237cccbcfd6588648d368fcf9f356b4bb0843e6d199c26ba731384bb3906b106781a7b6369c9e297f304efb705321d5b95e58fda08958c

memory/5076-107-0x0000000005F20000-0x0000000005F86000-memory.dmp

memory/5076-108-0x0000000005F90000-0x0000000005FF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gsbnriyv.yua.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\9CED.exe

MD5 3d3ae7c2eddea19c3146543b95cdda7e
SHA1 ea36133e7bfc1b57cd8e78a6daf24f59526ceba0
SHA256 1f2a148765b1ef3247ca4312ea8d1460673744448ebd4559377eabd1ca1702f2
SHA512 2ee471f0e0423610dbac9f9d472d529d0b9da22f7ca45ae973a80080920f9ac04342051ad16858918ac4bbab48068b16d78d4d177b8a029c21dde509e333c775

memory/5076-123-0x0000000006000000-0x0000000006354000-memory.dmp

memory/376-122-0x0000000000100000-0x000000000010A000-memory.dmp

memory/376-130-0x00007FFE62CB0000-0x00007FFE63771000-memory.dmp

memory/376-133-0x000000001AE10000-0x000000001AE20000-memory.dmp

memory/5076-140-0x00000000065F0000-0x000000000660E000-memory.dmp

memory/5076-141-0x0000000006630000-0x000000000667C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Unlikely

MD5 19bc1bbe515dee767f02d503fa9d2cff
SHA1 acc900deea8e8eff4e1bda1ac2c89aa70ef0e7f9
SHA256 51ad4dc19fa436ac00a8b019da9ca49f30dcfe31d9aee0aabbb037fd10bca367
SHA512 fd0b3d6a867d8c7923d1166f546d4e14db0209df8d13dc46e9d08578ee78d4fc8739638e01f456f542cc383a2d086ed600931a8e889dcb1c4eb93d3cfe3a3dac

memory/5076-143-0x0000000006B50000-0x0000000006B94000-memory.dmp

memory/5076-144-0x0000000005140000-0x0000000005150000-memory.dmp

memory/5076-145-0x0000000007930000-0x00000000079A6000-memory.dmp

memory/5076-146-0x0000000008030000-0x00000000086AA000-memory.dmp

memory/5076-147-0x00000000079B0000-0x00000000079CA000-memory.dmp

memory/1952-149-0x0000000002AB0000-0x0000000002EB3000-memory.dmp

memory/5076-148-0x0000000007B70000-0x0000000007BA2000-memory.dmp

memory/5076-150-0x000000007F490000-0x000000007F4A0000-memory.dmp

memory/5076-151-0x000000006F540000-0x000000006F58C000-memory.dmp

memory/5076-152-0x00000000702A0000-0x00000000705F4000-memory.dmp

memory/5076-162-0x0000000007B50000-0x0000000007B6E000-memory.dmp

memory/5076-163-0x0000000007BB0000-0x0000000007C53000-memory.dmp

memory/5076-164-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

memory/376-165-0x0000000002420000-0x0000000002432000-memory.dmp

memory/376-166-0x000000001ADA0000-0x000000001ADDC000-memory.dmp

memory/5076-167-0x0000000007D80000-0x0000000007E16000-memory.dmp

memory/5076-168-0x0000000007CE0000-0x0000000007CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Here

MD5 1e7e25167c2a8f93c2d176e935b21834
SHA1 95b93372222ebde1bed0e0efec167bdda7ef04bc
SHA256 d022378a9b3074cf3fb5ea080588846c0aaadb2112cfd5554a0068e76cdd5736
SHA512 503f7b6797182ed5f1ef42d3b52b2815e140ebed505fc9b81ee8f920e49c36f379881c1a51afb4b398c9577a583155a0d2c66ca6cdaf303ac9538746571efdb1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Passwords

MD5 334f84837c9bcece9220e2c979503f68
SHA1 bdbdc63f1b85f72f8cf487dec6aaeb98e352c283
SHA256 10dfb698a8c05eff79092b546608c15e7df803d4aa759090509da6d5d96373d7
SHA512 37c3315a16d9f0e8ab044415a61220e2fa180e6f70f85435de7ccd7d1dcde84a0c13d48f670204e02ba7cfbe892a76f2efa979717b6b2b844a15aea0a845dcbb

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cambodia

MD5 4e9db9155039f5a6a04e16a6a6bfe3b0
SHA1 b293c7fe05d7e92ce7d9cc6f36940eba14f5d460
SHA256 bd3cd1801a2c226c63186f6fe3182fff1847609c5d99ca22209c7e9dbdd3db2d
SHA512 8692e29ec7717ddad30ea365bd4408a178f1d3ff7f7c3535f8ba1545ffdcfe78ae108259d4feb81b1ca819eedf4ef79531103512d29f7fd0fd8146beb14e854a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Movements

MD5 d7563558933a24bd74f0254272cf7830
SHA1 6982d08318ff2204d3714ce12d68a99b4f726fe7
SHA256 1b11dc628b44a4982b7b13891fae62471a380eb2973af359655cf65254ac5a7e
SHA512 fccdc060fd5ddd9b3892f82c343dcd80fdbc1bc24a24c50e9f86a1d917867c2b4189a3d4d6762daf8e9c719b999988a0d568f481c09802c5168010c490fdfcb5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Td

MD5 e32d058720e98d0fab73018ce1753b55
SHA1 f6b431cf3f225c3563591fbec4af922f6bff05d9
SHA256 1cf7bcef592ee857c079e82d39a1c371868597ee1c33e692556d780b5040b83b
SHA512 8f259f0f2eccbe01dc4efe5d4ad34a94dcb0b97f20c3f36c6b7e6c24c14a73fbb6aeefc11e76142cdba83f9bf1dd4d0647bcd1ad2d3a6780e063c48d872caa11

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Meaning

MD5 a6c58504594ab91fc0ca6102abd10e80
SHA1 03edc02d3806aa46d5e4c3c1aa8b6cff1b5c80f6
SHA256 b07a3cb7f4af841db56d43b6d8d35aea563993b8e0ec6d921eab372f637260f7
SHA512 07d68c06afc66c71b04da74d387536cd800f7dcda422f4b67dbff60ba2b883fa360e9292190655448fc130d1ebbeb31af828ee1ba279f904b2a7e556dbb8f1ea

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\21719\Upgrades.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

memory/1952-182-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1952-183-0x0000000002EC0000-0x00000000037AB000-memory.dmp

memory/1592-184-0x0000000076EF1000-0x0000000077011000-memory.dmp

memory/5076-185-0x0000000007D20000-0x0000000007D2E000-memory.dmp

memory/5076-186-0x0000000007D30000-0x0000000007D44000-memory.dmp

memory/5076-187-0x0000000007E20000-0x0000000007E3A000-memory.dmp

memory/5076-188-0x0000000007D70000-0x0000000007D78000-memory.dmp

memory/5076-191-0x0000000074080000-0x0000000074830000-memory.dmp

memory/1596-194-0x0000000002A70000-0x0000000002E6E000-memory.dmp

memory/1596-195-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/376-196-0x00007FFE62CB0000-0x00007FFE63771000-memory.dmp

memory/4152-197-0x0000000074080000-0x0000000074830000-memory.dmp

memory/4152-198-0x0000000002850000-0x0000000002860000-memory.dmp

memory/4152-199-0x0000000002850000-0x0000000002860000-memory.dmp

memory/4152-209-0x00000000057A0000-0x0000000005AF4000-memory.dmp

memory/4152-210-0x0000000005D40000-0x0000000005D8C000-memory.dmp

memory/4152-211-0x0000000002850000-0x0000000002860000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/1952-232-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e3df5fc52bc7cc34acb3017e4cef0dd8
SHA1 8629ea4c8328610724f782bcfba3045f07cc3f8d
SHA256 d944bdbb4f21d29cf465915c4b5fb9561d0ebed808956eb9c1adfb4bdf97d328
SHA512 7fd5908bd85073268af7c30a9aeab1d1d4e7ec278d6e1e8904f4ad14a95fe0fbba39f1ccf29a7f09d75b24198ea4f814d03931c9aff6d1faa52c04f7abf7235d

memory/1596-261-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 edef19eeacd42fb4c7c8267cec102622
SHA1 1614734f746e4545b4c79643c702bbf217606c19
SHA256 163de557926c34e81b308216f716ca8e2baac75289c356eedf04b05e497ea2b4
SHA512 f293f18812b038567ce3ef9847f28c99f14e72efb03d8a852e8f5b0abd0a926fd55ad75d8c3e1e2f812e2405c42247a91ee2523924e41c7987f7fe1905f0f151

C:\Windows\rss\csrss.exe

MD5 998891128c1f42e935af48736c2e96bf
SHA1 e797d61c94d6842e4be69500788360d69c8da896
SHA256 d84927d42c239e62a3da8a69bdf9c9b8b3c9da7d2facc031bbeea470086170f9
SHA512 51f4d08fa48e4b74d4e5d4c3bb7b5089c4891d37f769c3c2384f3652239065b3178107b4124b2d9ba5cebbf13d878e9a9c0adf9abfc76ae25fe85732221fa0d3

memory/1596-296-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 1dfffb99621b2a3a1a1330668f730c18
SHA1 8f91b9512d52317fdb1c93b1e29967a5ba9c8097
SHA256 944abcd3fe150890a9a1c5ec6df44222facecb3bc602dba44b1d8b96f8d2131e
SHA512 e081da0a655605d5f7c2f598b8fc737d6bc04155200e4f110d5539abd1392619f4ef926da872377fb0f4fb5bfabe56839cac336c2f2c2e0b5427595db984c19a

memory/992-303-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cdf3dd1bb2d0ed1c7e5b0345baf8e1a0
SHA1 2d164b0de9eeb98314622009e4cc7dc42db3e008
SHA256 2e99b751c45edff6280a02a5df80ce9fc37c4bdd1d940e210169e7254e8d5384
SHA512 ad68e91fde3521dc9007dd53046bdd363a7bc2228f3e4d7aed1a0fbd6a1c272884511fb1685d1b56a4f5d52826f0880d0a4cc2eedf893f750fd347c700666694

memory/992-332-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e49f3051d850b0e734a03692d897de66
SHA1 9d1437b24766312894d7e0e2f65c711833043566
SHA256 f057d0b2e3aad5507716955a02e736c044455a497ab29853442b7cc16ea477c5
SHA512 95d1ee3b3efe5177772495a925304a23d5bb07fd1cf63dc38589e25e45452194c2c687b1eea2ff33cfd992ba048725d11c36d76620d1ecb43e241b26163f449b

memory/992-350-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1ceaafac8938e3e9b3fb723fde31f0f9
SHA1 dca316bb3bb1702b1ec25bc7759c2f4ade5e8fe6
SHA256 a3172e2bf0bc30b9411b6bd142f1599aeeea0eb31a6543a3ce63c39659b59d8c
SHA512 e389a7d73a433cd3414725f8f1bdef545a8b17788a1afac9fce7efb908b616cd7d828bd47cc411b7235a98d621e0bc339ce8eeb57fba212c2a81dd16abcbfc96