Malware Analysis Report

2024-11-30 04:44

Sample ID 240223-fhlaeabg97
Target 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe
SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Tags
dcrat djvu glupteba lumma smokeloader zgrat tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer themida trojan upx vidar 7f6c51bbce50f99b5a632c204a5ec558 rootkit
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164

Threat Level: Known bad

The file 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe was found to be: Known bad.

Malicious Activity Summary

dcrat djvu glupteba lumma smokeloader zgrat tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer themida trojan upx vidar 7f6c51bbce50f99b5a632c204a5ec558 rootkit

Djvu Ransomware

Vidar

Windows security bypass

Detected Djvu ransomware

Glupteba payload

Glupteba

Detect Vidar Stealer

Detect ZGRat V1

Lumma Stealer

DcRat

SmokeLoader

ZGRat

UPX dump on OEP (original entry point)

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables packed with Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detects executables containing artifacts associated with disabling Windows Defender

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Modifies boot configuration data using bcdedit

Detects Windows executables referencing non-Windows User-Agents

Detects executables referencing a Discord URL observed in first-stage droppers

Detects executables containing URLs to raw contents of a Github gist

Downloads MZ/PE file

Drops file in Drivers directory

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Windows security modification

Modifies file permissions

Themida packer

Loads dropped DLL

Checks BIOS information in registry

Deletes itself

Checks computer location settings

Executes dropped EXE

UPX packed file

Manipulates WinMonFS driver.

Checks whether UAC is enabled

Manipulates WinMon driver.

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 04:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 04:52

Reported

2024-02-23 04:55

Platform

win10v2004-20240221-en

Max time kernel

55s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e19f04c4-8074-4828-b230-339c6deeea58\\5F81.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5F81.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing a Discord URL observed in first-stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with Themida

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\722F.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\722F.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\722F.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5F81.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\e19f04c4-8074-4828-b230-339c6deeea58\\5F81.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5F81.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\722F.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\722F.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2680 set thread context of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 set thread context of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
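The sc.exe launch recorded here is the `sc sdset WinDefender D:(A;;...)...` command shown in the Processes list, which rewrites the security descriptor of the WinDefender service (the same name as the C:\Windows\windefender.exe process launched alongside it). What that SDDL string does is not obvious from the raw text, so the following is an added example, not part of the sandbox report or the sample: a small Python SDDL decoder that expands each ACE using the service-object meaning of the two-letter right abbreviations and flags a DACL that denies SERVICE_STOP to Administrators. The descriptor string is copied from the report; the function and table names are this example's own.

```python
"""Decode the service security descriptor set by `sc sdset` in this report.

Added example (not part of the sandbox report): expands each SDDL ACE into
trustee + rights, using the service-specific meaning of the generic SDDL
right abbreviations, and flags a DACL that denies stop/pause to Administrators.
"""
import re
from typing import List, NamedTuple

# Two-letter SDDL rights -> the service access right they map to on a service object.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# Well-known SID abbreviations that appear in the captured descriptor.
TRUSTEES = {
    "SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
    "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE", "WD": "Everyone",
}

ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}


class Ace(NamedTuple):
    section: str       # "D" (DACL) or "S" (SACL)
    kind: str          # allow / deny / audit
    flags: str         # ACE flags, e.g. "FA" = audit failed access
    rights: List[str]
    trustee: str


_ACE_RE = re.compile(r"\(([^)]*)\)")


def _split_rights(s: str) -> List[str]:
    # Rights are a run of two-letter tokens; a raw hex mask is also legal SDDL.
    if s.startswith("0x"):
        return [s]
    if len(s) % 2:
        raise ValueError(f"odd-length rights string: {s!r}")
    return [SERVICE_RIGHTS.get(s[i:i + 2], s[i:i + 2]) for i in range(0, len(s), 2)]


def parse_sddl(sddl: str) -> List[Ace]:
    """Parse the D: and S: sections of an SDDL string into ACE records."""
    aces: List[Ace] = []
    for m in re.finditer(r"([DS]):((?:\([^)]*\))*)", sddl):   # O:/G: are absent here
        section, body = m.group(1), m.group(2)
        for ace in _ACE_RE.findall(body):
            fields = ace.split(";")
            if len(fields) != 6:
                raise ValueError(f"malformed ACE: {ace!r}")
            ace_type, flags, rights, _obj, _inh, sid = fields
            aces.append(Ace(section, ACE_TYPES.get(ace_type, ace_type), flags,
                            _split_rights(rights), TRUSTEES.get(sid, sid)))
    return aces


def stop_denied_to_admins(aces: List[Ace]) -> bool:
    """True if the DACL has a deny ACE stripping SERVICE_STOP from Administrators."""
    return any(a.section == "D" and a.kind == "deny"
               and a.trustee == TRUSTEES["BA"] and "SERVICE_STOP" in a.rights
               for a in aces)


# The descriptor exactly as it appears in the report's `sc sdset WinDefender ...` line.
REPORT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
               "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
               "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

if __name__ == "__main__":
    parsed = parse_sddl(REPORT_SDDL)
    for a in parsed:
        print(f"{a.section} {a.kind:5} {a.trustee:26} {' '.join(a.rights)}")
    print("Administrators denied stop/pause:", stop_denied_to_admins(parsed))
```

Decoded, the string is the descriptor a newly created service gets by default with two changes: the Administrators allow ACE no longer carries WP/DT, and a `(D;;WPDT;;;BA)` deny ACE follows it. The effect is that `sc stop WinDefender` from an elevated shell fails with access denied while SYSTEM keeps SERVICE_STOP. Administrators still hold WD (WRITE_DAC) and DC (SERVICE_CHANGE_CONFIG), so during response the DACL must be rewritten with `sc sdset`, or the service start type changed, before a stop will succeed.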

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 2628 N/A N/A C:\Windows\system32\cmd.exe
PID 3512 wrote to memory of 2628 N/A N/A C:\Windows\system32\cmd.exe
PID 2628 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2628 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3512 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 3512 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 3512 wrote to memory of 2680 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2680 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2328 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Windows\SysWOW64\icacls.exe
PID 2328 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Windows\SysWOW64\icacls.exe
PID 2328 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Windows\SysWOW64\icacls.exe
PID 3512 wrote to memory of 1928 N/A N/A C:\Users\Admin\AppData\Local\Temp\722F.exe
PID 3512 wrote to memory of 1928 N/A N/A C:\Users\Admin\AppData\Local\Temp\722F.exe
PID 3512 wrote to memory of 1928 N/A N/A C:\Users\Admin\AppData\Local\Temp\722F.exe
PID 2328 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2328 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 2328 wrote to memory of 320 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 320 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\5F81.exe C:\Users\Admin\AppData\Local\Temp\5F81.exe
PID 3512 wrote to memory of 776 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC6B.exe
PID 3512 wrote to memory of 776 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC6B.exe
PID 3512 wrote to memory of 776 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC6B.exe
PID 3512 wrote to memory of 2028 N/A N/A C:\Windows\system32\cmd.exe
PID 3512 wrote to memory of 2028 N/A N/A C:\Windows\system32\cmd.exe
PID 2028 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2028 wrote to memory of 3536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3512 wrote to memory of 3760 N/A N/A C:\Users\Admin\AppData\Local\Temp\BD36.exe
PID 3512 wrote to memory of 3760 N/A N/A C:\Users\Admin\AppData\Local\Temp\BD36.exe
PID 3512 wrote to memory of 3760 N/A N/A C:\Users\Admin\AppData\Local\Temp\BD36.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe

"C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4949.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5F81.exe

C:\Users\Admin\AppData\Local\Temp\5F81.exe

C:\Users\Admin\AppData\Local\Temp\5F81.exe

C:\Users\Admin\AppData\Local\Temp\5F81.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e19f04c4-8074-4828-b230-339c6deeea58" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\722F.exe

C:\Users\Admin\AppData\Local\Temp\722F.exe

C:\Users\Admin\AppData\Local\Temp\5F81.exe

"C:\Users\Admin\AppData\Local\Temp\5F81.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5F81.exe

"C:\Users\Admin\AppData\Local\Temp\5F81.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1480 -ip 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1480 -s 568

C:\Users\Admin\AppData\Local\Temp\AC6B.exe

C:\Users\Admin\AppData\Local\Temp\AC6B.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B0C1.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\BD36.exe

C:\Users\Admin\AppData\Local\Temp\BD36.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\D2F1.exe

C:\Users\Admin\AppData\Local\Temp\D2F1.exe

C:\Users\Admin\AppData\Local\Temp\BD36.exe

"C:\Users\Admin\AppData\Local\Temp\BD36.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4092 -ip 4092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4092 -ip 4092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4092 -s 444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
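The command lines in this list are the greppable part of the behaviour: icacls denying Everyone delete rights on the GUID-named folder that 5F81.exe persists from (the SysHelper Run key above), a firewall allow rule and an ONLOGON/HIGHEST scheduled task for a csrss.exe outside System32, an `sc sdset` carrying a deny ACE, an injector loading NtQuerySystemInformationHook.dll into taskmgr.exe (by its name, a user-mode hook of the API Task Manager uses to list processes), and a `reg add` to HKCU\Software\clicker\key launched from the batch stages. The following is an added example, not part of the sandbox report: Python predicates over process-creation events, evaluated against events constructed from this list plus two constructed benign lines. The event fields, rule names and trusted-directory list are this example's assumptions, not a SIEM schema.

```python
"""Process-creation rules for the command lines captured in this report.

Added example, not part of the sandbox report. Each rule is a predicate over a
process-creation event (image path + command line). SAMPLE_EVENTS is built from
the Processes list plus two constructed benign lines.
"""
import re
from typing import Callable, Dict, List, NamedTuple


class ProcEvent(NamedTuple):
    image: str     # full path of the created process
    cmdline: str   # its command line


# Directories a legitimate service binary or task target normally runs from (assumption).
_TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


def _untrusted_path(path: str) -> bool:
    return not path.strip('"').lower().startswith(_TRUSTED_DIRS)


def _image_is(e: ProcEvent, name: str) -> bool:
    return e.image.lower().endswith("\\" + name)


def r_icacls_deny_everyone_delete(e: ProcEvent) -> bool:
    # Self-protection: Everyone (S-1-1-0) denied DELETE and DELETE_CHILD on a folder.
    return _image_is(e, "icacls.exe") and bool(
        re.search(r"/deny\s+\*S-1-1-0:\(OI\)\(CI\)\(DE,DC\)", e.cmdline, re.I))


def r_firewall_allow_untrusted_program(e: ProcEvent) -> bool:
    # Inbound allow rule for a program outside System32 / Program Files.
    m = re.search(r'advfirewall\s+firewall\s+add\s+rule.*action=allow.*program="?([^"\s]+)',
                  e.cmdline, re.I)
    return _image_is(e, "netsh.exe") and bool(m) and _untrusted_path(m.group(1))


def r_schtasks_onlogon_highest_untrusted(e: ProcEvent) -> bool:
    # Logon task at the highest run level whose target lives outside trusted dirs.
    c = e.cmdline
    tr = re.search(r'/tr\s+"?([^"]+?)"?\s+/tn', c, re.I)
    return (_image_is(e, "schtasks.exe") and bool(re.search(r"/create\b", c, re.I))
            and bool(re.search(r"/rl\s+highest\b", c, re.I))
            and bool(tr) and _untrusted_path(tr.group(1)))


def r_sc_sdset_with_deny_ace(e: ProcEvent) -> bool:
    # Service DACL rewritten to include an explicit deny ACE "(D;...)".
    return _image_is(e, "sc.exe") and bool(re.search(r"\bsdset\s+\S+\s+\S*\(D;", e.cmdline, re.I))


def r_injector_hook_dll(e: ProcEvent) -> bool:
    # "<injector> <target.exe> <...Hook.dll>": DLL injection of a user-mode API hook.
    return bool(re.search(r"\s\S+\.exe\s+\S*hook\S*\.dll\b", e.cmdline, re.I))


def r_reg_clicker_marker(e: ProcEvent) -> bool:
    # Marker value the batch stages write: HKCU\Software\clicker\key\primary.
    return _image_is(e, "reg.exe") and bool(
        re.search(r'\badd\s+"?HKEY_CURRENT_USER\\Software\\clicker\\key\b', e.cmdline, re.I))


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "icacls_deny_everyone_delete": r_icacls_deny_everyone_delete,
    "firewall_allow_untrusted_program": r_firewall_allow_untrusted_program,
    "schtasks_onlogon_highest_untrusted": r_schtasks_onlogon_highest_untrusted,
    "sc_sdset_with_deny_ace": r_sc_sdset_with_deny_ace,
    "injector_hook_dll": r_injector_hook_dll,
    "reg_clicker_marker": r_reg_clicker_marker,
}


def evaluate(events: List[ProcEvent]) -> Dict[str, List[int]]:
    """Map each rule name to the indices of the events it matches."""
    return {name: [i for i, e in enumerate(events) if rule(e)] for name, rule in RULES.items()}


# Events 0-5 are taken from the Processes list; 6 and 7 are constructed benign lines.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\SysWOW64\icacls.exe",
              r'icacls "C:\Users\Admin\AppData\Local\e19f04c4-8074-4828-b230-339c6deeea58" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    ProcEvent(r"C:\Windows\system32\netsh.exe",
              r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    ProcEvent(r"C:\Windows\SYSTEM32\schtasks.exe",
              r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    ProcEvent(r"C:\Windows\SysWOW64\sc.exe",
              r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
              r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    ProcEvent(r"C:\Windows\system32\reg.exe",
              r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Program Files\Vendor\agent.exe" /TN VendorAgent /F'),
    ProcEvent(r"C:\Windows\system32\netsh.exe",
              r'netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=TCP localport=3389'),
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:36} -> events {idx}")
```

The two benign lines exist to show where the rules draw the line: a HIGHEST/ONLOGON task is only flagged when its target is outside System32 or Program Files, and a firewall allow rule is only flagged when it names a program in such a location. The `injector_hook_dll` and `sc_sdset_with_deny_ace` rules need no such exception; neither pattern has a routine administrative use.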

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 241.127.12.185.in-addr.arpa udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
UZ 195.158.3.162:80 brusuax.com tcp
US 8.8.8.8:53 162.3.158.195.in-addr.arpa udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 healthproline.pro udp
US 104.21.16.186:443 healthproline.pro tcp
US 8.8.8.8:53 186.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 theoryapparatusjuko.fun udp
US 8.8.8.8:53 snuggleapplicationswo.fun udp
US 8.8.8.8:53 smallrabbitcrossing.site udp
US 8.8.8.8:53 punchtelephoneverdi.store udp
US 8.8.8.8:53 telephoneverdictyow.site udp
US 8.8.8.8:53 strainriskpropos.store udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 mahta-netwotk.click udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.51.193:443 trypokemon.com tcp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 193.51.21.104.in-addr.arpa udp
US 8.8.8.8:53 loftproper.com udp
US 104.21.11.77:443 loftproper.com tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 172.67.195.126:443 tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 pimpirik.com udp
TR 213.238.183.73:443 pimpirik.com tcp
US 8.8.8.8:53 73.183.238.213.in-addr.arpa udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
DE 185.149.146.82:80 tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 612cadee-fa72-4b57-83d7-20a57de60877.uuid.realupdate.ru udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 server16.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun1.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
NL 74.125.128.127:19302 stun1.l.google.com udp
BG 185.82.216.96:443 server16.realupdate.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 104.21.23.184:443 walkinglate.com tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 184.23.21.104.in-addr.arpa udp
BG 185.82.216.96:443 server16.realupdate.ru tcp
BG 185.82.216.96:443 server16.realupdate.ru tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp
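The table above mixes resolver queries, reverse-DNS lookups and actual connections, and several rows have a blank domain column. The following is an added example, not part of the sandbox report: a Python parser for this row format that separates names that were only queried from names that received a connection, lists destinations with no name attached, and counts connections per destination so the host hit on every beacon (185.12.127.241:80) stands out. The embedded rows are a subset copied from the table; the function names are this example's own.

```python
"""Extract IOCs from the Network table of this report.

Added example, not part of the sandbox report. Rows have the shape
'<country> <ip:port> [<domain>] <proto>' with the domain column blank on some
rows. Resolver rows (8.8.8.8:53) only tell us which names were looked up;
reverse-DNS (in-addr.arpa) rows are sandbox noise and are dropped.
"""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set

RESOLVER = "8.8.8.8:53"


class Row(NamedTuple):
    country: str
    dest: str      # ip:port
    domain: str    # "" when the column is blank
    proto: str


def parse_row(line: str) -> Row:
    parts = line.split()
    if len(parts) == 4:
        return Row(*parts)
    if len(parts) == 3:            # blank domain column
        return Row(parts[0], parts[1], "", parts[2])
    raise ValueError(f"unexpected row: {line!r}")


def load(text: str) -> List[Row]:
    return [parse_row(line) for line in text.splitlines() if line.strip()]


def summarize(rows: List[Row]) -> dict:
    looked_up: Set[str] = set()
    conns: Counter = Counter()
    ip_to_domains: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r.dest == RESOLVER:
            if r.domain and not r.domain.endswith(".in-addr.arpa"):
                looked_up.add(r.domain)
            continue
        conns[r.dest] += 1
        if r.domain:
            ip_to_domains[r.dest.split(":")[0]].add(r.domain)
    contacted = {d for ds in ip_to_domains.values() for d in ds}
    return {
        # Queried but never connected to: NXDOMAIN, sinkholed, or not reached in the run.
        "dns_only": sorted(looked_up - contacted),
        "connections": conns,
        "ip_to_domains": {ip: sorted(ds) for ip, ds in ip_to_domains.items()},
        # Connections the sandbox could not tie to a name: direct-IP traffic.
        "no_domain": sorted(d for d in conns if d.split(":")[0] not in ip_to_domains),
    }


# Constructed subset of the report's Network table (same row format).
SAMPLE = """\
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
RU 185.12.127.241:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
UZ 195.158.3.162:80 brusuax.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 theoryapparatusjuko.fun udp
US 8.8.8.8:53 snuggleapplicationswo.fun udp
US 8.8.8.8:53 udp
US 172.67.195.126:443 tcp
US 8.8.8.8:53 server16.realupdate.ru udp
BG 185.82.216.96:443 server16.realupdate.ru tcp
BG 185.82.216.96:443 server16.realupdate.ru tcp
"""

if __name__ == "__main__":
    s = summarize(load(SAMPLE))
    print("top talkers:", s["connections"].most_common(3))
    print("resolved:", s["ip_to_domains"])
    print("queried only:", s["dns_only"])
    print("no domain:", s["no_domain"])
```

Run over the full table, the "queried only" bucket collects the many .fun/.shop/.site/.store names that never received a connection, which is worth knowing before pushing them as blocking indicators, while the connection counter makes the repeated plain-HTTP traffic to 185.12.127.241:80 the first thing to pivot on. api.2ip.ua is the external-IP lookup already flagged in the Signatures section and should not be treated as C2.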

Files

memory/3612-1-0x0000000000460000-0x0000000000560000-memory.dmp

memory/3612-2-0x0000000002190000-0x000000000219B000-memory.dmp

memory/3612-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3512-4-0x00000000025F0000-0x0000000002606000-memory.dmp

memory/3612-5-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3612-8-0x0000000002190000-0x000000000219B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4949.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\5F81.exe

MD5 685962facc72ed816ebc86f021449044
SHA1 06459254112ad371328b0fc66210818ad5c048c8
SHA256 818e83a6f88f34e7dc343f267a30b651d578a9e9786c95bc2a76ab33d58f74b8
SHA512 d261caefbe9f4029733b2ff62e2dee9f993c4f6fbc794ac6fb4d9e6cec54814ff4ecd758809f79457c8665b61a1e72626e2acfe7b8312484890b274aaf48d004

memory/2680-21-0x00000000024D0000-0x0000000002566000-memory.dmp

memory/2680-22-0x00000000041B0000-0x00000000042CB000-memory.dmp

memory/2328-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2328-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2328-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2328-27-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\722F.exe

MD5 2a8b57ff7723f9af7945c3d65ede4d00
SHA1 67e9bae7532e8e6bd61ca054b46980fece4b927f
SHA256 786ba520e5682e9611095dadb7af1a8f6e2637a05b74722eef00016721c96ab3
SHA512 1984e19f45f79210a5de6d1608ba6b8903da358c14d9ed2a16bff662270ee5bb2bece2c52a11b88f739de7dfa989be20d2060d92cd3bb74ec2a73cc8a17d91a1

C:\Users\Admin\AppData\Local\Temp\722F.exe

MD5 4ed816c15ab6c50af9580e2bb1602a41
SHA1 c460b96f9e884291e556e7152b6c0574a92cbd34
SHA256 af2d6d34ca1aa8f260f2e7b9122a29f1df5f2df705c7e39bb3620a25deaa7de7
SHA512 e6002f9ce50079becc7b4f918077dd08486486dab937af0ddd6f280d34a49e09087d15273f4b3c20b092fbb8d4710d2df1f3ea32b53dfb35d459d9b176db2f0b

memory/1928-40-0x00000000003E0000-0x00000000009F2000-memory.dmp

memory/1928-41-0x0000000077274000-0x0000000077276000-memory.dmp

memory/2328-43-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1928-45-0x00000000003E0000-0x00000000009F2000-memory.dmp

memory/1928-46-0x00000000003E0000-0x00000000009F2000-memory.dmp

memory/1928-47-0x00000000003E0000-0x00000000009F2000-memory.dmp

memory/320-49-0x0000000003F50000-0x0000000003FE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F81.exe

MD5 9e696d5c2cac05fc9598b5d20f12946a
SHA1 0f36d84930da5d09e444d36c2654070ec29c93e8
SHA256 7d291234921d625c00978e4d3599ae8f1803ca73ffbd213dce28b2aaf7e420fb
SHA512 14cb572db7aa19833543f522b7676fdf87e40103fc58a2b35a6fb288e384849c944bf7232b10786c67cc1388cc42f4369a1fbb5bddd29c6d9b7be45cde98ac71

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-23 04:52
Reported 2024-02-23 04:55
Platform win7-20240221-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Vidar Stealer

stealer
Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C5D6.exe = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A

Detects Windows executables referencing non-Windows User-Agents

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables Discord URL observed in first stage droppers

Detects executables containing URLs to raw contents of a Github gist

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables packed with Themida

Detects executables referencing many varying, potentially fake Windows User-Agents

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2D96.exe N/A

UPX dump on OEP (original entry point)

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2D96.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\2D96.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
UPX packed file

upx
Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C5D6.exe = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\68841b03-089d-42ba-93dc-578fb8c6266d\\146C.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\146C.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\2D96.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMon driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240223045346.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\C5D6.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1200 wrote to memory of 2936 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2936 N/A N/A C:\Windows\system32\cmd.exe
PID 1200 wrote to memory of 2936 N/A N/A C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2936 wrote to memory of 2580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1200 wrote to memory of 2636 N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 1200 wrote to memory of 2636 N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 1200 wrote to memory of 2636 N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 1200 wrote to memory of 2636 N/A N/A C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2636 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2028 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Windows\SysWOW64\icacls.exe
PID 2028 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Windows\SysWOW64\icacls.exe
PID 2028 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Windows\SysWOW64\icacls.exe
PID 2028 wrote to memory of 876 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Windows\SysWOW64\icacls.exe
PID 2028 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2028 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2028 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2028 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 1200 wrote to memory of 336 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1200 wrote to memory of 336 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1200 wrote to memory of 336 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 1200 wrote to memory of 336 N/A N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe
PID 336 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Windows\SysWOW64\WerFault.exe
PID 336 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Windows\SysWOW64\WerFault.exe
PID 336 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Windows\SysWOW64\WerFault.exe
PID 336 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\2D96.exe C:\Windows\SysWOW64\WerFault.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 2368 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\Temp\146C.exe
PID 948 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 948 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 948 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 948 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 1840 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe
PID 948 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\146C.exe C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe

"C:\Users\Admin\AppData\Local\Temp\078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FDCF.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\146C.exe

C:\Users\Admin\AppData\Local\Temp\146C.exe

C:\Users\Admin\AppData\Local\Temp\146C.exe

C:\Users\Admin\AppData\Local\Temp\146C.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\68841b03-089d-42ba-93dc-578fb8c6266d" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\146C.exe

"C:\Users\Admin\AppData\Local\Temp\146C.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 336 -s 164

C:\Users\Admin\AppData\Local\Temp\2D96.exe

C:\Users\Admin\AppData\Local\Temp\2D96.exe

C:\Users\Admin\AppData\Local\Temp\146C.exe

"C:\Users\Admin\AppData\Local\Temp\146C.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe

"C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe"

C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe

"C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build2.exe"

C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe

"C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe"

C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe

"C:\Users\Admin\AppData\Local\5c438158-3a6a-4d3f-afb8-a4843ad1058f\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1472

C:\Users\Admin\AppData\Local\Temp\ACF3.exe

C:\Users\Admin\AppData\Local\Temp\ACF3.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\B186.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 128

C:\Users\Admin\AppData\Local\Temp\C5D6.exe

C:\Users\Admin\AppData\Local\Temp\C5D6.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240223045346.log C:\Windows\Logs\CBS\CbsPersist_20240223045346.cab

C:\Users\Admin\AppData\Local\Temp\C5D6.exe

"C:\Users\Admin\AppData\Local\Temp\C5D6.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\taskeng.exe

taskeng.exe {424923DB-C27D-4073-87C4-CCF75E9CE67C} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network


Files
