Malware Analysis Report

2024-11-15 06:15

Sample ID 240224-s2555sge7w
Target 6958ACC382E71103A0B83D20BBBB37D2.exe
SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Tags dcrat glupteba lumma redline rhadamanthys smokeloader socks5systemz zgrat stone island tfd5 backdoor botnet discovery dropper evasion infostealer loader persistence rat rootkit stealer trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164

Threat Level: Known bad

The file 6958ACC382E71103A0B83D20BBBB37D2.exe was found to be: Known bad.

Malicious Activity Summary

dcrat glupteba lumma redline rhadamanthys smokeloader socks5systemz zgrat stone island tfd5 backdoor botnet discovery dropper evasion infostealer loader persistence rat rootkit stealer trojan upx

RedLine payload

SmokeLoader

Glupteba payload

RedLine

Socks5Systemz

DcRat

Detect ZGRat V1

Lumma Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Rhadamanthys

Glupteba

ZGRat

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Unexpected DNS network traffic destination

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Unsigned PE

Program crash

Enumerates system info in registry

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-24 15:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 15:38

Reported

2024-02-24 15:47

Platform

win10v2004-20240221-en

Max time kernel

219s

Max time network

208s

Command Line

sihost.exe

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4152 created 2652 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\system32\sihost.exe

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\system32\msinfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs C:\Windows\system32\msinfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs C:\Windows\system32\msinfo32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease C:\Windows\system32\msinfo32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMinorRelease C:\Windows\system32\msinfo32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\IESettingSync N/A N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" N/A N/A
Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\msinfo32.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3388 wrote to memory of 5016 N/A N/A C:\Windows\system32\cmd.exe
PID 3388 wrote to memory of 5016 N/A N/A C:\Windows\system32\cmd.exe
PID 5016 wrote to memory of 3852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5016 wrote to memory of 3852 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3388 wrote to memory of 3592 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe
PID 3388 wrote to memory of 3592 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe
PID 3388 wrote to memory of 3592 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe
PID 3592 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3592 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3592 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3592 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3592 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3592 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3592 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3592 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3592 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\BA77.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3388 wrote to memory of 684 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDDF.exe
PID 3388 wrote to memory of 684 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDDF.exe
PID 3388 wrote to memory of 684 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDDF.exe
PID 3388 wrote to memory of 2352 N/A N/A C:\Windows\system32\cmd.exe
PID 3388 wrote to memory of 2352 N/A N/A C:\Windows\system32\cmd.exe
PID 2352 wrote to memory of 536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2352 wrote to memory of 536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3388 wrote to memory of 1352 N/A N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe
PID 3388 wrote to memory of 1352 N/A N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe
PID 3388 wrote to memory of 1352 N/A N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe
PID 1352 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1352 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1352 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 400 N/A N/A C:\Users\Admin\AppData\Local\Temp\D7D.exe
PID 3388 wrote to memory of 400 N/A N/A C:\Users\Admin\AppData\Local\Temp\D7D.exe
PID 3388 wrote to memory of 400 N/A N/A C:\Users\Admin\AppData\Local\Temp\D7D.exe
PID 3388 wrote to memory of 4848 N/A N/A C:\Users\Admin\AppData\Local\Temp\1658.exe
PID 3388 wrote to memory of 4848 N/A N/A C:\Users\Admin\AppData\Local\Temp\1658.exe
PID 3388 wrote to memory of 4848 N/A N/A C:\Users\Admin\AppData\Local\Temp\1658.exe
PID 4848 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\1658.exe C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp
PID 4848 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\1658.exe C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp
PID 4848 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\1658.exe C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp
PID 3964 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp C:\Users\Admin\AppData\Local\WBoot\wboot.exe
PID 3964 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp C:\Users\Admin\AppData\Local\WBoot\wboot.exe
PID 3964 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp C:\Users\Admin\AppData\Local\WBoot\wboot.exe
PID 3964 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp C:\Users\Admin\AppData\Local\WBoot\wboot.exe
PID 3964 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp C:\Users\Admin\AppData\Local\WBoot\wboot.exe
PID 3964 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp C:\Users\Admin\AppData\Local\WBoot\wboot.exe
PID 3388 wrote to memory of 5068 N/A N/A C:\Windows\system32\taskmgr.exe
PID 3388 wrote to memory of 5068 N/A N/A C:\Windows\system32\taskmgr.exe
PID 3388 wrote to memory of 4004 N/A N/A C:\Users\Admin\AppData\Local\Temp\225F.exe
PID 3388 wrote to memory of 4004 N/A N/A C:\Users\Admin\AppData\Local\Temp\225F.exe
PID 3388 wrote to memory of 4004 N/A N/A C:\Users\Admin\AppData\Local\Temp\225F.exe
PID 3412 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\system32\cmd.exe
PID 3412 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2128 wrote to memory of 3484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3412 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3412 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3388 wrote to memory of 1848 N/A N/A C:\Users\Admin\AppData\Local\Temp\35B9.exe
PID 3388 wrote to memory of 1848 N/A N/A C:\Users\Admin\AppData\Local\Temp\35B9.exe
PID 3388 wrote to memory of 384 N/A N/A C:\Windows\system32\msinfo32.exe
PID 3388 wrote to memory of 384 N/A N/A C:\Windows\system32\msinfo32.exe
PID 3412 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\EAB2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\90B7.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\BA77.exe

C:\Users\Admin\AppData\Local\Temp\BA77.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\DDDF.exe

C:\Users\Admin\AppData\Local\Temp\DDDF.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E264.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\EAB2.exe

C:\Users\Admin\AppData\Local\Temp\EAB2.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\EAB2.exe

"C:\Users\Admin\AppData\Local\Temp\EAB2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\D7D.exe

C:\Users\Admin\AppData\Local\Temp\D7D.exe

C:\Users\Admin\AppData\Local\Temp\1658.exe

C:\Users\Admin\AppData\Local\Temp\1658.exe

C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp

"C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp" /SL5="$A0048,4363644,54272,C:\Users\Admin\AppData\Local\Temp\1658.exe"

C:\Users\Admin\AppData\Local\WBoot\wboot.exe

"C:\Users\Admin\AppData\Local\WBoot\wboot.exe" -i

C:\Users\Admin\AppData\Local\WBoot\wboot.exe

"C:\Users\Admin\AppData\Local\WBoot\wboot.exe" -s

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\225F.exe

C:\Users\Admin\AppData\Local\Temp\225F.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4004 -ip 4004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 784

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\35B9.exe

C:\Users\Admin\AppData\Local\Temp\35B9.exe

C:\Windows\system32\msinfo32.exe

"C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\LockUndo.nfo"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4152 -ip 4152

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4152 -ip 4152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 420

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

memory/1648-1-0x0000000000660000-0x0000000000760000-memory.dmp

memory/1648-2-0x0000000002190000-0x000000000219B000-memory.dmp

memory/1648-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3388-4-0x0000000002720000-0x0000000002736000-memory.dmp

memory/1648-5-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\90B7.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\BA77.exe

MD5 b196aee0a5e061fef0df919c7218d8f6
SHA1 c3e0cb601429a22ee3d636a21344c6d58b56b1c3
SHA256 4010a68d26a450fc9ad24a82d72c10483690f67b3d9a592a156c0a6942f1169d
SHA512 2f5b631f2b0604720d3451c4470e9bedaf74a50a60918bd1a154470ed16ac2b07989894646663e75147c1930aa0df22d634358b5334615408607e253cced39f3

memory/3592-20-0x0000000000810000-0x0000000000860000-memory.dmp

memory/3592-21-0x0000000075080000-0x0000000075830000-memory.dmp

memory/3676-24-0x0000000000400000-0x0000000000449000-memory.dmp

memory/3676-27-0x0000000000400000-0x0000000000449000-memory.dmp

memory/3592-29-0x0000000075080000-0x0000000075830000-memory.dmp

memory/3676-31-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/3592-30-0x0000000002D00000-0x0000000004D00000-memory.dmp

memory/3676-32-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/3676-33-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/3676-34-0x0000000000400000-0x0000000000449000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDF.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/684-39-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/684-40-0x0000000000660000-0x0000000000F0F000-memory.dmp

memory/684-41-0x0000000000660000-0x0000000000F0F000-memory.dmp

memory/684-44-0x0000000000600000-0x0000000000632000-memory.dmp

memory/684-48-0x0000000000600000-0x0000000000632000-memory.dmp

memory/684-47-0x0000000000600000-0x0000000000632000-memory.dmp

memory/684-46-0x0000000000600000-0x0000000000632000-memory.dmp

memory/684-45-0x0000000000600000-0x0000000000632000-memory.dmp

memory/684-43-0x0000000000600000-0x0000000000632000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EAB2.exe

MD5 4c02b2e8beed76dd1a09a9ca69b42806
SHA1 7f4d8f16967bffb93f710a13efcb231f53aa3c14
SHA256 8e48cec9553839ea44224077e839cada345493c42a0d03607e85857462df89bb
SHA512 899a70afcf0f83e1d370547b8d96c4fc40aa10257d6ae1de8e8bcdf4ef56e7e2eca705230e9a87bcfd3b43ffe043193b13cc233a8c09ad95335529ecf81e4225

memory/3592-58-0x0000000002D00000-0x0000000004D00000-memory.dmp

memory/1352-59-0x0000000004E30000-0x0000000005235000-memory.dmp

memory/1352-60-0x0000000000400000-0x0000000003122000-memory.dmp

memory/1352-61-0x0000000005240000-0x0000000005B2B000-memory.dmp

memory/1552-63-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/1552-64-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/1552-65-0x0000000005190000-0x00000000057B8000-memory.dmp

memory/1552-66-0x0000000004B50000-0x0000000004B60000-memory.dmp

memory/1552-62-0x0000000004A20000-0x0000000004A56000-memory.dmp

memory/1552-67-0x0000000004F10000-0x0000000004F32000-memory.dmp

memory/1552-68-0x00000000050B0000-0x0000000005116000-memory.dmp

memory/684-74-0x0000000000660000-0x0000000000F0F000-memory.dmp

memory/1552-75-0x00000000059B0000-0x0000000005A16000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phf50y3i.5ga.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1552-76-0x0000000005A20000-0x0000000005D74000-memory.dmp

memory/1552-81-0x0000000006010000-0x000000000602E000-memory.dmp

memory/1552-82-0x0000000006030000-0x000000000607C000-memory.dmp

memory/1552-83-0x0000000006540000-0x0000000006584000-memory.dmp

memory/1552-84-0x0000000007130000-0x00000000071A6000-memory.dmp

memory/1552-85-0x0000000007A30000-0x00000000080AA000-memory.dmp

memory/1552-86-0x00000000073D0000-0x00000000073EA000-memory.dmp

memory/684-87-0x0000000000660000-0x0000000000F0F000-memory.dmp

memory/1552-89-0x0000000007580000-0x00000000075B2000-memory.dmp

memory/1552-90-0x00000000706F0000-0x000000007073C000-memory.dmp

memory/1552-88-0x000000007F810000-0x000000007F820000-memory.dmp

memory/1552-91-0x0000000070E60000-0x00000000711B4000-memory.dmp

memory/1552-101-0x00000000075C0000-0x00000000075DE000-memory.dmp

memory/1552-102-0x00000000075E0000-0x0000000007683000-memory.dmp

memory/1552-103-0x00000000076D0000-0x00000000076DA000-memory.dmp

memory/1552-104-0x0000000007790000-0x0000000007826000-memory.dmp

memory/1552-105-0x00000000076F0000-0x0000000007701000-memory.dmp

memory/1552-106-0x0000000007730000-0x000000000773E000-memory.dmp

memory/1552-107-0x0000000007740000-0x0000000007754000-memory.dmp

memory/1552-108-0x0000000007830000-0x000000000784A000-memory.dmp

memory/1552-109-0x0000000007770000-0x0000000007778000-memory.dmp

memory/1552-112-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/3412-115-0x0000000004F40000-0x000000000533F000-memory.dmp

memory/3412-116-0x0000000005340000-0x0000000005C2B000-memory.dmp

memory/1352-117-0x0000000004E30000-0x0000000005235000-memory.dmp

memory/1352-118-0x0000000000400000-0x0000000003122000-memory.dmp

memory/3412-119-0x0000000000400000-0x0000000003122000-memory.dmp

memory/2656-120-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/2656-121-0x00000000049A0000-0x00000000049B0000-memory.dmp

memory/2656-122-0x0000000074840000-0x0000000074FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D7D.exe

MD5 5be46aeeae3571f97010a6599658e8f7
SHA1 a9930f8dc10343e922e66b4cd3cd89f27ce45564
SHA256 4fc23d261873d255f0c86d3460c83099cefa03cc6bfd3505b5119c5b931b9665
SHA512 fcc27a88410f15b19b0349fb1efcae1bf077cb50afd2dc038dbdccf828379e4b823ee87d272d93b5af3cffff3fff83e08f3067b30de200ec4f32ed4254bf43e6

memory/2656-133-0x0000000005A40000-0x0000000005D94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D7D.exe

MD5 c216c91b76de2935dfbaaebb91510caa
SHA1 3315a9876db6acdf38f80746d6c5e2369d55e3d8
SHA256 c2c32ae662c78fff27c1002d69bd21c64a4934b2f7946fa2d0cf66343dbd2a4d
SHA512 49fd59e0c7cadde5254d3c054d7cf0e68f9a2197e056fe116da4cfcf92bf3957d997cbae0c137ae0995c1b6de92b4f03365d1d0905fb62ddd5e45026098f20f0

memory/400-138-0x0000000074840000-0x0000000074FF0000-memory.dmp

memory/400-137-0x0000000000360000-0x00000000009E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1658.exe

MD5 8ae7cc1ef4f1d40c7c9971da4057c3e0
SHA1 07727c3a24c7535000bd223e7c8fe8e4e749b418
SHA256 61e3cd393587fb708017b9bd103dbdef9817e07daefb727164a5532ae3775445
SHA512 a0d7a3c33d8e266d410cb4db4e10d3679c8a9c2eb8a9ed144c3c6ae92dd7a35eb3d03c6c633bcb240121298cdb7f20d41c07b2e42e2b6eb28154804f47cd4a9f

memory/4848-146-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-K882O.tmp\1658.tmp

MD5 68b5435b6618aa82640eb05ba06ffc63
SHA1 c9ce956e7fe6ad5bb127acad6ec8bbde2dccefa4
SHA256 b38061ac87265174e7a4799555a51305351de9c8b1f420d6765914085699a2c5
SHA512 95bd4fe5bca104ddf50e4b5933f9dc6f3b07a2c8d7b2b1779f4dc6a578b264bbb2ab4c12b9fa85b7971e73df3b476c0a5d15e8abb554d1446d58c3a835734b13

C:\Users\Admin\AppData\Local\Temp\is-BU8OO.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-BU8OO.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\WBoot\wboot.exe

MD5 a806fbd7a2cbbc2205fa9ab2a1a7dd9d
SHA1 f793166c313738fad2f82e28664834b5993bbdae
SHA256 117b52c92dde952b53484ffda2ebaeab3879c4cd8c900673512aaf7251c55f64
SHA512 0b7475fc32fd26778674082b626ba659ff8988d9294cdb3df770e59559d96f097ad79da6b17e4996f054f5e4f8c1192a653b852760455e6cede71920e591d659

memory/2908-224-0x0000000000400000-0x000000000078F000-memory.dmp

memory/2908-227-0x0000000000400000-0x000000000078F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\225F.exe

MD5 3172411985e2fb51fd76d31bc7667eef
SHA1 0f52ec3d4c9f4fe8fdc5f2646faf2d0dff6f57fd
SHA256 255f64836d162c0b164d8abc069a6c481a2e50263c2e0c9d753ad899303663ff
SHA512 960bcdad82956cb5f0bbaab1caf6665802a5bd495fed182532bdba8d043d83a1ed04240cffbadcad0165376dbe51b74cde49e44cb9db434e9a5f56af47c8461e

memory/4004-238-0x0000000000710000-0x0000000000760000-memory.dmp

memory/5068-249-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

memory/5068-250-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

memory/5068-251-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

memory/5068-256-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

memory/5068-255-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

memory/5068-257-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

memory/5068-258-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

memory/5068-261-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

memory/5068-260-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

memory/5068-259-0x0000018C29A20000-0x0000018C29A21000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8b236b5f8ee67ef898fbd47c6259aabe
SHA1 e549394a6d5332561a71a6a356f32f34b100b6a9
SHA256 a74b6f3025017c202f6757b54db7212b0caec0ed72d6a59e7fa9ee0b404a1020
SHA512 ddb15159dc340b1e4139c4b1276bae68245ecdef39cfb23ec02dd1dfe95a7c22c27a4d5a910d1f149794682d0924769cb9640a93a0f04ffc250de321ac8eb9c1

memory/3412-281-0x0000000000400000-0x0000000003122000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35B9.exe

MD5 450039a02217c53bd983eaf1fd34505a
SHA1 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256 d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512 cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

memory/3964-320-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

C:\Windows\windefender.exe
