Analysis Overview
SHA256
078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Threat Level: Known bad
The file 6958ACC382E71103A0B83D20BBBB37D2.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
SmokeLoader
Glupteba payload
RedLine
Socks5Systemz
DcRat
Detect ZGRat V1
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
Rhadamanthys
Glupteba
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
UPX packed file
Unexpected DNS network traffic destination
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Manipulates WinMonFS driver
Suspicious use of SetThreadContext
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Unsigned PE
Program crash
Enumerates system info in registry
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Checks SCSI registry key(s)
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-24 15:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-24 15:38
Reported
2024-02-24 15:47
Platform
win10v2004-20240221-en
Max time kernel
219s
Max time network
208s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Rhadamanthys
SmokeLoader
Socks5Systemz
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4152 created 2652 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | C:\Windows\system32\sihost.exe |
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA77.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDDF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1658.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WBoot\wboot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\WBoot\wboot.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\225F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\35B9.exe | N/A |
| N/A | N/A | C:\Windows\rss\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
| N/A | N/A | C:\Windows\windefender.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\225F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\225F.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D7D.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 91.211.247.248 | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3592 set thread context of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\BA77.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 400 set thread context of 4152 | N/A | C:\Users\Admin\AppData\Local\Temp\D7D.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| PID 1848 set thread context of 4144 | N/A | C:\Users\Admin\AppData\Local\Temp\35B9.exe | C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\225F.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\system32\msinfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | C:\Windows\system32\msinfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | C:\Windows\system32\msinfo32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease | C:\Windows\system32\msinfo32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease | C:\Windows\system32\msinfo32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\IESettingSync | N/A | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | N/A | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\msinfo32.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EAB2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe
"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\90B7.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\BA77.exe
C:\Users\Admin\AppData\Local\Temp\BA77.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\DDDF.exe
C:\Users\Admin\AppData\Local\Temp\DDDF.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E264.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\EAB2.exe
C:\Users\Admin\AppData\Local\Temp\EAB2.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\EAB2.exe
"C:\Users\Admin\AppData\Local\Temp\EAB2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\D7D.exe
C:\Users\Admin\AppData\Local\Temp\D7D.exe
C:\Users\Admin\AppData\Local\Temp\1658.exe
C:\Users\Admin\AppData\Local\Temp\1658.exe
C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp
"C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp" /SL5="$A0048,4363644,54272,C:\Users\Admin\AppData\Local\Temp\1658.exe"
C:\Users\Admin\AppData\Local\WBoot\wboot.exe
"C:\Users\Admin\AppData\Local\WBoot\wboot.exe" -i
C:\Users\Admin\AppData\Local\WBoot\wboot.exe
"C:\Users\Admin\AppData\Local\WBoot\wboot.exe" -s
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Users\Admin\AppData\Local\Temp\225F.exe
C:\Users\Admin\AppData\Local\Temp\225F.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4004 -ip 4004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 784
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\35B9.exe
C:\Users\Admin\AppData\Local\Temp\35B9.exe
C:\Windows\system32\msinfo32.exe
"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\LockUndo.nfo"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4152 -ip 4152
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4152 -ip 4152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 420
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\90B7.bat
C:\Users\Admin\AppData\Local\Temp\BA77.exe
C:\Users\Admin\AppData\Local\Temp\DDDF.exe
C:\Users\Admin\AppData\Local\Temp\EAB2.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phf50y3i.5ga.ps1
C:\Users\Admin\AppData\Local\Temp\D7D.exe
C:\Users\Admin\AppData\Local\Temp\D7D.exe
C:\Users\Admin\AppData\Local\Temp\1658.exe
C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp
C:\Users\Admin\AppData\Local\Temp\is-BU8OO.tmp\_isetup\_iscrypt.dll
C:\Users\Admin\AppData\Local\Temp\is-BU8OO.tmp\_isetup\_isdecmp.dll
C:\Users\Admin\AppData\Local\WBoot\wboot.exe
C:\Users\Admin\AppData\Local\Temp\225F.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Users\Admin\AppData\Local\Temp\35B9.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
C:\Windows\windefender.exe