Malware Analysis Report

2024-11-30 04:50

Sample ID 240223-aqsrkahd35
Target 6958ACC382E71103A0B83D20BBBB37D2.exe
SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Tags
dcrat djvu glupteba rhadamanthys smokeloader vidar zgrat 7f6c51bbce50f99b5a632c204a5ec558 tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit stealer themida trojan upx
score
10/10

Analysis Overview

Threat Level: Known bad

The file 6958ACC382E71103A0B83D20BBBB37D2.exe was found to be: Known bad.

Malicious Activity Summary

Rhadamanthys

Detect Vidar Stealer

Djvu Ransomware

SmokeLoader

Glupteba payload

ZGRat

Suspicious use of NtCreateUserProcessOtherParentProcess

Detected Djvu ransomware

Vidar

DcRat

Detect ZGRat V1

Glupteba

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Checks BIOS information in registry

UPX packed file

Deletes itself

Themida packer

Checks whether UAC is enabled

Manipulates WinMonFS driver

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 00:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 00:25

Reported

2024-02-23 00:29

Platform

win11-20240221-en

Max time kernel

246s

Max time network

232s

Command Line

sihost.exe

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\edb669ba-ea5c-4aa4-94ed-7c13816fff31\\A876.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\A876.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1548 created 2952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\system32\sihost.exe

Vidar

stealer vidar

ZGRat

rat zgrat

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse\Performance C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService\Performance C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF\Performance C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo\Performance C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest\Performance C:\Windows\System32\Taskmgr.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\BF2B.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\BF2B.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\BF2B.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BF2B.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E16A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\810.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\810.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5314.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5314.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\edb669ba-ea5c-4aa4-94ed-7c13816fff31\\A876.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\A876.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\BF2B.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BF2B.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\810.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification \??\c:\windows\windefender.exe C:\Windows\System32\Taskmgr.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\810.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\810.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\System32\Taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\System32\Taskmgr.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\Taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\System32\Taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\TypedURLs C:\Windows\System32\Taskmgr.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Internet Explorer\Toolbar N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = ffffffff N/A N/A
Key created \Registry\User\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\NotificationData N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" N/A N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\NodeSlot = "4" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 560031000000000057586803100057696e646f777300400009000400efbec5522d60575868032e000000a6050000000001000000000000000000000000000000d93f9c00570069006e0064006f0077007300000016000000 N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" N/A N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "4" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\NodeSlot = "5" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" N/A N/A
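
The BagMRU and Bags writes above are Explorer ShellBag bookkeeping: Explorer records them whenever a folder window is opened or its view changed, so they are normally written by explorer.exe rather than by the sample. The report leaves the process column as N/A, so attribute them before counting them as sample behaviour. They do tell an analyst which folder was browsed during the run. The decoder below is an added example, not part of the report or its sandbox tooling; it parses the two BagMRU item blobs recorded above (BagMRU\1\0 and BagMRU\1\0\0) as Windows shell items, a drive item (type 0x2f) and a file-entry item (type 0x31) with its 0xbeef0004 extension block, following the layout documented by the libfwsi project, and recovers the browsed path and the folder's DOS timestamps. The chain resolves to C:\Windows, which is consistent with BagMRU\1\0\0\NodeSlot = "4" and the Bags\4\Shell view settings written above.

```python
"""Decode the BagMRU shell items recorded above (added example, not report tooling)."""
import ntpath
import struct
from datetime import datetime

# Hex values copied from the report (BagMRU\1\0 and BagMRU\1\0\0), grouped for readability.
BAGMRU_1_0 = bytes.fromhex("19002f43 3a5c0000 00000000 00000000 00000000 00000000 000000")
BAGMRU_1_0_0 = bytes.fromhex(
    "56003100 00000000 57586803 10005769 6e646f77 73004000 09000400 efbec552 "
    "2d605758 68032e00 0000a605 00000000 01000000 00000000 00000000 00000000 "
    "d93f9c00 57006900 6e006400 6f007700 73000000 16000000")


def dos_datetime(raw):
    """FAT/DOS timestamp as stored in shell items: 16-bit date, then 16-bit time."""
    d, t = struct.unpack("<HH", raw)
    return datetime(1980 + (d >> 9), (d >> 5) & 0xF, d & 0x1F,
                    t >> 11, (t >> 5) & 0x3F, (t & 0x1F) * 2)


def _utf16z(buf):
    """UTF-16LE string terminated by a two-byte null."""
    end = 0
    while end + 1 < len(buf) and buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[:end].decode("utf-16-le")


def decode_shell_item(data):
    """Decode one SHITEMID; only the two item classes seen in this table are handled."""
    size, kind = struct.unpack_from("<HB", data, 0)
    item = data[:size]
    if kind & 0x70 == 0x20:                      # 0x2f: volume / drive-letter item
        return {"type": "drive", "name": item[3:].split(b"\0", 1)[0].decode("ascii")}
    if kind & 0x70 == 0x30:                      # 0x31: file-system file/folder entry
        attrs = struct.unpack_from("<H", item, 12)[0]
        short = item[14:].split(b"\0", 1)[0].decode("ascii")
        # The item's last two bytes hold the offset of the first extension block.
        ext = item[struct.unpack_from("<H", item, size - 2)[0]:]
        _ext_size, version, sig = struct.unpack_from("<HHI", ext, 0)
        if sig != 0xBEEF0004:
            raise ValueError(f"unexpected extension block signature {sig:#x}")
        off = 18                                 # past created/accessed stamps and identifier
        if version >= 7:
            off += 2 + 8 + 8                     # unknown, MFT file reference, unknown
        if version >= 3:
            off += 2                             # localized-name size
        if version >= 9:
            off += 4                             # unknown
        if version >= 8:
            off += 4                             # unknown
        return {"type": "folder" if attrs & 0x10 else "file",
                "name": _utf16z(ext[off:]), "short_name": short, "attrs": attrs,
                "mtime": dos_datetime(item[8:12]),
                "ctime": dos_datetime(ext[8:12]),
                "atime": dos_datetime(ext[12:16])}
    raise ValueError(f"unhandled shell item type {kind:#x}")


def bagmru_path(items):
    """Join a BagMRU chain (root-most item first) into the browsed path."""
    path = ""
    for blob in items:
        path = ntpath.join(path, decode_shell_item(blob)["name"])
    return path


if __name__ == "__main__":
    for blob in (BAGMRU_1_0, BAGMRU_1_0_0):
        print(decode_shell_item(blob))
    print("browsed:", bagmru_path([BAGMRU_1_0, BAGMRU_1_0_0]))
```

The folder entry's modification and access stamps both decode to 2024-02-23 00:27:16 and its creation stamp to 2021-06-05, so the timestamps give the analyst a way to cross-check the run date and the age of the sandbox image; if the stamps or the browsed path do not fit the detonation, the keys were seeded before the run rather than written during it.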

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\810.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A
N/A N/A C:\Windows\System32\Taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A
N/A N/A C:\Windows\system32\mmc.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3300 wrote to memory of 2740 N/A N/A C:\Windows\system32\cmd.exe
PID 3300 wrote to memory of 2740 N/A N/A C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2740 wrote to memory of 1740 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3300 wrote to memory of 1700 N/A N/A C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 3300 wrote to memory of 1700 N/A N/A C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 3300 wrote to memory of 1700 N/A N/A C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1700 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 2548 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Windows\SysWOW64\icacls.exe
PID 2548 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Windows\SysWOW64\icacls.exe
PID 2548 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Windows\SysWOW64\icacls.exe
PID 2548 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 2548 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 2548 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 1776 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\Temp\A876.exe
PID 2376 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 2376 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 2376 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3944 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe
PID 3300 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF2B.exe
PID 3300 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF2B.exe
PID 3300 wrote to memory of 2008 N/A N/A C:\Users\Admin\AppData\Local\Temp\BF2B.exe
PID 2376 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 2376 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 2376 wrote to memory of 4640 N/A C:\Users\Admin\AppData\Local\Temp\A876.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 4640 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 4640 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 4640 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 4640 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 4640 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 4640 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 4640 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 4640 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 4640 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe
PID 3916 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3916 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Windows\SysWOW64\schtasks.exe
PID 3916 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9172.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\A876.exe

C:\Users\Admin\AppData\Local\Temp\A876.exe

C:\Users\Admin\AppData\Local\Temp\A876.exe

C:\Users\Admin\AppData\Local\Temp\A876.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\edb669ba-ea5c-4aa4-94ed-7c13816fff31" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\A876.exe

"C:\Users\Admin\AppData\Local\Temp\A876.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\A876.exe

"C:\Users\Admin\AppData\Local\Temp\A876.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe

"C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe"

C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe

"C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe"

C:\Users\Admin\AppData\Local\Temp\BF2B.exe

C:\Users\Admin\AppData\Local\Temp\BF2B.exe

C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe

"C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 3992 -ip 3992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 2152

C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe

"C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\E16A.exe

C:\Users\Admin\AppData\Local\Temp\E16A.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EB3F.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\DB.exe

C:\Users\Admin\AppData\Local\Temp\DB.exe

C:\Users\Admin\AppData\Local\Temp\810.exe

C:\Users\Admin\AppData\Local\Temp\810.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 2404

C:\Users\Admin\AppData\Local\Temp\810.exe

"C:\Users\Admin\AppData\Local\Temp\810.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5314.exe

C:\Users\Admin\AppData\Local\Temp\5314.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee0999758,0x7ffee0999768,0x7ffee0999778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1568 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3176 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4520 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5068 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:8

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5060 --field-trial-handle=1824,i,10185665786591706051,14843039761372875905,131072 /prefetch:1

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1548 -ip 1548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1548 -s 444

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\Taskmgr.exe

"C:\Windows\System32\Taskmgr.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\system32\mmc.exe

"C:\Windows\system32\mmc.exe"
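The command lines above carry the persistence and defence-evasion tradecraft in plain sight: a csrss.exe copy run from C:\Windows\rss, a firewall allow rule and a logon-triggered scheduled task for that copy, a one-minute repeating task for mstsca.exe under the user profile, an injector that loads NtQuerySystemInformationHook.dll into taskmgr.exe, and an `sc sdset` call that rewrites the WinDefender service descriptor. The following is an added example written for this page (editor's code, not sandbox output and not code from the sample): it parses the service SDDL and applies a few heuristics to (image path, command line) pairs copied from the listing. The rule names, the LOOKALIKE_NAMES set and the SYSTEM_DIRS prefixes are the editor's assumptions.

```python
"""Triage of the command lines recorded above.

Added example (editor's code, not output of the sandbox and not code from the
sample): SAMPLE holds (image path, command line) pairs copied from the listing;
the rule names and the LOOKALIKE_NAMES list are the editor's heuristics."""
import re

# Service access rights as spelled in service-object SDDL (sc sdset / sc sdshow).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Rights an operator needs to stop, reconfigure or remove a service.
CONTROL_RIGHTS = {"WP", "DT", "DC", "SD", "WD", "WO"}
# Names that look like Windows components; genuine copies live in the system directories.
LOOKALIKE_NAMES = {"csrss.exe", "windefender.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_sddl_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as (type, rights, sid) tuples."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1)):
        f = body.split(";")            # type;flags;rights;object;inherit_object;sid
        if len(f) < 6:
            continue
        rights = [f[2][i:i + 2] for i in range(0, len(f[2]), 2)]
        aces.append((f[0], rights, f[5]))
    return aces


def service_lockdown_findings(sddl):
    """Deny ACEs that take control rights away from Administrators (BA) or SYSTEM (SY)."""
    out = []
    for ace_type, rights, sid in parse_sddl_dacl(sddl):
        if ace_type == "D" and sid in ("BA", "SY"):
            denied = sorted(CONTROL_RIGHTS & set(rights))
            if denied:
                out.append((sid, [SERVICE_RIGHTS[r] for r in denied]))
    return out


def triage_command(image, cmd):
    """Return (rule, detail) hits for one (image path, command line) pair."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]
    low = [t.lower() for t in tokens]
    exe = image.lower().rsplit("\\", 1)[-1]

    def arg_after(flag):
        i = low.index(flag) if flag in low else -1
        return tokens[i + 1] if 0 <= i < len(tokens) - 1 else ""

    hits = []
    if exe in LOOKALIKE_NAMES and not image.lower().startswith(SYSTEM_DIRS):
        hits.append(("lookalike_outside_system_dir", image))
    if exe == "schtasks.exe" and "/create" in low:
        if "onlogon" in low and "highest" in low:
            hits.append(("schtasks_onlogon_highest", arg_after("/tr")))
        if "minute" in low and arg_after("/mo") == "1":
            hits.append(("schtasks_every_minute", arg_after("/tr")))
    if exe == "netsh.exe" and "advfirewall" in low and "add" in low:
        prog = next((t.split("=", 1)[1].strip('"') for t in tokens
                     if t.lower().startswith("program=")), "")
        if prog and not prog.lower().startswith(SYSTEM_DIRS):
            hits.append(("firewall_allow_nonsystem_program", prog))
    if "sdset" in low:
        sddl = next((t for t in tokens if t.startswith("D:")), "")
        for sid, rights in service_lockdown_findings(sddl):
            hits.append(("service_dacl_denies_control",
                         f"{arg_after('sdset')}: {sid} denied {', '.join(rights)}"))
    if len(tokens) >= 3 and low[1].endswith(".exe") and low[-1].endswith(".dll"):
        hits.append(("dll_injection_cmdline", f"{tokens[1]} <- {tokens[-1]}"))
    return hits


def triage(pairs):
    return [(image, rule, detail) for image, cmd in pairs
            for rule, detail in triage_command(image, cmd)]


# Constructed input: (image path, command line) pairs copied from the listing above.
SAMPLE = [
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\SYSTEM32\schtasks.exe",
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (r"C:\Windows\windefender.exe", r'"C:\Windows\windefender.exe"'),
    (r"C:\Windows\SysWOW64\sc.exe",
     "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process'),
]

if __name__ == "__main__":
    for image, rule, detail in triage(SAMPLE):
        print(f"{rule:34} {detail}")
```

Reading the decoded descriptor is the point of the exercise: SYSTEM keeps START, STOP and PAUSE_CONTINUE but is given no CHANGE_CONFIG or DELETE, while Administrators receive CHANGE_CONFIG, DELETE, WRITE_DAC and WRITE_OWNER but are explicitly denied STOP and PAUSE_CONTINUE, so `sc stop WinDefender` from an elevated prompt fails. Because WRITE_DAC and DELETE are still granted to BA, an operator can restore a normal descriptor with `sc sdset` (or issue `sc delete`) before stopping the service; a deny on WD/WO/SD as well would have been the harder case to clean up, and the checker flags those rights too.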

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 241.127.12.185.in-addr.arpa udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
KR 211.181.24.132:80 brusuax.com tcp
GB 104.86.110.114:443 tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 92.123.128.161:443 r.bing.com tcp
US 52.182.143.213:443 browser.pipe.aria.microsoft.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
KR 211.181.24.132:80 brusuax.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
KR 175.120.254.9:80 habrafa.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
DE 144.76.136.153:443 transfer.sh tcp
KR 175.120.254.9:80 habrafa.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 104.21.16.186:443 healthproline.pro tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 theoryapparatusjuko.fun udp
DE 159.69.103.8:9001 159.69.103.8 tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
DE 159.69.103.8:9001 159.69.103.8 tcp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
KR 175.120.254.9:80 habrafa.com tcp
DE 159.69.103.8:9001 159.69.103.8 tcp
DE 159.69.103.8:9001 159.69.103.8 tcp
KR 175.120.254.9:80 habrafa.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 172.67.180.132:443 technologyenterdo.shop tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 172.67.147.18:443 associationokeo.shop tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 5.188.88.181:80 notmalware.top tcp
KR 175.120.254.9:80 habrafa.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 104.21.51.193:443 trypokemon.com tcp
US 104.21.11.77:443 loftproper.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
TR 213.238.183.73:443 pimpirik.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
DE 185.149.146.82:80 tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
GB 142.250.200.14:443 clients2.google.com udp
N/A 224.0.0.251:5353 udp
GB 142.250.200.14:443 clients2.google.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.96:443 server4.realupdate.ru tcp
US 172.67.212.188:443 walkinglate.com tcp
BG 185.82.216.96:443 server4.realupdate.ru tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
GB 104.86.110.114:443 tcp
GB 92.123.128.161:443 r.bing.com tcp
GB 104.86.110.114:443 tcp
GB 104.86.110.114:443 tcp
BG 185.82.216.96:443 server4.realupdate.ru tcp
N/A 127.0.0.1:31465 tcp
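The table above records one row per connection, so the host that is polled repeatedly (trad-einmyus.com on 185.12.127.241:80) dominates the listing while single connections to uncommon ports are easy to miss. The following is an added example written for this page (editor's code, not sandbox output): it collapses rows into per-destination counts and flags the things worth a second look, namely destinations without a hostname, ports other than 53/80/443, reverse (in-addr.arpa) lookups, and the external-IP echo service that the "Looks up external IP address via web service" signature refers to. SAMPLE is a constructed subset of rows copied from the table; IP_ECHO_SERVICES and the flag names are the editor's choices.

```python
"""Per-destination summary of the Network table above.

Added example (editor's code, not part of the sandbox report). SAMPLE is a
constructed subset of rows copied from the table; IP_ECHO_SERVICES and the flag
names are the editor's choices."""
import re
from collections import Counter

# Country Destination Domain Proto; the Domain column may be empty.
ROW = re.compile(r"^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)"
                 r"(?:\s+(?P<host>\S+))?\s+(?P<proto>tcp|udp)$")
COMMON_PORTS = {53, 80, 443}
IP_ECHO_SERVICES = {"api.2ip.ua", "api.ipify.org", "ifconfig.me"}  # assumption: short illustrative list


def parse_rows(text):
    """Parse table rows into (country, ip, port, host, proto) tuples; skips the header."""
    conns = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                      # header line or unparseable residue
        host = m["host"] or ""
        if host == m["ip"]:               # the report repeats the IP when no name was seen
            host = ""
        conns.append((m["cc"], m["ip"], int(m["port"]), host, m["proto"]))
    return conns


def summarize(conns):
    """Collapse repeated rows into per-destination records, most frequent first."""
    counts = Counter((ip, port, host, proto) for _, ip, port, host, proto in conns)
    out = []
    for (ip, port, host, proto), n in counts.most_common():
        local = ip.startswith(("127.", "224."))   # loopback and mDNS multicast
        flags = []
        if port not in COMMON_PORTS:
            flags.append("uncommon_port")
        if local:
            flags.append("local")
        elif not host:
            flags.append("no_hostname")           # direct-to-IP, no DNS lookup seen
        if host.endswith(".in-addr.arpa"):
            flags.append("ptr_lookup")            # something resolved the C2 IP back to a name
        if host in IP_ECHO_SERVICES:
            flags.append("external_ip_lookup")
        out.append({"ip": ip, "port": port, "host": host, "proto": proto,
                    "count": n, "flags": flags})
    return out


def top_talker(summary):
    """Destination with the most connections: the first place to look for polling C2."""
    return summary[0] if summary else None


# Constructed input: a subset of rows copied from the Network table above.
SAMPLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 241.127.12.185.in-addr.arpa udp
KR 211.181.24.132:80 brusuax.com tcp
GB 104.86.110.114:443 tcp
US 104.21.65.24:443 api.2ip.ua tcp
DE 159.69.103.8:9001 159.69.103.8 tcp
DE 159.69.103.8:9001 159.69.103.8 tcp
US 15.197.250.192:3478 stun.sipgate.net udp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:31465 tcp
"""

if __name__ == "__main__":
    for rec in summarize(parse_rows(SAMPLE)):
        print(f"{rec['count']:3} {rec['ip']}:{rec['port']}/{rec['proto']} "
              f"{rec['host'] or '-':40} {' '.join(rec['flags'])}")
```

Two of the flagged rows deserve a note. 159.69.103.8:9001 is contacted directly by IP with no hostname; 9001 is the default Tor relay (OR) port, which is a reason to pull that stream from the capture and confirm the handshake rather than a conclusion. 15.197.250.192:3478/udp to stun.sipgate.net is STUN, and the 224.0.0.251:5353 row is mDNS; both are normal for a browser session and are flagged only so the analyst consciously discards them.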

Files

memory/3916-1-0x0000000000640000-0x0000000000740000-memory.dmp

memory/3916-2-0x0000000000630000-0x000000000063B000-memory.dmp

memory/3916-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3300-4-0x0000000005290000-0x00000000052A6000-memory.dmp

memory/3916-5-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9172.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\A876.exe

MD5 50089d99910b582b7b4f71d7b58935f6
SHA1 62cc51de0072c86e29d9a7f089cea93fc1b025f8
SHA256 5c70bc40d13eb71f83e1f37a09851e624e081df0a837e7d66a3c76111ec893d7
SHA512 096773ee3e9e067d4b243ea9b1d8a145401a41b2ac608869539c459b7b1f487e15858b3a15996f22013800218a32ed565a238cee0fe25e74db18cab9a835e887

memory/1700-21-0x00000000025C0000-0x0000000002656000-memory.dmp

memory/1700-22-0x0000000002700000-0x000000000281B000-memory.dmp

memory/2548-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2548-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1776-44-0x0000000002690000-0x000000000272E000-memory.dmp

memory/2376-47-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2376-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2376-49-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b75792b3a5c6302d72594ee6a5c75468
SHA1 84af5f4b1d1e6ea20b23b5ccf59ebc2575e20c6a
SHA256 a82d0a3c5e228a0c4ec7d7139c2109dd7aae07ef5f6bb1800551c84019010b9c
SHA512 45535ea57d9e91041eba1ce1f2eea62215ed89b6bc6843e3566e62d98d2ad020a1bf57f3e831ac3abf422e1b76ac53836189828e05b2f24df5a77e38b9dc99df

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 c1a837e7fe0cd4bf1d70c7b4d8844d55
SHA1 b9b2d408095400ff0be067d8c6eed6ba0312ef3c
SHA256 0e3dcc979a1e43003bdc7253cb4094c0385d2099c14dc12a4e85fded6f76dc97
SHA512 720c2aded6054feee530553c84ce238ef4952ce2b622917c840ffa2a937f77cfe2ba55a6212af0a650f7f8286d30088ec385de584e3fe1f4b2ca7901136d16a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 6eaa95b86ed3bd15ad61992ed7a34aad
SHA1 745a405bfb11012b160a3c7b77302427ed06eff6
SHA256 567b3dc1d429c602a332e8efb8fa616a051ef52b3d7980ea00b23afb21a75f54
SHA512 09ff3c7f584fe517cc65a94116420f909e40be189c18a6a7d0f79e59ea10baeef28a61cede9e47d131755470a9db0c610cb486d3061e249479868f1fc9148b2d

memory/2376-56-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2376-57-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build2.exe

MD5 c6d3d647baad8a5b93b81d2487f4f072
SHA1 e9c1105dc41f85d4f7e94d4e004f8427787c8802
SHA256 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a
SHA512 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049

memory/3944-69-0x0000000000600000-0x0000000000700000-memory.dmp

memory/3992-71-0x0000000000400000-0x0000000000649000-memory.dmp

memory/3944-70-0x00000000021B0000-0x00000000021E6000-memory.dmp

memory/3992-74-0x0000000000400000-0x0000000000649000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BF2B.exe

MD5 768351e7fb4e73a68d6128a4ab7ccc4e
SHA1 b2e42ae8d8f154800c6ade37ad6ce4e903da79de
SHA256 e1af5fed9e816a4f21c4f25e8d1388d8e8deac07c9cacd2889b749f2ec28a396
SHA512 76f96b1e6d962937822c05814c77ac8903ac612db07d8daa7ddb2fb7443e6151afc880daf5a8a3e42b4f3e8dc081f391cab3e8098fb4af8ac31ef81a66d20941

memory/2008-79-0x0000000000530000-0x0000000000B42000-memory.dmp

memory/3992-80-0x0000000000400000-0x0000000000649000-memory.dmp

memory/2008-81-0x00000000771A6000-0x00000000771A8000-memory.dmp

memory/2008-82-0x0000000000530000-0x0000000000B42000-memory.dmp

memory/2008-83-0x0000000000530000-0x0000000000B42000-memory.dmp

memory/2008-84-0x0000000000530000-0x0000000000B42000-memory.dmp

memory/2008-86-0x0000000000530000-0x0000000000B42000-memory.dmp

memory/2008-85-0x0000000000530000-0x0000000000B42000-memory.dmp

memory/2008-87-0x0000000000530000-0x0000000000B42000-memory.dmp

memory/2008-88-0x0000000077130000-0x00000000772D9000-memory.dmp

memory/2008-89-0x00000000011F0000-0x00000000011F1000-memory.dmp

memory/2008-90-0x0000000000530000-0x0000000000B42000-memory.dmp

memory/2008-91-0x0000000077130000-0x00000000772D9000-memory.dmp

C:\Users\Admin\AppData\Local\cbe7fa11-e456-4382-a089-989b1b454d30\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2376-103-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3992-106-0x0000000000400000-0x0000000000649000-memory.dmp

memory/3916-110-0x0000000000400000-0x0000000000406000-memory.dmp

memory/4640-114-0x00000000009C0000-0x00000000009C4000-memory.dmp

memory/4640-113-0x0000000000B80000-0x0000000000C80000-memory.dmp

memory/3916-115-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3916-117-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3916-118-0x0000000000410000-0x0000000000413000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E16A.exe

MD5 479342d62078aaf31881972c7574f6f2
SHA1 382fa9a95746ca6199e7dfb9ae2bd035f4000fb4
SHA256 a6b59e0a275b5314935a3f812a5ba7dd5d5cc9524d3a6efdeb3a103eea386f6d
SHA512 0e74e3e0b993968220e712ffd94a76c00d35f0452494d62b3f6780c80cc0cae2e9982978830c54bed3a57d17a5a84abbdc4c0cbb5961afcae785048ac4ac47da

memory/1812-123-0x0000000000B90000-0x0000000001667000-memory.dmp

memory/1812-128-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/1812-129-0x0000000000B80000-0x0000000000B81000-memory.dmp

memory/1812-131-0x0000000000B90000-0x0000000001667000-memory.dmp

memory/1812-130-0x0000000002D10000-0x0000000002D11000-memory.dmp

memory/1812-132-0x0000000002D20000-0x0000000002D21000-memory.dmp

memory/1812-133-0x0000000002D30000-0x0000000002D31000-memory.dmp

memory/1812-134-0x0000000002D40000-0x0000000002D41000-memory.dmp

memory/1812-135-0x0000000002D50000-0x0000000002D51000-memory.dmp

memory/1812-136-0x0000000002D60000-0x0000000002D61000-memory.dmp

memory/1812-137-0x0000000002D70000-0x0000000002D71000-memory.dmp

memory/1812-138-0x0000000002D80000-0x0000000002D81000-memory.dmp

memory/1812-139-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/1812-140-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

memory/1812-141-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

memory/1812-142-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

memory/1812-143-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

memory/1812-144-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

memory/1812-147-0x0000000002F20000-0x0000000002F21000-memory.dmp

memory/1812-146-0x0000000002E10000-0x0000000002E11000-memory.dmp

memory/1812-145-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/1812-148-0x0000000000B90000-0x0000000001667000-memory.dmp

memory/1812-150-0x0000000000B90000-0x0000000001667000-memory.dmp

memory/1812-152-0x0000000002F30000-0x0000000002F70000-memory.dmp

memory/1812-151-0x0000000002F30000-0x0000000002F70000-memory.dmp

memory/1812-153-0x0000000002F30000-0x0000000002F70000-memory.dmp

memory/1812-155-0x0000000002F30000-0x0000000002F70000-memory.dmp

memory/1812-154-0x0000000002F30000-0x0000000002F70000-memory.dmp

memory/1812-160-0x0000000000B90000-0x0000000001667000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB.exe

MD5 5d5c4c47ccae89a73b6f1f42542c834c
SHA1 5b59fee042ea4897f88a573dbe38ae4cb71e3f7e
SHA256 03cdea5b068f994f8c15ded8e91c32a2638a7f646e68e3988a80e6a377ef6dec
SHA512 dc9ab01fb72f331ff0e7e384db5a43ad41215914c5363d8ab90de7a78ad5d3ef02511585a25189699c1b31d300ff42edd98988660b65da91058dc3fa6f5a786b

C:\Users\Admin\AppData\Local\Temp\810.exe

MD5 ede22b4f418d4f709751af82df78dd26
SHA1 eb456429d597f433d08ca7e0b308bad06e5146c2
SHA256 7e6d1d4791c9f75281a2ae8fd3ee8a4d0d6521bdd0dd7751b378718e8567f142
SHA512 cd33f35bc08061d8c5222973ab7d3f38b87623ec99a927c97d76b4d04e431194803bdac770a91a593cc448f6d2e07018359929dfd505bf5ddc1b4b3952c3c571

memory/2192-171-0x0000000002B40000-0x0000000002F45000-memory.dmp

memory/2192-172-0x0000000002F50000-0x000000000383B000-memory.dmp

memory/2192-173-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1904-174-0x0000000005110000-0x0000000005146000-memory.dmp

memory/1904-175-0x0000000072430000-0x0000000072BE1000-memory.dmp

memory/1904-176-0x0000000005230000-0x0000000005240000-memory.dmp

memory/1904-177-0x0000000005230000-0x0000000005240000-memory.dmp

memory/1904-178-0x0000000005870000-0x0000000005E9A000-memory.dmp

memory/1904-179-0x0000000005820000-0x0000000005842000-memory.dmp

memory/1904-180-0x0000000006010000-0x0000000006076000-memory.dmp

memory/1904-181-0x0000000006080000-0x00000000060E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jylcrckd.hku.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1904-190-0x00000000060F0000-0x0000000006447000-memory.dmp

memory/1904-191-0x00000000065A0000-0x00000000065BE000-memory.dmp

memory/1904-192-0x0000000006670000-0x00000000066BC000-memory.dmp

memory/2376-193-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2376-195-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2376-196-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1904-197-0x0000000006B20000-0x0000000006B66000-memory.dmp

memory/1904-198-0x00000000079D0000-0x0000000007A04000-memory.dmp

memory/1904-199-0x000000007FB90000-0x000000007FBA0000-memory.dmp

memory/1904-201-0x000000006F050000-0x000000006F3A7000-memory.dmp

memory/1904-200-0x000000006EEF0000-0x000000006EF3C000-memory.dmp

memory/1904-210-0x0000000007A30000-0x0000000007A4E000-memory.dmp

memory/1904-211-0x0000000007A50000-0x0000000007AF4000-memory.dmp

memory/1904-212-0x00000000081B0000-0x000000000882A000-memory.dmp

memory/1904-213-0x0000000007B70000-0x0000000007B8A000-memory.dmp

memory/1904-214-0x0000000007BB0000-0x0000000007BBA000-memory.dmp

memory/1904-215-0x0000000072430000-0x0000000072BE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\810.exe

MD5 51def4926e372019607ea10360fa2d1e
SHA1 3c2da59b38cc903bbc1b8836f0e4b213901bc23e
SHA256 2a8440d60d3c01f95b109b24d4391b130e60c1d62e1c80cd79c0b33e76349ad1
SHA512 1ec732861b8ef882174cc0cdf1bd509b2625b3621986a22a3a4654bf40792396a03ad603c6bc9a6ab28ba53b5ab4d51557f9ff0e50a5fcb594daca6205e68362

memory/2192-217-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2192-218-0x0000000002F50000-0x000000000383B000-memory.dmp

memory/2520-220-0x0000000002A80000-0x0000000002E86000-memory.dmp

memory/2520-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4212-222-0x0000000072430000-0x0000000072BE1000-memory.dmp

memory/4212-225-0x00000000054B0000-0x00000000054C0000-memory.dmp

memory/4212-230-0x0000000006200000-0x0000000006557000-memory.dmp

memory/4212-229-0x00000000054B0000-0x00000000054C0000-memory.dmp

memory/4212-234-0x0000000006C30000-0x0000000006C7C000-memory.dmp

memory/4212-236-0x000000006EF50000-0x000000006EF9C000-memory.dmp

memory/4212-235-0x000000007F1D0000-0x000000007F1E0000-memory.dmp

memory/4212-237-0x000000006F140000-0x000000006F497000-memory.dmp

memory/4212-246-0x00000000078E0000-0x0000000007984000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 ac4917a885cf6050b1a483e4bc4d2ea5
SHA1 b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256 e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d

memory/2376-258-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9556408ed74344a332317c7ba1385cdb
SHA1 627f50601815ccd89e7a202e18dcb96db4b9b644
SHA256 261c439cc690427734bd5ad97bfe93632eb70c5a83911bb9edafff4ee47fe597
SHA512 44ad6a5e748e469c59090eae295bd54652fd1d75e1ab2d6a0a7eb6cb079ee7d960dde3c1d36eceebf191bb496123c843d777cf61941203d1511575b8a1704d5c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2fea1e323bf5b221eb9136e6eca024ba
SHA1 aa270086c0274e1703fc595bde3acfd257f0bd34
SHA256 0e008737c2673f3e693d0519665849ec6267efda0d9cea13d590c4a21e880a12
SHA512 162f795450214647005cf92c41329cf0d973ea5c669752cc69f0fbf00307e4814d9ff2ff5ed18bff7e04af688b4f65871d1cfc6f64f227b52e8c53f4818cd8a7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8570cff1c327283ff2faf7ad17ad0aac
SHA1 4c9e0aba97c4b8835e02fa8029b1af28ce740f1b
SHA256 f1ef672a91904f05759f12dddb861d4da909b67321b687509999d06a484d3400
SHA512 68668037b66d6c9b34e181626053e703108ef4c0c2aa9e44fb66f16fb62bbffb22121a5e077afdcb3cec5b1a77c6ce0c470b74da3c56e130c0f57c0d1493cc4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 44591be64cb5c6b634232eac089f1576
SHA1 2b7a9d605edbfcfe758b814ab78f0967e94a6166
SHA256 08d77ab354e683ef0303871415038d700e54449977681b86717c9bd639ac39fe
SHA512 70e2b75bc1e8340a4aa9e0c0affc5efd8e6141873d769b33cb13c042b0e6e53e5a829704f9f19a17f9343c688f3e68e11c5145cd0e9fb762b17a9e489f5072df

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 0e7d6c11877ab4cd61082f246aa40094
SHA1 ce0778834733041d3a96540b565cb95d4509c826
SHA256 c87d8d066f50c7a67f1abd7ad6e3e8d26b65e651d3865b925722b4ca21fbea6b
SHA512 04283061e0af6aaa54eb4b67c81e48d833d671fee98ece4c1a25bbedd639ac419793582e1eb6c866528c7e23d17a1746cb860722324e467b8b90793dd9db5ea9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1274d25c93b696f21472eef062497046
SHA1 bf427dc3454fd5dc3ad253ae39faecd6de28ca98
SHA256 9aab67894f57f1f1470183a77cf4d57ca8b0bd0239b20cbf6ab3eaa61282caf7
SHA512 ec42941957b17874010351a38b7f6e7e502e53355ae80908897ed5dea994e67ce5a3789d254b4fcb5337a17fd3bf271d1fdc6e32a6b9a514a200bf39d84c1034

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f4abd1129d302ffa2bab4f2a6e5d0889
SHA1 56dce1d4c5f9eda22ae1987496ce7de912d9a8a4
SHA256 93a8a97294d01ac2063138151af958cbaec88878690a1c0b9c44b64621514ba7
SHA512 622572dd0b33468aeaa29256f9c4620ce007b6f31748076ad8813098d8435e1c16d4cfc73b48f4667fdc1f33f4353168c3eb0d2ecb6e4eaa05e622b5050dc229

C:\Users\Admin\AppData\Local\Temp\5314.exe

MD5 eda36c51a126d6f6989443acfe507e2c
SHA1 b87c4c8dec5f3259ec3cb629876ce48da221b1a1
SHA256 91d1a1d9d3610c197e3fdbde79040cebf01eddfef34f8e7b77a4b81cbcecd461
SHA512 79f7e89c7f6d8b3d6225ac2fb9931c42bd4a7e81dd88f8a6017369007c848ab87843a84f9973653fefa31960a354102684279573587061cb7bfb1f9775fc5dc0

\??\pipe\crashpad_2216_TAVBNIELESGAPIXX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 19cb64e03cab13bf5506d8f1ccab4c7f
SHA1 6ed493b19131034a44b5a54742e2b78c33ffa82b
SHA256 2a5d5fb11ea7418510e9b6b06c343491df94af42169ce31e383f58927ed10735
SHA512 d79149007c657e2694b67c5994ff5c6c8eedfce4820432a357e7a5fb9144bfeaef8034d8063ca732afa9a5f8dd5e723fa14fabaf220ac47e8897f05375bcd48f
