Malware Analysis Report

2024-11-30 04:52

Sample ID 240222-ted9ksce55
Target 6958ACC382E71103A0B83D20BBBB37D2.exe
SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Tags
dcrat djvu glupteba smokeloader vidar 7f6c51bbce50f99b5a632c204a5ec558 tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan lumma stealc upx
score
10/10

Analysis Overview

score
10/10

SHA256

078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164

Threat Level: Known bad

The file 6958ACC382E71103A0B83D20BBBB37D2.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba

Stealc

Djvu Ransomware

Lumma Stealer

DcRat

Windows security bypass

Glupteba payload

Detect Vidar Stealer

SmokeLoader

Vidar

Detected Djvu ransomware

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

UPX packed file

Modifies file permissions

Deletes itself

Executes dropped EXE

Windows security modification

Checks computer location settings

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Enumerates processes with tasklist

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Runs ping.exe

Suspicious behavior: MapViewOfSection

Modifies system certificate store

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 15:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 15:57

Reported

2024-02-22 16:00

Platform

win7-20240221-en

Max time kernel

149s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2a5bdfbc-fe67-4016-9470-48e4bc54a82f\\386F.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\386F.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\F7E.exe = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\F7E.exe = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\2a5bdfbc-fe67-4016-9470-48e4bc54a82f\\386F.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\386F.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240222155939.cab C:\Windows\system32\makecab.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vbssutc N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vbssutc N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vbssutc N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value not captured in this export] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value not captured in this export] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value not captured in this export] C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value not captured in this export] C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\vbssutc N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\F7E.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1E04.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1208 wrote to memory of 2640 N/A N/A C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 2640 N/A N/A C:\Windows\system32\cmd.exe
PID 1208 wrote to memory of 2640 N/A N/A C:\Windows\system32\cmd.exe
PID 2640 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2640 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2640 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1208 wrote to memory of 1252 N/A N/A C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1208 wrote to memory of 1252 N/A N/A C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1208 wrote to memory of 1252 N/A N/A C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1208 wrote to memory of 1252 N/A N/A C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 1252 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2436 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Windows\SysWOW64\icacls.exe
PID 2436 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Windows\SysWOW64\icacls.exe
PID 2436 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Windows\SysWOW64\icacls.exe
PID 2436 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Windows\SysWOW64\icacls.exe
PID 2436 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2436 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2436 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2436 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2232 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\Temp\386F.exe
PID 2084 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 2084 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 2084 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 2084 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 1016 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe
PID 2084 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe
PID 2084 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe
PID 2084 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe
PID 2084 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\386F.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe
PID 1208 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\Temp\7957.exe
PID 1208 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\Temp\7957.exe
PID 1208 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\Temp\7957.exe
PID 1208 wrote to memory of 2620 N/A N/A C:\Users\Admin\AppData\Local\Temp\7957.exe
PID 1812 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\ECB0.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\386F.exe

C:\Users\Admin\AppData\Local\Temp\386F.exe

C:\Users\Admin\AppData\Local\Temp\386F.exe

C:\Users\Admin\AppData\Local\Temp\386F.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\2a5bdfbc-fe67-4016-9470-48e4bc54a82f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\386F.exe

"C:\Users\Admin\AppData\Local\Temp\386F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\386F.exe

"C:\Users\Admin\AppData\Local\Temp\386F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe

"C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe"

C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe

"C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe"

C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe

"C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe"

C:\Users\Admin\AppData\Local\Temp\7957.exe

C:\Users\Admin\AppData\Local\Temp\7957.exe

C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe

"C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1492 -s 1480

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\871D.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2620 -s 128

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\F7E.exe

C:\Users\Admin\AppData\Local\Temp\F7E.exe

C:\Users\Admin\AppData\Local\Temp\1952.exe

C:\Users\Admin\AppData\Local\Temp\1952.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222155939.log C:\Windows\Logs\CBS\CbsPersist_20240222155939.cab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit

C:\Users\Admin\AppData\Local\Temp\1E04.exe

C:\Users\Admin\AppData\Local\Temp\1E04.exe

C:\Users\Admin\AppData\Local\Temp\F7E.exe

"C:\Users\Admin\AppData\Local\Temp\F7E.exe"

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\cmd.exe

cmd /c md 22141

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 22141\Upgrades.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Meaning 22141\Z

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif

22141\Upgrades.pif 22141\Z

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\taskeng.exe

taskeng.exe {DBD5BF41-5DD2-4058-8F1D-F140C77CF6EC} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\vbssutc

C:\Users\Admin\AppData\Roaming\vbssutc

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
UZ 195.158.3.162:80 brusuax.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 188.114.97.2:443 api.2ip.ua tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 188.114.97.2:443 api.2ip.ua tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
UZ 195.158.3.162:80 brusuax.com tcp
US 8.8.8.8:53 habrafa.com udp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
MX 187.156.75.116:80 habrafa.com tcp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
MX 187.156.75.116:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
FI 95.217.29.171:443 95.217.29.171 tcp
FI 95.217.29.171:443 95.217.29.171 tcp
FI 95.217.29.171:443 95.217.29.171 tcp
FI 95.217.29.171:443 95.217.29.171 tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 mahta-netwotk.click udp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 notmalware.top udp
RU 5.188.88.181:80 notmalware.top tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 172.67.185.36:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 188.114.96.2:443 loftproper.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
DE 185.149.146.82:80 185.149.146.82 tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
RU 185.12.126.182:80 trad-einmyus.com tcp
US 8.8.8.8:53 r.l1nc0in.ru udp
US 172.67.201.20:80 r.l1nc0in.ru tcp
US 8.8.8.8:53 AKDHTrZGmMfGSiQC.AKDHTrZGmMfGSiQC udp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 8.8.8.8:53 bbb87345-8c8b-493e-8abe-50d02d7f046e.uuid.localstats.org udp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp
US 129.153.86.0:8778 tcp

Files

memory/2768-1-0x0000000000290000-0x0000000000390000-memory.dmp

memory/2768-2-0x00000000001C0000-0x00000000001CB000-memory.dmp

memory/2768-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2768-5-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1208-4-0x0000000002BC0000-0x0000000002BD6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ECB0.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\386F.exe

MD5 5648348e81a70ef7ab40f963b44713f6
SHA1 3e2d708a95de8e53ba4a6b9359cc0cc6dfcddea7
SHA256 4bf966f6dd9cb739b073a8bc48f521eb9c35b4f050e799be6eac795fe615263d
SHA512 899d833a1a43ca6160bfb89775c83a049afaa0e3e8cf48dde112f7de351d307fd194c97ffe3ab0c2e86fc7bb75ed3b3d53b0d95ea1fa80252020153ca4813a8f

memory/1252-26-0x00000000008A0000-0x0000000000932000-memory.dmp

memory/1252-27-0x00000000008A0000-0x0000000000932000-memory.dmp

memory/1252-28-0x0000000002100000-0x000000000221B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\386F.exe

MD5 a18e279f98aaaa58539b477e2e3ee8e8
SHA1 0f23e9dbb4c52463407fbd03b4c81b46eeac5074
SHA256 9a710d5529063a7fb16e6c1a4fb0eabbba95f783e24bc2cd2acee997459f7084
SHA512 dadae9fe3fabd62873327a4ea728a76fc5c9dc33db716930e0cbd8e2162cd3513a58549f8b9696d82b7c190677e720f8037ce2dd193d88d02b41d00e4bc13aa4

memory/2436-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2436-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\386F.exe

MD5 4a63d28d3bd5fcb5166030842fc85b87
SHA1 4bb1c13045bb46ead5099a54f9ff6041e6e071cb
SHA256 242b5b3e89bbd10b2131dcb88cb032f70c965a616d677a8599eb57af6128b71b
SHA512 275fbc4e40e1c5718444fb77784000c00a06759b1ac53f55a15bb98b4b5ac7b4a98b48240618d99d227435b272263df93d282c75622000fdd3f5709809591afe

\Users\Admin\AppData\Local\Temp\386F.exe

MD5 245ff167651a986a8d990a9c43179389
SHA1 e94c5b646e9f6eced2d531bd6d1499918587d4d4
SHA256 d9b57420bc9140b61ac48579564a446df435e912d3838509702014c0db775f56
SHA512 583b91ba6ea719f803ec669fdb635999d742528d76f83dde8a2006483d12f118db97e06a9d93050d467cbcbaf90a9fca03d90844740a9f8b633abee4ddc4d1fd

memory/2436-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2436-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2436-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2232-60-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2232-61-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2084-68-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2084-69-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 8cfc4b11c6c1a77c77a8b92e2e245606
SHA1 ce72cc4b26895883e361b181d7d128a2a4dc959a
SHA256 98fe25f849beb04c2398908cf94ddd32fe1fba8758509bf39784614e2e205ee8
SHA512 2ba0f69cfe43c74daca270898cd6ef388ba6bffd090f5be0299524e6baf6d3649f44619af405ee975847eb199db4e3d4041947be9385c309d1940c1628854f5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 d32350d7b7e01589827debfe8147a629
SHA1 4277846e13488f6fe127c0f061448d8b15e425bd
SHA256 da5e416d313099491f937a03edab205c087f327fb7a34cd443d3cb229877f474
SHA512 04b149d07501838336d36bf0edbde5ab05e01f4fffcdec431cadcb8d47d74600fc23ba7e16df69a9761071a211215a3536af8bb67809e9a6e259c2dc9dfff990

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 04e1c0fb7c50efaf86ba32ac99af0cd4
SHA1 844aeeaba2b3c0a23a3f3580ee9eafde8eee9aa0
SHA256 59cd12f0b76ce31550e9068fed1da5c917f8b4361ef4f3c62c9522473162705a
SHA512 3394f7025fe90250bc8ae1caeba12ec23019a31c1762e5ab757cd874ff33160b1596be9bb079b5641b7476c306c8ebd520fab5f00a0dca06372c67387f21ce40

C:\Users\Admin\AppData\Local\Temp\Cab4AA7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14bf68be70d3243a2d6e8c6fa0279a88
SHA1 0dda267957e48ba89498940f6550ce2c656f4278
SHA256 c487946caf8e7dcd03d2f5d252df4c460ea770660ad1fbffb390aa1e6c7e5a4e
SHA512 4ed1304a27c6d9f181094eee40c3f73c072ab2fa2db8cfb2ad8cb875f74404bc841bfb6a8d28483e28e64aecf25004dd9f3615414673a5122345bae354dbd557

memory/2084-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2084-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2084-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2084-89-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2084-90-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build2.exe

MD5 c6d3d647baad8a5b93b81d2487f4f072
SHA1 e9c1105dc41f85d4f7e94d4e004f8427787c8802
SHA256 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a
SHA512 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049

memory/1016-105-0x0000000000260000-0x0000000000360000-memory.dmp

memory/1492-104-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1016-107-0x0000000001B90000-0x0000000001BC6000-memory.dmp

memory/1492-108-0x0000000000400000-0x0000000000649000-memory.dmp

memory/1492-111-0x0000000000400000-0x0000000000649000-memory.dmp

memory/2084-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1492-112-0x0000000000400000-0x0000000000649000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar66C0.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2084-131-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7957.exe

MD5 a09dfad823cdcbf527bf15aa92769422
SHA1 9f1b89154dd4f023c5ab8285a1c7ca628e6a06a7
SHA256 cd70d31ef5300bdbc9729cd80af1082a1fd089babaf9aa96947d05788749bae9
SHA512 e5439ce485bdd19ce084d8c3fd698466a4b0b3ab581b98e83cbcf47c9bf2544d01315244fb9f68d080a80f6709198f86bfc7ddbcd4fe8c00134e182c2b093118

memory/2620-251-0x0000000000310000-0x0000000000DE7000-memory.dmp

memory/1812-256-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2660-259-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1812-255-0x0000000000930000-0x0000000000A30000-memory.dmp

memory/2660-265-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\64a48ac9-8419-4191-9713-6f43dfb33641\build3.exe

MD5 5c883ef6d1ad03173f30db4fc691d0a7
SHA1 4007444885a94ad3092e287a196249bc6c1301ef
SHA256 b1e0b896d1cdbe0cfe16d1d6f604640e2b22aeb144eb411086fa31d2073f316e
SHA512 125b18de452ee08cc42806f15864bb5429403ca696e385d5fb32d87cde841629e12f0d64c308c8ff7444d36c5da71e75fdc66733418bc886cad6a6e9ba7eb816

memory/2660-266-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2660-262-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2620-268-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2620-271-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2620-273-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2620-270-0x0000000000310000-0x0000000000DE7000-memory.dmp

memory/2620-274-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2620-275-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2620-277-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2620-279-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2620-284-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2620-282-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2620-280-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2620-285-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2620-287-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2620-289-0x00000000000B0000-0x00000000000B1000-memory.dmp

memory/2620-290-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2620-291-0x00000000775B0000-0x00000000775B1000-memory.dmp

memory/2620-293-0x0000000000140000-0x0000000000141000-memory.dmp

memory/2620-296-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2620-298-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2620-308-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/1492-322-0x0000000000400000-0x0000000000649000-memory.dmp

memory/2620-323-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2620-328-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2620-333-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2620-339-0x00000000775B0000-0x00000000775B1000-memory.dmp

memory/2620-350-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2620-363-0x0000000000310000-0x0000000000DE7000-memory.dmp

memory/2620-364-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2620-377-0x00000000775AF000-0x00000000775B0000-memory.dmp

memory/2620-379-0x0000000000E20000-0x0000000000E21000-memory.dmp

\Users\Admin\AppData\Local\Temp\7957.exe

MD5 be294f38a21d9b4e6eb144e06162d299
SHA1 4c5537aaa32228fcba8bbcfc02dc4f54112e3b9c
SHA256 a7e580ad02ed67ddbcb3f8b10262cee44b6054f96a535040f5b13b2f0f768ef6
SHA512 60dd6c734d632d55ca0d2f0f9baace25e497741f35f009877b426d39f3dffbebb28293ce89be7690be555161179499be38c76c44f875c277b6d388a1aaf3bec3

\Users\Admin\AppData\Local\Temp\7957.exe

MD5 6412f45985f8316102d85f3b4fa87d94
SHA1 d58e122e555c2af2dc381a3f270a2441473ef663
SHA256 d550f5297471b5413a587e5e9fa8875c5d7f79f278113db3c3f14c92697d060a
SHA512 884ee423f2200fe9d5ad2926e2e01238928a301b311e97921973ba123cc095401c0105644279b74711a662bc064bbddd67bcb77ad95cdbc66f271e573eec2303

\Users\Admin\AppData\Local\Temp\7957.exe

MD5 f070aab842aa4396e14585d8c283eb0b
SHA1 1ff3c1de51843c1eb4b0b2472cfe7103f1de9e66
SHA256 f8a591aa7b4c0300111159db515193bfa7ba091f105c8ee3ee00b06dd08f8f93
SHA512 0cc3f133a280cff38c8be6c0b09ca06635891f3571c2730bf7ce0995fedb4169219ece8a3936ad2db126862caf43ca790d5f8760f2eb4b199302180defb18583

\Users\Admin\AppData\Local\Temp\7957.exe

MD5 dc316c79793f2940cb2d0b2a3d34d906
SHA1 1e1219d3bd665b04628a681a73713dbdec328700
SHA256 9b6b57ff04e1108412bc31dc24b8ac0b3a6835422b2c0eb51aac85e2e2894734
SHA512 7edb26fbf62549c9fac4285488c032377e93c92f7fc20a968451e2aa99865d5b7b6a60f6486457ae9c13a815cfcd177e53016173a3bad3f8a5cf11e8b31426f0

\Users\Admin\AppData\Local\Temp\7957.exe

MD5 0a5cbcde409f211f0a74b20899c93642
SHA1 cb40f721df063ecfd2310453171d97fee4d3041b
SHA256 14877cc7f69e4b1833530f36c9bd7ba02774ba8b3dfa09efd048e4e6f6c0dd2f
SHA512 307bd91e52d1680ccad9df593e71ac20326c90603ff8d0f35c83b87bd8b0615d561a892464b67e911a8e4a45fe2a0c5663affeca66d86cc307e746be8126a218

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 44d4b2b3554d34a4de4bfd1f449d3bc1
SHA1 5f3d051a16867f1a31f9d04710e00bb89588d097
SHA256 8a03e16d05baf7300a5f166f383061704c77118d0ed2e989deec1a13efc175c4
SHA512 c7a8ad27681d18d6db627444ac8f3578c44338cd735df829870e4d7584d9a84e0217b1265ea0b363f7885207f711f6c1c6f133204536cb312e1c54d11b187d19

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9db2d9ac6d0e8bbf47f330d1ab3183d
SHA1 336a815cd0a4643bcc9069d1f56195fced2792b3
SHA256 390680d9df9bc9e05a26d48511ca2d9738b0513ddd10f17ab1a2b92467352ddc
SHA512 941dc02aee8aa12a5d6693760f8f8e41219478a0c1843c2554ee6214e81f86998db927698aef7e971f991a50771b8fdb0112af25a00036540fb1f9f2b10aae42

C:\Users\Admin\AppData\Local\Temp\F7E.exe

MD5 c9e01ab6208b39a9f1a1253dca7e89bc
SHA1 5bcba5cc0dc560772f8026cb6dd4f236acbfd8bb
SHA256 0e1ccfee9b80ca2c36a53cc104ef5e8d3a702dabbcc1daafecca2a7f7db043b8
SHA512 4cacf3f7794a8e06ca2da7aaa0bef37009206fde58a5d5ce4326ef84addd7bdbfd7477b437ac6a72fa31023c17e9a7f7079bb0e97ff772d880d090bbb96d1da1

memory/2044-480-0x0000000002890000-0x0000000002C88000-memory.dmp

memory/2044-481-0x0000000002C90000-0x000000000357B000-memory.dmp

memory/2044-482-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F7E.exe

MD5 887ab8d1e93ef061e6c8bb9b7d69d609
SHA1 f44a86d92f94d84ab35fd3edae2e194efc498744
SHA256 b3fecd566bd0518e95513607278b57afe6b79ce50b3b37966ec8d7f6e33a5f7d
SHA512 d497ef963069d7bacbc6ed85eb95c3b89e346f04751b9d006fb224c4d3bfc64609ddb19081404e70da9adf8a62b4b7cebed0042abd466f5ecc5dbb468a5287a5

C:\Users\Admin\AppData\Local\Temp\1952.exe

MD5 0f81629bc70111f74fba07ec424cdfd4
SHA1 827ce84d850e15dfd34aadbc82bccac6199c219a
SHA256 1c6276dab0189565566a3ddb34b6e965e90be730005fcfe4eb1679f4b5710d37
SHA512 8d66b9dc5afd1e7ab77079d123c5d44a7991a75c46890dc7800667639cfa1e1ca81f2fcf0886b2c2bc109e3c22703a18bb7322e7b6d29b37ddaa8e1a0d01b713

C:\Users\Admin\AppData\Local\Temp\1952.exe

MD5 790388875e58943ba5d1784587db5b66
SHA1 f089904c843d22f19e5b4e596befb88bd3041fff
SHA256 e050b2db6fd3b51463bb2d65fb32f96b2fdaa042c7067e9257352a935807035b
SHA512 3dcb1bec490ec59447943ea1c505b317a9468d99b2c6b82c676f99d073f2460f0ae78f0bfef1302f966dfbab13fef116b9b2a6494408f353bf8542e7ce7eb54f

C:\Users\Admin\AppData\Local\Temp\1E04.exe

MD5 3d3ae7c2eddea19c3146543b95cdda7e
SHA1 ea36133e7bfc1b57cd8e78a6daf24f59526ceba0
SHA256 1f2a148765b1ef3247ca4312ea8d1460673744448ebd4559377eabd1ca1702f2
SHA512 2ee471f0e0423610dbac9f9d472d529d0b9da22f7ca45ae973a80080920f9ac04342051ad16858918ac4bbab48068b16d78d4d177b8a029c21dde509e333c775

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Unlikely

MD5 19bc1bbe515dee767f02d503fa9d2cff
SHA1 acc900deea8e8eff4e1bda1ac2c89aa70ef0e7f9
SHA256 51ad4dc19fa436ac00a8b019da9ca49f30dcfe31d9aee0aabbb037fd10bca367
SHA512 fd0b3d6a867d8c7923d1166f546d4e14db0209df8d13dc46e9d08578ee78d4fc8739638e01f456f542cc383a2d086ed600931a8e889dcb1c4eb93d3cfe3a3dac

memory/2592-509-0x0000000001150000-0x000000000115A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F7E.exe

MD5 51824fe4775131e620f669195052f140
SHA1 fc4f80342fd1e26fed2a05bfb32ea4592b68a452
SHA256 e1fe1724035c6f4a0621c70dd2172c3621ee11294b9993d2bf67180f9dbfdb63
SHA512 a5b5bc48f577a0b51e7f5bd852c7290b61e5a2a26049a3c929203322c8b2da33f6db5f513df6523965342ac61882e2a94050436e70907c9c570b537d4443a307

memory/2592-512-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

memory/2044-513-0x0000000002890000-0x0000000002C88000-memory.dmp

memory/2044-514-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2044-515-0x0000000002C90000-0x000000000357B000-memory.dmp

memory/1808-517-0x0000000002610000-0x0000000002A08000-memory.dmp

memory/2592-518-0x0000000000150000-0x00000000001D0000-memory.dmp

memory/1808-519-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cambodia

MD5 4e9db9155039f5a6a04e16a6a6bfe3b0
SHA1 b293c7fe05d7e92ce7d9cc6f36940eba14f5d460
SHA256 bd3cd1801a2c226c63186f6fe3182fff1847609c5d99ca22209c7e9dbdd3db2d
SHA512 8692e29ec7717ddad30ea365bd4408a178f1d3ff7f7c3535f8ba1545ffdcfe78ae108259d4feb81b1ca819eedf4ef79531103512d29f7fd0fd8146beb14e854a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Meaning

MD5 a6c58504594ab91fc0ca6102abd10e80
SHA1 03edc02d3806aa46d5e4c3c1aa8b6cff1b5c80f6
SHA256 b07a3cb7f4af841db56d43b6d8d35aea563993b8e0ec6d921eab372f637260f7
SHA512 07d68c06afc66c71b04da74d387536cd800f7dcda422f4b67dbff60ba2b883fa360e9292190655448fc130d1ebbeb31af828ee1ba279f904b2a7e556dbb8f1ea

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Movements

MD5 d7563558933a24bd74f0254272cf7830
SHA1 6982d08318ff2204d3714ce12d68a99b4f726fe7
SHA256 1b11dc628b44a4982b7b13891fae62471a380eb2973af359655cf65254ac5a7e
SHA512 fccdc060fd5ddd9b3892f82c343dcd80fdbc1bc24a24c50e9f86a1d917867c2b4189a3d4d6762daf8e9c719b999988a0d568f481c09802c5168010c490fdfcb5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Passwords

MD5 334f84837c9bcece9220e2c979503f68
SHA1 bdbdc63f1b85f72f8cf487dec6aaeb98e352c283
SHA256 10dfb698a8c05eff79092b546608c15e7df803d4aa759090509da6d5d96373d7
SHA512 37c3315a16d9f0e8ab044415a61220e2fa180e6f70f85435de7ccd7d1dcde84a0c13d48f670204e02ba7cfbe892a76f2efa979717b6b2b844a15aea0a845dcbb

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Td

MD5 e32d058720e98d0fab73018ce1753b55
SHA1 f6b431cf3f225c3563591fbec4af922f6bff05d9
SHA256 1cf7bcef592ee857c079e82d39a1c371868597ee1c33e692556d780b5040b83b
SHA512 8f259f0f2eccbe01dc4efe5d4ad34a94dcb0b97f20c3f36c6b7e6c24c14a73fbb6aeefc11e76142cdba83f9bf1dd4d0647bcd1ad2d3a6780e063c48d872caa11

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Here

MD5 1e7e25167c2a8f93c2d176e935b21834
SHA1 95b93372222ebde1bed0e0efec167bdda7ef04bc
SHA256 d022378a9b3074cf3fb5ea080588846c0aaadb2112cfd5554a0068e76cdd5736
SHA512 503f7b6797182ed5f1ef42d3b52b2815e140ebed505fc9b81ee8f920e49c36f379881c1a51afb4b398c9577a583155a0d2c66ca6cdaf303ac9538746571efdb1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22141\Upgrades.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

memory/2744-533-0x00000000775A0000-0x0000000077676000-memory.dmp

\Windows\rss\csrss.exe

MD5 ae231696f3881fbad392e099078f223f
SHA1 97d4fd4c453ff0545fb14338c122fb67686cb8de
SHA256 19464fa457d109161bc4f7dca82d33b62d2dab2894900f074e44192638e7353b
SHA512 2805db3c3a1e0af99f3efce395f9a59922a7580b5c889c92c31739d06fc5a05c76b6076f42056b0199b65299aec5930d45211a126f5a9213b7f98c2982edb1d7

\Windows\rss\csrss.exe

MD5 ec49db40704b62847fe17043f0c4d523
SHA1 781aa33cb6352381dfef0412fcbe9610d0b668dc
SHA256 617333a54f23391c90cd5ed9ccdb254750a2002a67836f99c1c43d9739ae7c4f
SHA512 f5f881faacc0aa4f27c7ecedd9d2f03908be13a54574282f3f7b10a890c7f9b2b8e75b85012edd821750a7e889a5bf4850f5c65cc320a1848c422f9210fa79a3

C:\Windows\rss\csrss.exe

MD5 930b4cc39b36524b6ab351b7dc64d7d7
SHA1 5fe06023c97aa952a0e68f99d826f7e91b425e1e
SHA256 2fc86747e3b006c2f3e79d73eba67c4d7349d78a14a3cf0c875256278cea418a
SHA512 bffb8dd35d1adf88fe4d9534d40ebeec1d36f55337887b6960904c252d9da550cada47d372eda44961218926fc8aa530946cf1802dd0b832337359a905c3c1f1

memory/1808-546-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1800-550-0x0000000002A40000-0x000000000332B000-memory.dmp

memory/1800-549-0x0000000002640000-0x0000000002A38000-memory.dmp

memory/1800-551-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f80e509cc96d8724a591774c0239a57f
SHA1 59281be9066e091e08551230cb967a5242e60ac3
SHA256 17c24ffd867bc11c5990ac44c49ae2cc3341279bfb4f80c8a32c26184f557b88
SHA512 9259e093bfde6a725764efdcb8aa57f9f4a0b9de89f654f8af243552ca64450ea72483f12fec9f047a90f3fefb19415d647bf3fc5304f972e6d31e60f27ec903

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/1396-558-0x00000000004A0000-0x0000000000A88000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 c41c3be9c15587a82952179c1c4467e3
SHA1 4015bd6d980e260c3bf759c37ef1463fd4d88bc2
SHA256 ab3ca69ff0282d028f4b8460e921d37553e98ebf12c6a9f8c6741875d889e9d3
SHA512 17c69a1d66c53d82036806e82fe849570052853839eeefde1f9cb4ec5e3628ed7dc3d06d453b9f35fd7cf51abb8006c78322841ad37829d6b87638fc7060f4a5

memory/1396-569-0x0000000000620000-0x0000000000C08000-memory.dmp

memory/2592-588-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

memory/2456-630-0x00000000005E0000-0x00000000006E0000-memory.dmp

memory/2456-631-0x0000000000400000-0x000000000044A000-memory.dmp

memory/2592-645-0x0000000000150000-0x00000000001D0000-memory.dmp

memory/2456-649-0x0000000000400000-0x000000000044A000-memory.dmp

memory/1800-656-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/788-657-0x0000000000940000-0x0000000000A40000-memory.dmp

memory/1396-663-0x00000000004A0000-0x0000000000A88000-memory.dmp
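The dropped-file list above is flat text, and the same drop path appears in it with several different hashes (\Users\Admin\AppData\Local\Temp\7957.exe six times, C:\Windows\rss\csrss.exe four times, each with a distinct SHA256, i.e. the file was written more than once during the detonation). The Python below is an added example, not part of the sandbox report: it parses the block into IOC records, reports paths recorded with more than one hash, and matches observed SHA256 values against the set. SAMPLE_REPORT is a verbatim subset of the report's own entries; the function names and the path normalisation (case-folded, drive letter dropped, because the report spells the same file both as C:\Users\... and \Users\...) are the example's own choices.

```python
"""Parse the sandbox report's flattened file list into IOC records.

Added example, not part of the sandbox report. SAMPLE_REPORT is copied
verbatim from the report's own file entries (a subset), so the hashes
are the report's; nothing else about the sample is assumed.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9A-Fa-f]+)$")
MEMORY_LINE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: three entries from the report's file list, verbatim.
SAMPLE_REPORT = r"""
C:\Users\Admin\AppData\Local\Temp\7957.exe

MD5 a09dfad823cdcbf527bf15aa92769422
SHA1 9f1b89154dd4f023c5ab8285a1c7ca628e6a06a7
SHA256 cd70d31ef5300bdbc9729cd80af1082a1fd089babaf9aa96947d05788749bae9
SHA512 e5439ce485bdd19ce084d8c3fd698466a4b0b3ab581b98e83cbcf47c9bf2544d01315244fb9f68d080a80f6709198f86bfc7ddbcd4fe8c00134e182c2b093118

memory/2620-251-0x0000000000310000-0x0000000000DE7000-memory.dmp

\Users\Admin\AppData\Local\Temp\7957.exe

MD5 be294f38a21d9b4e6eb144e06162d299
SHA1 4c5537aaa32228fcba8bbcfc02dc4f54112e3b9c
SHA256 a7e580ad02ed67ddbcb3f8b10262cee44b6054f96a535040f5b13b2f0f768ef6
SHA512 60dd6c734d632d55ca0d2f0f9baace25e497741f35f009877b426d39f3dffbebb28293ce89be7690be555161179499be38c76c44f875c277b6d388a1aaf3bec3

C:\Windows\rss\csrss.exe

MD5 930b4cc39b36524b6ab351b7dc64d7d7
SHA1 5fe06023c97aa952a0e68f99d826f7e91b425e1e
SHA256 2fc86747e3b006c2f3e79d73eba67c4d7349d78a14a3cf0c875256278cea418a
SHA512 bffb8dd35d1adf88fe4d9534d40ebeec1d36f55337887b6960904c252d9da550cada47d372eda44961218926fc8aa530946cf1802dd0b832337359a905c3c1f1

memory/1800-550-0x0000000002A40000-0x000000000332B000-memory.dmp
"""


def normalize_path(path):
    """Case-fold and drop the drive letter: the report spells the same file
    both with and without the C: prefix."""
    p = path.strip().lower()
    return p[2:] if re.match(r"^[a-z]:", p) else p


def parse_report(text):
    """Return (files, regions).  files: dicts with 'path' plus 'md5'/'sha1'/
    'sha256'/'sha512'; regions: parsed memory/<pid>-<seq>-<start>-<end> lines.
    A hash of the wrong length (truncated copy) raises instead of passing."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            label, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError("hash line without a preceding path: " + line)
            if len(digest) != HEX_LEN[label]:
                raise ValueError("%s has %d hex chars, expected %d"
                                 % (label, len(digest), HEX_LEN[label]))
            current[label.lower()] = digest
            continue
        m = MEMORY_LINE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                            "start": start, "end": end, "size": end - start})
            continue
        current = {"path": line}          # any other non-empty line is a path
        files.append(current)
    return files, regions


def paths_with_multiple_hashes(files):
    """Normalised path -> set of SHA256 values, for paths seen with more than one."""
    by_path = defaultdict(set)
    for f in files:
        if "sha256" in f:
            by_path[normalize_path(f["path"])].add(f["sha256"])
    return {p: s for p, s in by_path.items() if len(s) > 1}


def match_sha256(files, observed):
    """Return (sha256, report path) for each observed digest the report lists."""
    known = {f["sha256"]: f["path"] for f in files if "sha256" in f}
    hits = []
    for digest in observed:
        d = digest.strip().lower()
        if d in known:
            hits.append((d, known[d]))
    return hits


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    for path, digests in paths_with_multiple_hashes(files).items():
        print("%s: %d distinct SHA256 values" % (path, len(digests)))
```

Run against the full list, the parser shows why hash IOCs from a single detonation are sample-specific: the payload under the same name is re-written with different content, so the drop path pattern, the Run key names and the GUID-named folder under AppData\Local are the more durable signals, and the SHA256 set is only good for matching this exact run.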

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 15:57

Reported

2024-02-22 16:00

Platform

win10v2004-20240221-en

Max time kernel

122s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a8e0840e-b118-40a3-b971-b20f5d38d0bf\\BF98.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Detected Djvu ransomware

Description | Indicator | Process | Target
(9 hits, no description, indicator, process or target recorded)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
(12 hits, no description, indicator, process or target recorded)

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\A5C6.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a8e0840e-b118-40a3-b971-b20f5d38d0bf\\BF98.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\BF98.exe | N/A
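The two Run values recorded above are the pattern a host check should catch: SysHelper points at BF98.exe inside a GUID-named folder under AppData\Local and passes --AutoStart, and csrss points at C:\Windows\rss\csrss.exe, a system binary name living outside System32. Both are written to the user's own hive (S-1-5-21-...-1000), i.e. the HKCU Run key. The Python below is an added example, not part of the sandbox report: it takes Run values as the report renders them (quotes and backslashes escaped), unescapes them, extracts the image path and applies three checks. The two malicious entries are the report's own; the OneDrive entry is a constructed benign control, the list of system binary names is an assumption, and the function names are the example's.

```python
"""Triage Run-key values against the patterns seen in this report.

Added example, not part of the sandbox report.  The SysHelper and csrss
values are copied from the report as the sandbox renders them; the
OneDrive entry is a constructed benign control.  SYSTEM_BINARIES is an
assumed list of names whose only legitimate home is System32/SysWOW64.
"""
import re

GUID_DIR = re.compile(
    r"\\appdata\\local\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\")
SYSTEM_BINARIES = {"csrss.exe", "lsass.exe", "smss.exe", "svchost.exe",
                   "winlogon.exe", "wininit.exe", "services.exe"}   # assumption
SYSTEM_DIRS = (r"\windows\system32", r"\windows\syswow64")

# Constructed sample: (value name, value data as the report prints it).
SAMPLE_RUN_ENTRIES = [
    ("SysHelper", r'"\"C:\\Users\\Admin\\AppData\\Local\\a8e0840e-b118-40a3-b971-b20f5d38d0bf\\BF98.exe\" --AutoStart"'),
    ("csrss", r'"\"C:\\Windows\\rss\\csrss.exe\""'),
    ("OneDrive", r'"\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"'),  # benign control
]


def unescape_report_value(raw):
    """Undo the report's rendering: strip the outer quotes, then turn the
    escaped \\" and \\\\ sequences back into " and \\.  Do NOT apply this
    to values read from a live registry, which are not escaped."""
    s = raw.strip()
    if len(s) >= 2 and s[0] == '"' and s[-1] == '"':
        s = s[1:-1]
    return re.sub(r'\\(["\\])', r'\1', s)


def extract_image(command):
    """First token of a command line: the quoted path, or the first word."""
    c = command.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        return c[1:end] if end > 0 else c[1:]
    return c.split()[0] if c else ""


def triage_run_entry(name, command):
    """Return the list of flags raised by one (unescaped) Run command line:
    guid_dir   - image lives in AppData\\Local\\<GUID>\\ (SysHelper above)
    masquerade - system binary name outside System32/SysWOW64 (csrss above)
    autostart  - the --AutoStart switch seen on the SysHelper value"""
    norm = extract_image(command).lower()
    if re.match(r"^[a-z]:", norm):
        norm = norm[2:]                      # drop drive letter
    flags = []
    if GUID_DIR.search(norm):
        flags.append("guid_dir")
    folder, _, base = norm.rpartition("\\")
    if base in SYSTEM_BINARIES and folder not in SYSTEM_DIRS:
        flags.append("masquerade")
    if "--autostart" in command.lower().split():
        flags.append("autostart")
    return flags


def triage_run_entries(entries, report_escaped=True):
    """Map value name -> flags.  report_escaped=True for values pasted from
    the report, False for values read straight from the registry."""
    out = {}
    for name, value in entries:
        cmd = unescape_report_value(value) if report_escaped else value
        out[name] = triage_run_entry(name, cmd)
    return out


def read_live_run_entries():
    """On Windows, list the current user's Run values (the hive the report's
    entries were written to); on other platforms return an empty list."""
    try:
        import winreg
    except ImportError:
        return []
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    entries, i = [], 0
    while True:
        try:
            name, value, _ = winreg.EnumValue(key, i)
        except OSError:
            break
        entries.append((name, value))
        i += 1
    return entries


if __name__ == "__main__":
    for name, flags in triage_run_entries(SAMPLE_RUN_ENTRIES).items():
        print("%-10s %s" % (name, ", ".join(flags) or "clean"))
    live = triage_run_entries(read_live_run_entries(), report_escaped=False)
    print({n: f for n, f in live.items() if f})
```

The live reader covers only the HKCU Run key, which is where both values above landed; HKLM Run, RunOnce and the scheduled tasks the same detonation created through schtasks.exe are not inspected by it.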

Checks installed software on the system

discovery

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A
N/A | api.2ip.ua | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | N/A | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4568 set thread context of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\BF98.exe | C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 set thread context of 4696 | N/A | C:\Users\Admin\AppData\Local\Temp\BF98.exe | C:\Users\Admin\AppData\Local\Temp\BF98.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BF98.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rjfavwt | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rjfavwt | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rjfavwt | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Enumerates processes with tasklist

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | N/A | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | N/A | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9847.exe | N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\A809.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9847.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9847.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3256 wrote to memory of 4480 N/A N/A C:\Windows\system32\cmd.exe
PID 3256 wrote to memory of 4480 N/A N/A C:\Windows\system32\cmd.exe
PID 4480 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4480 wrote to memory of 3876 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3256 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3256 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3256 wrote to memory of 4568 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 4568 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 2484 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Windows\SysWOW64\icacls.exe
PID 2484 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Windows\SysWOW64\icacls.exe
PID 2484 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Windows\SysWOW64\icacls.exe
PID 2484 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 2484 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 2484 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3600 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\BF98.exe C:\Users\Admin\AppData\Local\Temp\BF98.exe
PID 3256 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\Temp\8A8.exe
PID 3256 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\Temp\8A8.exe
PID 3256 wrote to memory of 2220 N/A N/A C:\Users\Admin\AppData\Local\Temp\8A8.exe
PID 3256 wrote to memory of 2872 N/A N/A C:\Windows\system32\cmd.exe
PID 3256 wrote to memory of 2872 N/A N/A C:\Windows\system32\cmd.exe
PID 2872 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2872 wrote to memory of 1692 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3256 wrote to memory of 5080 N/A N/A C:\Users\Admin\AppData\Local\Temp\9847.exe
PID 3256 wrote to memory of 5080 N/A N/A C:\Users\Admin\AppData\Local\Temp\9847.exe
PID 3256 wrote to memory of 5080 N/A N/A C:\Users\Admin\AppData\Local\Temp\9847.exe
PID 5080 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\9847.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\9847.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5080 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\9847.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5C6.exe
PID 3256 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5C6.exe
PID 3256 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5C6.exe
PID 3256 wrote to memory of 1040 N/A N/A C:\Users\Admin\AppData\Local\Temp\A809.exe
PID 3256 wrote to memory of 1040 N/A N/A C:\Users\Admin\AppData\Local\Temp\A809.exe
PID 4960 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\A5C6.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\A5C6.exe C:\Windows\SysWOW64\cmd.exe
PID 4960 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\A5C6.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 536 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 536 wrote to memory of 3896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 536 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 536 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 536 wrote to memory of 3572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 536 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 536 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 536 wrote to memory of 5100 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 536 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A96F.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\BF98.exe

C:\Users\Admin\AppData\Local\Temp\BF98.exe

C:\Users\Admin\AppData\Local\Temp\BF98.exe

C:\Users\Admin\AppData\Local\Temp\BF98.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a8e0840e-b118-40a3-b971-b20f5d38d0bf" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\BF98.exe

"C:\Users\Admin\AppData\Local\Temp\BF98.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\BF98.exe

"C:\Users\Admin\AppData\Local\Temp\BF98.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4696 -ip 4696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 568

C:\Users\Admin\AppData\Local\Temp\8A8.exe

C:\Users\Admin\AppData\Local\Temp\8A8.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CCF.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\9847.exe

C:\Users\Admin\AppData\Local\Temp\9847.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\A5C6.exe

C:\Users\Admin\AppData\Local\Temp\A5C6.exe

C:\Users\Admin\AppData\Local\Temp\A809.exe

C:\Users\Admin\AppData\Local\Temp\A809.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Unlikely Unlikely.bat & Unlikely.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\cmd.exe

cmd /c md 22108

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Here + Td + Passwords + Movements + Cambodia 22108\Upgrades.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Meaning 22108\Z

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif

22108\Upgrades.pif 22108\Z

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\9847.exe

"C:\Users\Admin\AppData\Local\Temp\9847.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\rjfavwt

C:\Users\Admin\AppData\Roaming\rjfavwt

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Network

Country Destination Domain Proto

Files


memory/3480-145-0x0000000007A20000-0x0000000007A96000-memory.dmp

memory/3480-146-0x0000000008120000-0x000000000879A000-memory.dmp

memory/3480-147-0x0000000007AC0000-0x0000000007ADA000-memory.dmp

memory/3480-148-0x000000007F500000-0x000000007F510000-memory.dmp

memory/3480-149-0x0000000007E80000-0x0000000007EB2000-memory.dmp

memory/3480-150-0x000000006F4D0000-0x000000006F51C000-memory.dmp

memory/3480-151-0x000000006F640000-0x000000006F994000-memory.dmp

memory/3480-161-0x0000000007E60000-0x0000000007E7E000-memory.dmp

memory/3480-162-0x0000000007EC0000-0x0000000007F63000-memory.dmp

memory/3480-163-0x0000000007FB0000-0x0000000007FBA000-memory.dmp

memory/1040-165-0x000000001C500000-0x000000001C53C000-memory.dmp

memory/1040-164-0x0000000002550000-0x0000000002562000-memory.dmp

memory/3480-166-0x0000000008070000-0x0000000008106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Here

MD5 1e7e25167c2a8f93c2d176e935b21834
SHA1 95b93372222ebde1bed0e0efec167bdda7ef04bc
SHA256 d022378a9b3074cf3fb5ea080588846c0aaadb2112cfd5554a0068e76cdd5736
SHA512 503f7b6797182ed5f1ef42d3b52b2815e140ebed505fc9b81ee8f920e49c36f379881c1a51afb4b398c9577a583155a0d2c66ca6cdaf303ac9538746571efdb1

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Cambodia

MD5 4e9db9155039f5a6a04e16a6a6bfe3b0
SHA1 b293c7fe05d7e92ce7d9cc6f36940eba14f5d460
SHA256 bd3cd1801a2c226c63186f6fe3182fff1847609c5d99ca22209c7e9dbdd3db2d
SHA512 8692e29ec7717ddad30ea365bd4408a178f1d3ff7f7c3535f8ba1545ffdcfe78ae108259d4feb81b1ca819eedf4ef79531103512d29f7fd0fd8146beb14e854a

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Movements

MD5 d7563558933a24bd74f0254272cf7830
SHA1 6982d08318ff2204d3714ce12d68a99b4f726fe7
SHA256 1b11dc628b44a4982b7b13891fae62471a380eb2973af359655cf65254ac5a7e
SHA512 fccdc060fd5ddd9b3892f82c343dcd80fdbc1bc24a24c50e9f86a1d917867c2b4189a3d4d6762daf8e9c719b999988a0d568f481c09802c5168010c490fdfcb5

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Passwords

MD5 334f84837c9bcece9220e2c979503f68
SHA1 bdbdc63f1b85f72f8cf487dec6aaeb98e352c283
SHA256 10dfb698a8c05eff79092b546608c15e7df803d4aa759090509da6d5d96373d7
SHA512 37c3315a16d9f0e8ab044415a61220e2fa180e6f70f85435de7ccd7d1dcde84a0c13d48f670204e02ba7cfbe892a76f2efa979717b6b2b844a15aea0a845dcbb

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Td

MD5 e32d058720e98d0fab73018ce1753b55
SHA1 f6b431cf3f225c3563591fbec4af922f6bff05d9
SHA256 1cf7bcef592ee857c079e82d39a1c371868597ee1c33e692556d780b5040b83b
SHA512 8f259f0f2eccbe01dc4efe5d4ad34a94dcb0b97f20c3f36c6b7e6c24c14a73fbb6aeefc11e76142cdba83f9bf1dd4d0647bcd1ad2d3a6780e063c48d872caa11

memory/3480-173-0x0000000007FD0000-0x0000000007FE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Meaning

MD5 a6c58504594ab91fc0ca6102abd10e80
SHA1 03edc02d3806aa46d5e4c3c1aa8b6cff1b5c80f6
SHA256 b07a3cb7f4af841db56d43b6d8d35aea563993b8e0ec6d921eab372f637260f7
SHA512 07d68c06afc66c71b04da74d387536cd800f7dcda422f4b67dbff60ba2b883fa360e9292190655448fc130d1ebbeb31af828ee1ba279f904b2a7e556dbb8f1ea

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\22108\Upgrades.pif

MD5 848164d084384c49937f99d5b894253e
SHA1 3055ef803eeec4f175ebf120f94125717ee12444
SHA256 f58d3a4b2f3f7f10815c24586fae91964eeed830369e7e0701b43895b0cefbd3
SHA512 aabe1cf076f48f32542f49a92e4ca9f054b31d5a9949119991b897b9489fe775d8009896408ba49ac43ec431c87c0d385daead9dbbde7ef6309b0c97bbaf852a

memory/5080-181-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5080-182-0x0000000002A10000-0x0000000002E18000-memory.dmp

memory/5080-183-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/4040-184-0x0000000076E91000-0x0000000076FB1000-memory.dmp

memory/3480-185-0x0000000008030000-0x000000000803E000-memory.dmp

memory/3480-186-0x0000000008040000-0x0000000008054000-memory.dmp

memory/3480-187-0x00000000087C0000-0x00000000087DA000-memory.dmp

memory/3480-188-0x00000000087A0000-0x00000000087A8000-memory.dmp

memory/3480-191-0x0000000074020000-0x00000000747D0000-memory.dmp

memory/5080-193-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3340-195-0x0000000002B30000-0x0000000002F2E000-memory.dmp

memory/3340-196-0x0000000002F30000-0x000000000381B000-memory.dmp

memory/3340-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1040-198-0x00007FF9A2590000-0x00007FF9A3051000-memory.dmp

memory/4084-199-0x00000000740E0000-0x0000000074890000-memory.dmp

memory/4084-200-0x00000000047B0000-0x00000000047C0000-memory.dmp

memory/4084-201-0x00000000047B0000-0x00000000047C0000-memory.dmp

memory/4084-207-0x0000000005550000-0x00000000058A4000-memory.dmp

memory/4084-212-0x0000000006150000-0x000000000619C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 da81748d347711407a31e7ea5fef66dc
SHA1 1f0a4a7b9d8892fa34a7569ce323183d564fbea3
SHA256 cd1f7873de189b7c34e7b2e407d8b268ed0ead2a6a65ce5a145413a1f8804111
SHA512 985d2b955a2e2021af859b71610f9edd5e3928775b7d23414168bde45690e16d4890b1dde0691b46e2a9cc57a4014dab790098926e1c3ef16ca1eb8b0c0d1516

memory/3340-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d8d1797059f662603821d6a51032a0b4
SHA1 da78a56bfd5c5b5a8dbeb70035c8dcd72f973779
SHA256 bff9fa28def49691f88fb266a22a78aec9b843ddc71fbf11717a5738b4cdb86d
SHA512 5bbae5d8bbbc0c59ca117c498f127eb5df7c40872938471adabfdc54cecc9c3d5096f63c79ca7caf1318a401bd0d4bf80fbc84fcc5af7733fa65269f52668822

memory/3340-293-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8a783818152b8ca1b50a7ffe53c1a906
SHA1 79fa580d6e772f76c856e07e8c748314c1e27926
SHA256 26d3adf7093d808ba85a9a26182488fcb11e721594a159ad26be1b2790df55e5
SHA512 f821b31dd01c66e24229885783e20b1c74a167a261baaadf9a85c3f83ec1bd187019bee97a8d63063e67a17a92d145a5126fccc39548a2d4144d8f75d232da85

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9d25225958b4aa7dee7fd90644821309
SHA1 588edfafac9e69757867d4c37749c1cb8ce8a5a8
SHA256 36f08cb16f7cbcb6ddfdd049983c54e195756c32717c641cf3ea1faa339dcb15
SHA512 1ba68a164746d83b830c94fa133f4074a3e0b7f3e841beede380ec8a0f3f3cba678fad080e8c28d4a1324798f8191d84f4565ca58b6b2b41d4b5f57d4eca401a

C:\Users\Admin\AppData\Roaming\rjfavwt

MD5 6958acc382e71103a0b83d20bbbb37d2
SHA1 65bf64dfcabf7bc83e47ffc4360cda022d4dab34
SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
SHA512 ebfa8b6986630b3502409d38cdff54881e4bce48511c7ba4f027345296c29708112c19ec6c9181c4b0188fa1f5cbe17b3c5d44dc07f33858323c677ef9caaeae

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b4901204e06572a0563ed0a8893c1dc5
SHA1 d488d30d7fb96b4b9a96cdf2f5b5d6599a6eb50a
SHA256 bae5e8b8ee49f6557570ff871d5d1cd4ca26629ba2efca4fd9f3960d74789159
SHA512 7cd07b3db4741689889508cfe855c2a1107e39567822712001cbe69c6db719b3b427641cbf80568e835b8b6b2d9f2290435e077537700ef8c068981a7e3f7694

memory/3256-393-0x00000000007A0000-0x00000000007B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2880-398-0x0000000000400000-0x000000000044A000-memory.dmp

memory/4092-400-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4092-401-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4040-403-0x0000000004F20000-0x0000000005167000-memory.dmp

memory/4040-404-0x0000000004F20000-0x0000000005167000-memory.dmp

memory/4040-405-0x0000000004F20000-0x0000000005167000-memory.dmp

memory/4040-406-0x0000000004F20000-0x0000000005167000-memory.dmp

memory/4040-407-0x0000000004F20000-0x0000000005167000-memory.dmp

memory/4092-410-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec