Analysis Overview
SHA256
7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
Threat Level: Known bad
The file 0b31dc8d9eeaa4a6803873a6c1380c72.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba
Detect Vidar Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
DcRat
Detected Djvu ransomware
Rhadamanthys
Detect ZGRat V1
Djvu Ransomware
Glupteba payload
Vidar
Lumma Stealer
Windows security bypass
ZGRat
Modifies boot configuration data using bcdedit
Drops file in Drivers directory
Modifies Windows Firewall
Disables Task Manager via registry modification
Downloads MZ/PE file
Possible attempt to disable PatchGuard
UPX packed file
Executes dropped EXE
Modifies file permissions
Checks computer location settings
Loads dropped DLL
Windows security modification
Deletes itself
Manipulates WinMonFS driver.
Checks installed software on the system
Looks up external IP address via web service
Manipulates WinMon driver.
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
Uses Task Scheduler COM API
Modifies registry key
Creates scheduled task(s)
Checks SCSI registry key(s)
Modifies system certificate store
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-25 22:45
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-25 22:45
Reported
2024-02-25 22:48
Platform
win7-20240215-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1cf4e57f-32c3-4019-88f0-dbc6891395db\\84BB.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\84BB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C851.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
ZGRat
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\C851.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1cf4e57f-32c3-4019-88f0-dbc6891395db\\84BB.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\84BB.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2648 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\84BB.exe | C:\Users\Admin\AppData\Local\Temp\84BB.exe |
| PID 2972 set thread context of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\84BB.exe | C:\Users\Admin\AppData\Local\Temp\84BB.exe |
| PID 2244 set thread context of 2284 | N/A | C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe | C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe |
| PID 788 set thread context of 1508 | N/A | C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe | C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe |
| PID 2760 set thread context of 2000 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| PID 1248 set thread context of 2008 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe | C:\containerProviderhost\runtimenetSvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\de-DE\6cb0b6c459d5d3 | C:\containerProviderhost\runtimenetSvc.exe | N/A |
| File created | C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe | C:\containerProviderhost\runtimenetSvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240225224649.cab | C:\Windows\system32\makecab.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Speech\Common\en-US\cmd.exe | C:\containerProviderhost\runtimenetSvc.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-382 = "South Africa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a441400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a319000000010000001000000014c3bd3549ee225aece13734ad8ca0b82000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C851.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\containerProviderhost\runtimenetSvc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\containerProviderhost\services.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe
"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\6E2E.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\84BB.exe
C:\Users\Admin\AppData\Local\Temp\84BB.exe
C:\Users\Admin\AppData\Local\Temp\84BB.exe
C:\Users\Admin\AppData\Local\Temp\84BB.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\1cf4e57f-32c3-4019-88f0-dbc6891395db" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\84BB.exe
"C:\Users\Admin\AppData\Local\Temp\84BB.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\84BB.exe
"C:\Users\Admin\AppData\Local\Temp\84BB.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
"C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe"
C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
"C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe"
C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
"C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe"
C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
"C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 1456
C:\Users\Admin\AppData\Local\Temp\B8D6.exe
C:\Users\Admin\AppData\Local\Temp\B8D6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 124
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\BD88.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\C851.exe
C:\Users\Admin\AppData\Local\Temp\C851.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240225224649.log C:\Windows\Logs\CBS\CbsPersist_20240225224649.cab
C:\Users\Admin\AppData\Local\Temp\C851.exe
"C:\Users\Admin\AppData\Local\Temp\C851.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\AppData\Local\Temp\DE51.exe
C:\Users\Admin\AppData\Local\Temp\DE51.exe
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\EDE2.exe
C:\Users\Admin\AppData\Local\Temp\EDE2.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {7FE3199C-699E-4998-9CDF-A768539BA244} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\2F75.exe
C:\Users\Admin\AppData\Local\Temp\2F75.exe
C:\Users\Admin\AppData\Local\Temp\34C3.exe
C:\Users\Admin\AppData\Local\Temp\34C3.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 564
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\containerProviderhost\SSJnjC24t.bat" "
C:\containerProviderhost\runtimenetSvc.exe
"C:\containerProviderhost/runtimenetSvc.exe"
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CCTxfaFxh3.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\containerProviderhost\services.exe
"C:\containerProviderhost\services.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 564
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 211.119.84.112:80 | brusuax.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| KR | 211.119.84.112:80 | brusuax.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| AR | 190.224.203.37:80 | habrafa.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| AR | 190.224.203.37:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 23.214.154.77:443 | steamcommunity.com | tcp |
| FI | 65.109.172.49:443 | 65.109.172.49 | tcp |
| FI | 65.109.172.49:443 | 65.109.172.49 | tcp |
| FI | 65.109.172.49:443 | 65.109.172.49 | tcp |
| FI | 65.109.172.49:443 | 65.109.172.49 | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | mahta-netwotk.click | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | trypokemon.com | udp |
| US | 104.21.51.193:443 | trypokemon.com | tcp |
| US | 8.8.8.8:53 | loftproper.com | udp |
| US | 104.21.11.77:443 | loftproper.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 172.67.192.62:443 | valowaves.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 5a371fb2-b800-4e2a-8b52-a44f9fc24242.uuid.createupdate.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| TR | 185.50.70.125:443 | tcp | |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| NL | 80.85.246.217:80 | 80.85.246.217 | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | server8.createupdate.org | udp |
| US | 8.8.8.8:53 | stun3.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| BG | 185.82.216.104:443 | server8.createupdate.org | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| IT | 142.251.27.127:19302 | stun3.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| NL | 80.85.246.217:80 | 80.85.246.217 | tcp |
| NL | 80.85.246.217:80 | 80.85.246.217 | tcp |
| BG | 185.82.216.104:443 | server8.createupdate.org | tcp |
Files
memory/2932-1-0x0000000000230000-0x0000000000330000-memory.dmp
memory/2932-2-0x00000000003B0000-0x00000000003BB000-memory.dmp
memory/2932-3-0x0000000000400000-0x0000000002BE0000-memory.dmp
memory/1256-4-0x0000000002510000-0x0000000002526000-memory.dmp
memory/2932-5-0x0000000000400000-0x0000000002BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6E2E.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\84BB.exe
| MD5 | 3d196de47911047d26c003e31a878038 |
| SHA1 | c368e8a2dacb6c322064f7f2aeb0b3cbcb274cd9 |
| SHA256 | 19b9c4e7ba38960b14cf6557c7b6b7989009f0a7e368f1936050d1606c4cfc4a |
| SHA512 | 30871d6b7a9d94a602f21a6f5325f017c735db491351b64d9044b497c0f2d1cd8f0988857a358f29e077047ab5800a6384a2aa2ab17a539c2092d8828e87581b |
memory/2648-26-0x0000000000330000-0x00000000003C1000-memory.dmp
memory/2648-27-0x0000000000330000-0x00000000003C1000-memory.dmp
memory/2940-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2648-30-0x00000000034E0000-0x00000000035FB000-memory.dmp
memory/2940-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2648-36-0x0000000000330000-0x00000000003C1000-memory.dmp
memory/2940-37-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2940-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2940-61-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2972-63-0x0000000001B20000-0x0000000001BB1000-memory.dmp
memory/2972-64-0x0000000001B20000-0x0000000001BB1000-memory.dmp
memory/1952-71-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1952-72-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 610f387cecd6b98e4abcb72626ee7d13 |
| SHA1 | 791f01f69d1e025c15660cc87c6a2d332c16d1c7 |
| SHA256 | dd9c87c9d210b8dcb6f9d2b897c11b0a480b955a0aeaf4bb9b661f1bdc0604d1 |
| SHA512 | 97d58a6504e70c4ceb4f255c6327d076b8ffc017945a9a8474f1ece483a5326d572ef13d6e4e5ba6bc2dba4b9575f99085ca2af2dbabc375f6bf0e8bef554858 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 03fa66209b4cb101cc0ca864da3d5487 |
| SHA1 | 9b794bb5ad8c9b3110e47a8523fe9fe852de97a2 |
| SHA256 | bc77e3b84899b3f13f5fc75cc7f619a907504455937106d7e824920d6b0108d9 |
| SHA512 | 1449a85046331be1ae0d416d3cb519f9ae69d3c050b22b1174664ccfb4c7e8cab2bfb7b0352099bc3de10abfd9f5f5b84f947dedaa86dd79a7e81674092469c2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | ee838a25e9da12e2a5819cc7e940d21e |
| SHA1 | 2f6c9e7c286639e8a02f5c77089da35d03d2bc39 |
| SHA256 | 1b3833124a22415acee38345934fe8c65f17ec48b4d254388b11d30915823555 |
| SHA512 | f8f4e6705c009a7e3940e6e91b16726c649d67fcf7a45e0d1b02d8263ca52a1b21ed11f646dc7d23a87a7a3791688817914e86e1a44745bf16ced580e11b2d16 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9ebb75a2ee551a4cd3b5b7b39c3a8314 |
| SHA1 | 9396c3710604e25efec53cdb48e4bebdc2ddbe62 |
| SHA256 | 360d2ca65d4ff9c142c2bc0d1f7814c9847405f150a8e5cb8a2814bb6fac732c |
| SHA512 | 59854413e16a2480828c6fab0012652eb177d66d29a93fab1df8496d455686cb52ee3e6f0c759e151417b656d9466623b5382d2a81e269475d437032d7b7dd1f |
C:\Users\Admin\AppData\Local\Temp\Cab8C0A.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/1952-87-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1952-88-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1952-92-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1952-94-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1952-95-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1952-96-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build2.exe
| MD5 | c6d3d647baad8a5b93b81d2487f4f072 |
| SHA1 | e9c1105dc41f85d4f7e94d4e004f8427787c8802 |
| SHA256 | 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a |
| SHA512 | 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049 |
memory/2244-112-0x0000000000470000-0x00000000004A6000-memory.dmp
memory/2244-111-0x0000000000280000-0x0000000000380000-memory.dmp
memory/2284-110-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2284-114-0x0000000000400000-0x0000000000649000-memory.dmp
memory/2284-117-0x0000000000400000-0x0000000000649000-memory.dmp
memory/2284-118-0x0000000000400000-0x0000000000649000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarA67D.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
\Users\Admin\AppData\Local\786baa0e-1ea1-4bad-9bae-da8e1c27e104\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1952-177-0x0000000000400000-0x0000000000537000-memory.dmp
memory/788-227-0x0000000000C50000-0x0000000000D50000-memory.dmp
memory/788-228-0x0000000000220000-0x0000000000224000-memory.dmp
memory/1508-239-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1508-242-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1508-244-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1508-245-0x0000000000410000-0x0000000000477000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B8D6.exe
| MD5 | 0904e849f8483792ef67991619ece915 |
| SHA1 | 58d04535efa58effb3c5ed53a2462aa96d676b79 |
| SHA256 | fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef |
| SHA512 | 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5 |
memory/2544-275-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2544-277-0x0000000000ED0000-0x000000000177F000-memory.dmp
memory/2544-280-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2544-278-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2544-283-0x0000000077260000-0x0000000077261000-memory.dmp
memory/2544-284-0x0000000000190000-0x0000000000191000-memory.dmp
\Users\Admin\AppData\Local\Temp\B8D6.exe
| MD5 | 91044e59972a50c139e40982ecd634a4 |
| SHA1 | 36670182a5166f591780b98bedbef83bcac94950 |
| SHA256 | 7285d2b17ba50b7cce109b7699f0cdcdd6adc900db2bc2279e751beb06bbb2b7 |
| SHA512 | 93bc7fbf61afc7c42c1df62d59ed56e73eee4e06d518575633633211ede84be4f29afe240e417a2ca67a3fa5a26214d403d42257f1e612e24d40bea0803cfabc |
\Users\Admin\AppData\Local\Temp\B8D6.exe
| MD5 | 16d54f0d49c41790e1d265bc7452791a |
| SHA1 | 4f970896c8be729497106eac5c163321f1ba03f5 |
| SHA256 | 20554829d97eb199a690636c1646ef1cbbc6ca93b078f5eae8a1c284b98d6a40 |
| SHA512 | ca121507f2833d31405201ef320fc5aa969d02e17fd754c7b6b088be102dcf38141e39a7f5f9ada76b6a9cc015cd6126145b9cdf7c6380d065e84a72085f32e9 |
\Users\Admin\AppData\Local\Temp\B8D6.exe
| MD5 | 452d723c71b94983947183117a818966 |
| SHA1 | 4b2fc7a2d747355eabb97da3988e7daccf942933 |
| SHA256 | b26f5d92a5a9761ca3f6935b55716e97ac3d59c31672b94660e52f74b2a043f6 |
| SHA512 | 8c5f575e163eba6caecd6dc4062eca95756b46be6949910666ab0875f2f8fe4a4b8bf3d46213633d12bc8b44bac7a38598a5abd68c049dda713165bb46659558 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ad6566517eb3e9171d634756fbf3b078 |
| SHA1 | 78705160e78e929c0e09232faa819175a1063c87 |
| SHA256 | a99f05d8aca8b5c545166628141a585021bc5275d4686eb2ac03a7445df5edb4 |
| SHA512 | 3d42510ccc7a3b144da47849943f4a89f02ad28da6e733ecce52893dfe973329097ccc618b681c7c6e059b0a4bc4db0032d282e4e181f18b659f68c5b17c23c0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b2435d7a3ab468fc33970264424b92ab |
| SHA1 | cd48c08aa31ae033e1ed796770296caa664f29c1 |
| SHA256 | d390ce7bfe6923bb7a45110c217ddffd4b8bd09606e72a1d6ed672d95c0cfa20 |
| SHA512 | 5d90246fe4ca8d1fccd072a6a35e7dec288e9a8e71adac9e6f25f38aa360041fe0237e1572a82d0c6fd6924aeb38d5e88d372faf41f0d0b3420653792a0b973b |
C:\Users\Admin\AppData\Local\Temp\C851.exe
| MD5 | ae508ddc1d7aa4458eee2e5d0589d309 |
| SHA1 | 40d76a78c2233779b2ae684c3d514ad01a3f6243 |
| SHA256 | 5bd900c94124ecfacb040aa8a991715591808e22e71ff15b11935b02db6e4b9d |
| SHA512 | 36510d03a35975e612944c859fda03a4f10d6dd1292d654dacb7a0d3e1ad5e86407e9339aea03d855c666d21a0f67035323ecdda6aeaffce5d7d81c52fee1d56 |
C:\Users\Admin\AppData\Local\Temp\C851.exe
| MD5 | c4cd2dabf6fe55752749ff664f9f9820 |
| SHA1 | b999a991aa6013a1cfe8d0bf5ee3e7ccd79012c9 |
| SHA256 | ecf58130e5f5905c6ab24345d42aa8ebf185bc45452fe9c93941d774d1d56c2e |
| SHA512 | a2b64bbf37b291dbe3937100d228851024b44a953e91de6fedf1636dcaba7b4c02bcbd33fa21f0ce9fbdfde75a14893501ba583b0ddca0dce6968e67af5b6936 |
memory/2812-365-0x0000000003700000-0x0000000003AF8000-memory.dmp
memory/2284-366-0x0000000000400000-0x0000000000649000-memory.dmp
memory/2812-367-0x0000000003700000-0x0000000003AF8000-memory.dmp
memory/2812-368-0x0000000003B00000-0x00000000043EB000-memory.dmp
memory/2812-369-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C851.exe
| MD5 | e2809f14a2f6abe51e7c3a9358b45320 |
| SHA1 | 6c5e3bd8c078a1dc6cc36e8357ecd61ecb1ed879 |
| SHA256 | 2496048773f210ec237d6559b673c29375537de6b1c7afc04157f4521b9945ae |
| SHA512 | f5fbefba490e94d8bf3276a6fa964fd368a30c43fa9751c39d4ed14caa74eed17181c90f841442e3ec9800a36a80475557276cf20ae34a1b9f5e0d9e5614d9a9 |
C:\Users\Admin\AppData\Local\Temp\C851.exe
| MD5 | 3ab209ecb992b40aed1e8302dccc40e3 |
| SHA1 | 68fe47da7d354cda05d4c013211a85a585501e11 |
| SHA256 | dccd5f02946183688b6e2158588eb3854b56cc5b60fc03af8eadb66e005d36b9 |
| SHA512 | 1bee2fbd894ce760cd86a9c27c1ff035c84e9196ca417521b902688b86ae1b796738a0184183ab7b9f7f74189ca380f19965d1b9fa6fd153f4a6c19d1f5d230c |
memory/1088-372-0x0000000003870000-0x0000000003C68000-memory.dmp
memory/2812-373-0x0000000000400000-0x0000000001E0D000-memory.dmp
memory/1088-374-0x0000000003870000-0x0000000003C68000-memory.dmp
memory/1088-375-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DE51.exe
| MD5 | 41078ddcc4883c53b851fb092bcb79e1 |
| SHA1 | 6370138391cc217a6b735ca2c1025d0382841a8e |
| SHA256 | 3d43f5bf00ff3e51dc4ccbc86bf0536859ea6db02b08097d6fe243405cb8d87a |
| SHA512 | a5e9c66a734896ff3a08b2b791fe4463dff945a244a486fb0db67f899f283bde0fc5682dc324b0065e7679781bf7c09b45f9cac332d5b5356c2834535f84dce3 |
\Users\Admin\AppData\Local\Temp\DE51.exe
| MD5 | c617562971e5552332875f43dae92533 |
| SHA1 | 92d2950d251b21da4b5a857b16f062f77179d296 |
| SHA256 | 132f86e54a7ed28ca3d12789924a03770382eabc5f2ddbf8a72349b4b7e2453f |
| SHA512 | 0325463290224213cce0fd1b8488df105b3846a0ca177e9a3a809c9c2d10f200ecee93e1c2662cf532388f705808ea93ed76df98a82cbb31936801b5654b6208 |
memory/1568-381-0x000000013FDD0000-0x0000000140A32000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | e06990f0d06b7d15911516f269e3a6ba |
| SHA1 | ad6a54f561cf5bd104102d633563099583b85955 |
| SHA256 | 8064f14de52225193e4beeb67bba22f365326f8e75c821418652f03c9485036a |
| SHA512 | 43b2cb09e0760dd3012738828607ca0a817cb3b5f88be68ed57d8e4c58cbfd15a393cc6686297591efc8305b6e480360017dfc2b540db81c0f3328900cdd1b58 |
memory/1624-390-0x0000000003880000-0x0000000003C78000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 0bccade864c0d26ce69bb20b4078cc7e |
| SHA1 | 07100885604cfae2503a7bbf45d1c1b9cefdc793 |
| SHA256 | c33f6fada92bd7d7987696dfbe0967a2d6d290bbb8ea39eea385f3b8b93dd0eb |
| SHA512 | 4802d4cdf9f7bb2c77b1ff87e393886583b45b96c5783faa438a7fbd599df5076101c992c81823cfdd678458714a62daaa5df7a3b0d4d11235d85f2fdc13c7ea |
\Windows\rss\csrss.exe
| MD5 | 9f34c2e370064241cedad4c516d45abb |
| SHA1 | e46153375c4f9d022835808bc22a9830d3c49a40 |
| SHA256 | 5c6e0a903792ccd74f468357295e4ba7e523c1ff4b4ea425b84681cc725ad805 |
| SHA512 | 23cee66a628ee3ea2262aaae1f9486d002e04ccdc21311fd5543441a0ee62c9a5bf2a67a6e45434509b2c29ce902a88b2805297a15a3a9af16aee69cfec288cf |
memory/1624-392-0x0000000003880000-0x0000000003C78000-memory.dmp
memory/1088-391-0x0000000000400000-0x0000000001E0D000-memory.dmp
memory/1624-393-0x0000000003C80000-0x000000000456B000-memory.dmp
memory/2544-394-0x0000000000ED0000-0x000000000177F000-memory.dmp
memory/1624-395-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | b6189d36e70cbe35c31ed3868422625e |
| SHA1 | 6e3df2a994e44b3ab10f7a100d087a386517775e |
| SHA256 | 21e27a779afc78bf8dfa75b34a112b062bd522e29eba8ce5c3e43648c0ead0d8 |
| SHA512 | ce1e5d1a5909425695bedbe9597246782f469ec69d9b07c4a8459668e2471060f1859ebe1e8e86faef497e53325c4017188b963cfb35336c1dc908bebd096e7a |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 75cf9f6562ff34c3f0d52def91ea9749 |
| SHA1 | b07a693940408a71d9c958abe95b7146885788d7 |
| SHA256 | 25c73a2f36e8c76791011ad0793d78b55abe7c4559139c5d05185ff864bcc89b |
| SHA512 | b6848bc9263515b56e9c614fec192c22c13ab4dd92ca10c7de0bf41fd712c4068b19cda514bf27448c0ad3a24912d4ee74584a041c3a017fce1f4dcbfb9a8fc1 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | be81c865af1555afb8eebadc41ddd23d |
| SHA1 | 1b7c70c5993c853abd63ef0979c43d29e5af85b4 |
| SHA256 | 57a3a50b9879911442aa8288969013c4c4e58819ed6755144a3d184c3a0e5326 |
| SHA512 | f535655ad385bd8510a74ccffefde9686c1c3e62f5b09c6a6f1ff31fa62efd2bc01f7e05b440f4cf3ce9a67ef1cb1d9c0bf7f37cc9636dc0bd5720462e149b02 |
memory/2068-410-0x00000000005D0000-0x0000000000BB8000-memory.dmp
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | da4d522afbbd4bfd319233177d1d29a5 |
| SHA1 | 0763dafe8fc71605e47b2362d0ae9894c52918d0 |
| SHA256 | 50d491bb9335a9aca1ecff83423dd210555e63972e373dd7e55d372aaa20fcd1 |
| SHA512 | 3bdc8435f2f72c77000dce9fa753faad8f32fe2549c2b678b8d4b6126a6c7cc8a39161f987cfad83fd75b4a7d8b586382839b7021d3041e0743cedbd2da087ce |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ce8858719d79eed3452092ee81b11f57 |
| SHA1 | b39a7a679383ddfd742df2be9aaa8f266b996e89 |
| SHA256 | 2cdacbb582edb4e554d8a087946a7899b9b6d894249dee8cb93090a1637f5c20 |
| SHA512 | ceb3100ccdd39e90ac90c9d316b90a37ff10551f18ad67f3e311c820272c496cf371c1c2e760d7ece3c6ba28abbf9929a733dfba87de6c9918cc0db8d48db26e |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 0a6178814666c904769cb0f68e458af3 |
| SHA1 | e5382d19a1d27d64368cbf2225c8acf665cc7dd5 |
| SHA256 | 49e6370aa9cbf74ced549635578146197d2ac789094cc4d8eeb75c8ad027e850 |
| SHA512 | ca382921c45af4624adbc3f0e738899118e924afb4451a925aa17eaa5c6d374eae28ae9a72fadd39f1593cc39422885f855b3f04bdbbb5a4f9f9571ca72f83c0 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | c11e6f45c4ace36caad7e0fc37c29adc |
| SHA1 | 54f7e63f9f431653169c8737877a49dc3525802e |
| SHA256 | 037ba343cc3876e31e33834401d28c10f3ab0ef11d6157e0d965bca8f0b237fd |
| SHA512 | 33d71133bb7414f163cef6314d34f96735bb8ce41a31af98dc6eafbe398020fa669a82cda8a507c88505a8eddc6bbba2886940edaf67ca4d03fb5a5c2b70fe7a |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | e421a139e44cfa762f19f169856dce92 |
| SHA1 | a4c28ed01efd28b55d5ae4df38b9ee372c58a4d9 |
| SHA256 | eb9366f7df2c1b52e18bc26c62b858ce23f72fe6a1eb16e81bc7a950d0ca9d59 |
| SHA512 | c89746ab379e39d55b81cf6bb40be24198f55831549e4920fd965a5be1bc576c5a45feb6204226295dd31158997b6bc1e460fa1fb53ee8bbca26808164261518 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | fa5fe67bbf51720a1810a8c78ba98767 |
| SHA1 | 8caee866641a5f1f44e488929f3baa14baaf0816 |
| SHA256 | 515d636ba9a21819b512ca3ed1767fda2334b5cd7c854cc1a55f712104d32113 |
| SHA512 | 72880a5da5c838b0e26242dd8d12ea4dde40e551982223e598d655210f277996668f8e8259c9f18ea304007a0545ed2764582dc7c999e6fb1868fc56c0605f36 |
memory/2068-442-0x00000000007A0000-0x0000000000D88000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b11d6fd7ea686d12419300f2087b125e |
| SHA1 | d51f803ad9e34ddc59250ee1a383547207454c15 |
| SHA256 | 352b00f64ca7be1f4ae360b0e4555456c56c4bedea7c3f06f8a7435887dd4c7a |
| SHA512 | 528ce67df59c97c799a707e1e133d7ddee13ecb88424127b37f35e06bde6c1ed543776f4439860d2233107ac84b24705997fbe0c3916fc2871bbcf400fc010d7 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\EDE2.exe
| MD5 | 00e3f4882f137105fd422a68c1abedd2 |
| SHA1 | e95713020236e6dc1efedea5deff6680190572b5 |
| SHA256 | f54394470bb9a9688de3aacd78430ad27e63803d1968d0c6e65fb0a6ebe94620 |
| SHA512 | d37b053a536fbbe581611e71b9c2a2f6a345fd8ca308a360d4573f4a9d1500b614a02923cd3d1194305b430f790c4e644b16f2d415192b58ccd48fbaa0b7207f |
C:\Users\Admin\AppData\Local\Temp\EDE2.exe
| MD5 | 36903ff1f3ff595fa0f07a184f2b5c62 |
| SHA1 | 231f4500ee88f271024365da8d6f2e01f179968f |
| SHA256 | 9a5f9fa96d69e821725c4696328b745791448c4c81e69a93ff5085ab174a29d1 |
| SHA512 | 1607eecbaf48c0a5bb6c13210ca757857664f98dc18f8e78d66d49390ccaf86af9c31d6159d2bb8dfcce50f36b234c70f3accbf77682206c23e2bde1a71f0458 |
memory/2684-506-0x0000000000F80000-0x000000000152A000-memory.dmp
memory/2684-507-0x0000000072B30000-0x000000007321E000-memory.dmp
memory/2684-508-0x0000000005000000-0x0000000005040000-memory.dmp
memory/2760-528-0x0000000000890000-0x0000000000990000-memory.dmp
memory/1624-531-0x0000000003880000-0x0000000003C78000-memory.dmp
memory/1624-532-0x0000000000400000-0x0000000001E0D000-memory.dmp
memory/2068-537-0x00000000005D0000-0x0000000000BB8000-memory.dmp
memory/2684-540-0x0000000072B30000-0x000000007321E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2F75.exe
| MD5 | f9f0fd78f541e1427a1c531becb20aff |
| SHA1 | 5c881f95a2902af550ef160a0a1d8f52ca51f802 |
| SHA256 | d94196430230b97ab47ec68df839598c21a9996fe45580a95712be8d561ccaf2 |
| SHA512 | 6d39115a303fc9c69a2ba18d69438f346e7c4e546a43c41f7c3910f4e7ef13ee4f898826ed250aec77af2b70dc5a10eb81494efdcf33009c23e2829f05e30318 |
C:\Users\Admin\AppData\Local\Temp\2F75.exe
| MD5 | 1ac1efba731f3020e96754f2472ec55c |
| SHA1 | 43dc7ed8b3f4521b118f3deae27a249ce2fe582e |
| SHA256 | 2040989b03a916d23217ede49ec52652294eef5000140e4f9819ba164af6de8f |
| SHA512 | 3e9ebcf535bf9eaf92ce03605269e90a8c2a9c00b80c65681f7f5ab25d0abfac7deedd12043f2ab93bd289dc8244463997f7670ed2be69028d24287cd0e2abeb |
memory/1560-547-0x0000000001280000-0x00000000018D2000-memory.dmp
memory/2684-550-0x0000000005000000-0x0000000005040000-memory.dmp
memory/1560-549-0x0000000005050000-0x0000000005090000-memory.dmp
memory/1560-548-0x0000000072B30000-0x000000007321E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\34C3.exe
| MD5 | f987e9af00984e438d535ffbcee2c6ed |
| SHA1 | c11fed0146bb3927544fa4616caa2aaf38273253 |
| SHA256 | 336f07ff04674d30e651ea22fa3de86f0ca7f9588ffb73d2f7623f6016efd5db |
| SHA512 | d5f42a51caff69825485cee2c23fb09a456afadc505aeea8bdbef1186243f085dc3583792ed5995520b8d0710aaf417e58f7e20278266c138de2e4c849686b1d |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | e7db04d67a840dc680bcd3cb6f71ce1a |
| SHA1 | bb2c457d1b56eeedd242346baf85487b21f76ebc |
| SHA256 | 3c506e4cd2fb70ab2501011287489a936a950d89f6cefb9845f6310bcbde05b6 |
| SHA512 | a89e3afe09e27b124693e8c24cca1d6e13c664981a1ac0c5194a770d8480373db7d99f3a4514d1805a30a281559a017051de05e691784903df287242eca24c2f |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | b9f99ea071fccbb26ff2c02a6d20dd4a |
| SHA1 | 73468c2f9c19c09bcbedf7ae97e7665c623428e3 |
| SHA256 | c6aea7891b35e84fbaaf0c023da4c69fc5d37890a3333bff07992fffc38416d4 |
| SHA512 | d9a31c672e510f2367d0e8d8892de504cf18879f58effd2176876e5e9f953158cb8ee149865d50bf4d5df9e11b10069bf0787bc76b23dcd544625e83e34430fe |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
memory/1268-593-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2300-594-0x00000000002E0000-0x0000000000642000-memory.dmp
memory/2300-596-0x0000000000AB0000-0x0000000000AD6000-memory.dmp
memory/2300-598-0x0000000000A80000-0x0000000000A8E000-memory.dmp
memory/2300-600-0x0000000000A90000-0x0000000000AA0000-memory.dmp
memory/2300-602-0x0000000000AA0000-0x0000000000AB0000-memory.dmp
memory/2300-604-0x0000000000AE0000-0x0000000000AF0000-memory.dmp
memory/2300-606-0x0000000000AF0000-0x0000000000AFE000-memory.dmp
memory/2300-608-0x0000000002340000-0x000000000234E000-memory.dmp
memory/2300-610-0x00000000023F0000-0x0000000002402000-memory.dmp
memory/2300-612-0x00000000023D0000-0x00000000023E0000-memory.dmp
memory/2300-614-0x0000000002430000-0x0000000002446000-memory.dmp
memory/2300-616-0x0000000002550000-0x0000000002562000-memory.dmp
memory/2300-618-0x00000000023E0000-0x00000000023EE000-memory.dmp
memory/2300-620-0x0000000002410000-0x0000000002420000-memory.dmp
memory/2300-622-0x0000000002420000-0x0000000002430000-memory.dmp
memory/2300-624-0x000000001AE30000-0x000000001AE8A000-memory.dmp
memory/2300-626-0x0000000002570000-0x000000000257E000-memory.dmp
memory/2300-628-0x000000001AA00000-0x000000001AA10000-memory.dmp
memory/2300-630-0x000000001AA10000-0x000000001AA1E000-memory.dmp
memory/2300-632-0x000000001AA40000-0x000000001AA58000-memory.dmp
memory/2300-634-0x000000001B300000-0x000000001B34E000-memory.dmp
C:\containerProviderhost\sppsvc.exe
| MD5 | 92bf2463d72a410bf291db2bbb0176f5 |
| SHA1 | bcc41c9861ce8ad99e2d951c49c50429b4dc8d7f |
| SHA256 | 92883022e82b89d32c6936ad8f94a35ac1eb0c2313656029977aec1b4973b808 |
| SHA512 | c803d47482aec6ac9c74ee20b401f03f3f2d4a1cc80770e1cf70319cbb7da715ee204cb15e585dbd6d9df0d9fb81254fdb6f6dae5d2147cbbbd85c3cf5b8d300 |
memory/2300-649-0x000007FEF4A90000-0x000007FEF547C000-memory.dmp
memory/2300-650-0x000000001B426000-0x000000001B48D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-25 22:45
Reported
2024-02-25 22:48
Platform
win10v2004-20240221-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f12340f9-b0e6-42e3-a341-afc21e6d6dfd\\9B28.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\9B28.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3352 created 2572 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | C:\Windows\system32\sihost.exe |
Vidar
ZGRat
Disables Task Manager via registry modification
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9B28.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9B28.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\611E.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\Control Panel\International\Geo\Nation | C:\containerProviderhost\runtimenetSvc.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DBD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5343.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f12340f9-b0e6-42e3-a341-afc21e6d6dfd\\9B28.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\9B28.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4760 set thread context of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\9B28.exe | C:\Users\Admin\AppData\Local\Temp\9B28.exe |
| PID 5952 set thread context of 4116 | N/A | C:\Users\Admin\AppData\Local\Temp\9B28.exe | C:\Users\Admin\AppData\Local\Temp\9B28.exe |
| PID 388 set thread context of 3500 | N/A | C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe | C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe |
| PID 2372 set thread context of 4760 | N/A | C:\Users\Admin\AppData\Local\Temp\DBD.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| PID 3208 set thread context of 3352 | N/A | C:\Users\Admin\AppData\Local\Temp\5343.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| PID 1936 set thread context of 3852 | N/A | C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe | C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Windows Media Player\Media Renderer\886983d96e3d3e | C:\containerProviderhost\runtimenetSvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\fontdrvhost.exe | C:\containerProviderhost\runtimenetSvc.exe | N/A |
| File created | C:\Program Files\Windows Mail\5b884080fd4f94 | C:\containerProviderhost\runtimenetSvc.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe | C:\containerProviderhost\runtimenetSvc.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\886983d96e3d3e | C:\containerProviderhost\runtimenetSvc.exe | N/A |
| File created | C:\Program Files\Windows Media Player\Media Renderer\csrss.exe | C:\containerProviderhost\runtimenetSvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-572 = "China Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-542 = "Myanmar Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\611E.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2132103209-3755304320-2959162027-1000_Classes\Local Settings | C:\containerProviderhost\runtimenetSvc.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EB1F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\containerProviderhost\runtimenetSvc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\sihost.exe
sihost.exe
C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe
"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8491.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\9B28.exe
C:\Users\Admin\AppData\Local\Temp\9B28.exe
C:\Users\Admin\AppData\Local\Temp\9B28.exe
C:\Users\Admin\AppData\Local\Temp\9B28.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\f12340f9-b0e6-42e3-a341-afc21e6d6dfd" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\9B28.exe
"C:\Users\Admin\AppData\Local\Temp\9B28.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\9B28.exe
"C:\Users\Admin\AppData\Local\Temp\9B28.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
"C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe"
C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
"C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe"
C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe
"C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3500 -ip 3500
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 2220
C:\Users\Admin\AppData\Local\Temp\DEC9.exe
C:\Users\Admin\AppData\Local\Temp\DEC9.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E33F.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\EB1F.exe
C:\Users\Admin\AppData\Local\Temp\EB1F.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\F88E.exe
C:\Users\Admin\AppData\Local\Temp\F88E.exe
C:\Users\Admin\AppData\Local\Temp\EB1F.exe
"C:\Users\Admin\AppData\Local\Temp\EB1F.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Users\Admin\AppData\Local\Temp\DBD.exe
C:\Users\Admin\AppData\Local\Temp\DBD.exe
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\5343.exe
C:\Users\Admin\AppData\Local\Temp\5343.exe
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\611E.exe
C:\Users\Admin\AppData\Local\Temp\611E.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\containerProviderhost\SSJnjC24t.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\containerProviderhost\runtimenetSvc.exe
"C:\containerProviderhost/runtimenetSvc.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FSRA6W5YHr.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe
"C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\csrss.exe"
C:\Windows\SysWOW64\dialer.exe
"C:\Windows\system32\dialer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3352 -ip 3352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3352 -ip 3352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 428
C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe
"C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 70.174.106.193.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| KR | 211.119.84.112:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | 112.84.119.211.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| KR | 211.119.84.112:80 | brusuax.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| AR | 190.224.203.37:80 | habrafa.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 37.203.224.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| AR | 190.224.203.37:80 | habrafa.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | m2reg.ulm.ac.id | udp |
| ID | 103.23.232.80:80 | m2reg.ulm.ac.id | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 142.132.224.223:9001 | tcp | |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.232.23.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp |
| DE | 142.132.224.223:9001 | 142.132.224.223 | tcp |
| DE | 142.132.224.223:9001 | 142.132.224.223 | tcp |
| US | 8.8.8.8:53 | 223.224.132.142.in-addr.arpa | udp |
| DE | 142.132.224.223:9001 | 142.132.224.223 | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | mahta-netwotk.click | udp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | trypokemon.com | udp |
| US | 172.67.185.36:443 | trypokemon.com | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | loftproper.com | udp |
| US | 104.21.11.77:443 | loftproper.com | tcp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.185.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.11.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | valowaves.com | udp |
| US | 172.67.192.62:443 | valowaves.com | tcp |
| US | 8.8.8.8:53 | udp | |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | lucasowen.com.tr | udp |
| TR | 185.50.70.125:443 | lucasowen.com.tr | tcp |
| US | 8.8.8.8:53 | 125.70.50.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19ba1a44-f02e-4187-a0bc-55313d2895e2.uuid.createupdate.org | udp |
| US | 8.8.8.8:53 | stun.sipgate.net | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | server15.createupdate.org | udp |
| US | 15.197.250.192:3478 | stun.sipgate.net | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.104:443 | server15.createupdate.org | tcp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | 192.250.197.15.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| NL | 80.85.246.217:80 | 80.85.246.217 | tcp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.246.85.80.in-addr.arpa | udp |
| RU | 193.106.174.70:80 | trad-einmyus.com | tcp |
| RU | 193.106.174.70:80 | tcp | |
| US | 8.8.8.8:53 | scandalbasketballoe.shop | udp |
| US | 172.67.198.240:443 | scandalbasketballoe.shop | tcp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | 240.198.67.172.in-addr.arpa | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| NL | 80.85.246.217:80 | 80.85.246.217 | tcp |
| NL | 80.85.246.217:80 | 80.85.246.217 | tcp |
Files
memory/4272-1-0x0000000002E50000-0x0000000002F50000-memory.dmp
memory/4272-2-0x0000000000400000-0x0000000002BE0000-memory.dmp
memory/4272-3-0x0000000002D70000-0x0000000002D7B000-memory.dmp
memory/3444-4-0x00000000022D0000-0x00000000022E6000-memory.dmp
memory/4272-5-0x0000000000400000-0x0000000002BE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8491.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
C:\Users\Admin\AppData\Local\Temp\9B28.exe
| MD5 | 3d196de47911047d26c003e31a878038 |
| SHA1 | c368e8a2dacb6c322064f7f2aeb0b3cbcb274cd9 |
| SHA256 | 19b9c4e7ba38960b14cf6557c7b6b7989009f0a7e368f1936050d1606c4cfc4a |
| SHA512 | 30871d6b7a9d94a602f21a6f5325f017c735db491351b64d9044b497c0f2d1cd8f0988857a358f29e077047ab5800a6384a2aa2ab17a539c2092d8828e87581b |
memory/4760-20-0x0000000003740000-0x00000000037DA000-memory.dmp
memory/4760-21-0x0000000003900000-0x0000000003A1B000-memory.dmp
memory/1364-22-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1364-24-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1364-25-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1364-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1364-38-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5952-41-0x0000000001BC0000-0x0000000001C5E000-memory.dmp
memory/4116-44-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-45-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-46-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 61069f3e5ec893a06611f1e74f5193f9 |
| SHA1 | c7d77c232343d594a9b55274ee482edb9d879971 |
| SHA256 | 63f54ad995160d65ece7dc146e050409d6f72bfceaaf28e4d7333fe2e619cec8 |
| SHA512 | 5c972dc939629e86e564e692091935d1b2af8e80f8f9872c7edba8ac5272a845691c7a9cd6440b3fb7822fb864f05adcb706879c9c1d0f2f5a55222fb4b376c3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 1614610ded3e92091cb4a735cbd2b486 |
| SHA1 | a45cdac15521127de130232ee79a7e766576a4e3 |
| SHA256 | f069678a6146a5412e1d4ae7a11dc6a1cd1f63830790872e202d7aab14bd4303 |
| SHA512 | 4a291fa54485381497065e10b2adc718420697ec243f8afda8fe44c354ab3bcbb81bc05eac5e4c36275d80861f0d39a7b0efe08c580d1995bb5ffed6ac28b04f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 610f387cecd6b98e4abcb72626ee7d13 |
| SHA1 | 791f01f69d1e025c15660cc87c6a2d332c16d1c7 |
| SHA256 | dd9c87c9d210b8dcb6f9d2b897c11b0a480b955a0aeaf4bb9b661f1bdc0604d1 |
| SHA512 | 97d58a6504e70c4ceb4f255c6327d076b8ffc017945a9a8474f1ece483a5326d572ef13d6e4e5ba6bc2dba4b9575f99085ca2af2dbabc375f6bf0e8bef554858 |
memory/4116-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-54-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-58-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-60-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4116-61-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build2.exe
| MD5 | c6d3d647baad8a5b93b81d2487f4f072 |
| SHA1 | e9c1105dc41f85d4f7e94d4e004f8427787c8802 |
| SHA256 | 7754125653413cfca3bde887fb2a22f0cd5144ec447bb274c69b005861b70a0a |
| SHA512 | 55425dc95161e627e19e17f1bb910f958dade0c2b12da5eaad31159f0e2dc5217ff293c52f39d860d399807d5b4a814f1bb24376c58b40cc171d298282052049 |
memory/388-74-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/3500-73-0x0000000000400000-0x0000000000649000-memory.dmp
memory/388-76-0x00000000005E0000-0x0000000000616000-memory.dmp
memory/3500-78-0x0000000000400000-0x0000000000649000-memory.dmp
memory/3500-79-0x0000000000400000-0x0000000000649000-memory.dmp
C:\Users\Admin\AppData\Local\a0467e72-fa4e-4f69-8f9a-675cae98fa75\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/4116-100-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3500-103-0x0000000000400000-0x0000000000649000-memory.dmp
memory/4116-106-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DEC9.exe
| MD5 | 3882d53bb4fa9b34225dcd65476dbfea |
| SHA1 | 749ec3be884d1026e55576ff382e5f8bb5a71cb8 |
| SHA256 | bb9806e7e371d593ebff525132d9e16107adaa58cd04b1b0fb37230366b64e98 |
| SHA512 | 25927023a8c74ec7a22f2d8e0406400a92af2e951169621ca3af7191cc8250e02ef443b968a994210615df0907c82e5091be480305d8c5ea796a871912d5f922 |
C:\Users\Admin\AppData\Local\Temp\DEC9.exe
| MD5 | e7323dbd6ea98dfdaeb364570ac5f374 |
| SHA1 | 7c9a750c958aa9ee8554a1bbd3e5d9c2ccd9ebab |
| SHA256 | 04513f58c810278c4fcb89a532fb8b3460cb010979257d30d6ceb5f4df06bab8 |
| SHA512 | 183d7f064c6892f303753b92cec34822c50cbeec6171a54e937b07c5c08b3fe1a2920cebf782cbd7272d63ec52bd91a6363a68fc782b4417fcbd7e25257eeda9 |
memory/5420-111-0x0000000000C20000-0x0000000000C21000-memory.dmp
memory/5420-113-0x0000000000C50000-0x00000000014FF000-memory.dmp
memory/5420-115-0x0000000000C30000-0x0000000000C31000-memory.dmp
memory/5420-117-0x0000000000C30000-0x0000000000C31000-memory.dmp
memory/5420-116-0x0000000000C30000-0x0000000000C31000-memory.dmp
memory/5420-118-0x0000000000C30000-0x0000000000C31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EB1F.exe
| MD5 | b7865292d9c37de3f9306365814344cc |
| SHA1 | b5f59e17c84a7ba0b2f60cd7da78e9d8e36c758e |
| SHA256 | f9e8294aea84cf597ddbadd29e63a3f470e1a98da704a755d6cd3b936f0f726b |
| SHA512 | f4dd38f1c0e718ea23e28bd8d6d4b97a70582518b669e143f9708fff33a6afdbc45d75841be7bca9bcc53f1e2b4502e3bba4420338963dee7642bf0e0a5ec1bd |
memory/5420-128-0x0000000000C50000-0x00000000014FF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EB1F.exe
| MD5 | 466ecbc5ca2ad88dc3b4266a305c46a0 |
| SHA1 | b4bb744f6d7d1b40108e9b49b779fe5408dcf2e8 |
| SHA256 | ba43638566c64d2a62e3affda029e768ce1acdbf11dbe8951fde17f07281566c |
| SHA512 | 374da55d1efd703225618cc58c4a33191d8477d04dbea607fccb299115f6343b6450f3430e5484a6b527ab77cc342aab0d397ee87151d752d3e24734bff52a28 |
memory/528-129-0x0000000003A10000-0x0000000003E0B000-memory.dmp
memory/528-130-0x0000000003F10000-0x00000000047FB000-memory.dmp
memory/528-131-0x0000000000400000-0x0000000001E0D000-memory.dmp
memory/5644-132-0x0000000003110000-0x0000000003146000-memory.dmp
memory/5644-134-0x0000000005890000-0x0000000005EB8000-memory.dmp
memory/5644-133-0x0000000073130000-0x00000000738E0000-memory.dmp
memory/5644-136-0x00000000030C0000-0x00000000030D0000-memory.dmp
memory/5644-137-0x00000000030C0000-0x00000000030D0000-memory.dmp
memory/5644-138-0x0000000005820000-0x0000000005842000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rxjarbex.uw3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5644-149-0x00000000061E0000-0x0000000006246000-memory.dmp
memory/5644-144-0x0000000006000000-0x0000000006066000-memory.dmp
memory/5644-150-0x00000000063A0000-0x00000000066F4000-memory.dmp
memory/5644-152-0x0000000006710000-0x000000000675C000-memory.dmp
memory/5644-151-0x0000000006370000-0x000000000638E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F88E.exe
| MD5 | f00fc30d862188dde528abbc6b596b1a |
| SHA1 | 64d0811a72ce0ed361a3420cd53e272ca76a7519 |
| SHA256 | 6841a8d26ef03994c271eabe988a6d548345352fc7e944c07556c649439cb592 |
| SHA512 | ff8e37e9bb113eba4d8a27cb70a901606cdb079902addb8e395d4a8f9e4e7a56f43cd13a9d353b1758672c56cffd8aaa1d0d8560b666f7f1fc334964101cdcca |
C:\Users\Admin\AppData\Local\Temp\F88E.exe
| MD5 | 9dae0e68915238849a0fa9df128f3ab4 |
| SHA1 | a1d1654fdb9d045d91c9399af62a0c7609f0e2fb |
| SHA256 | c0c87892ac16ddc0d66cceffe4cf574aa9d07516fb7e07bc32f4b80d542ee03b |
| SHA512 | 8b9330bbde4a9327b96b6fa1cfcab7f4b040b706ad75f99c4a248cc015dee1cffdb708d095f6eb94e2b13ea34fd58c4de7f47b35780abc201cd334ddd4c089d9 |
memory/5644-153-0x0000000006C30000-0x0000000006C74000-memory.dmp
memory/5644-158-0x0000000007800000-0x0000000007876000-memory.dmp
memory/5644-160-0x00000000078A0000-0x00000000078BA000-memory.dmp
memory/5644-159-0x0000000007F00000-0x000000000857A000-memory.dmp
memory/5644-162-0x0000000007C50000-0x0000000007C82000-memory.dmp
memory/5644-164-0x000000006FC30000-0x000000006FF84000-memory.dmp
memory/5644-176-0x0000000007CB0000-0x0000000007D53000-memory.dmp
memory/5644-177-0x0000000007DA0000-0x0000000007DAA000-memory.dmp
memory/5644-175-0x00000000030C0000-0x00000000030D0000-memory.dmp
memory/5644-174-0x0000000007C90000-0x0000000007CAE000-memory.dmp
memory/5644-163-0x000000006FAD0000-0x000000006FB1C000-memory.dmp
memory/5644-161-0x000000007F6D0000-0x000000007F6E0000-memory.dmp
memory/5644-178-0x0000000008580000-0x0000000008616000-memory.dmp
memory/5644-179-0x0000000007DB0000-0x0000000007DC1000-memory.dmp
memory/5644-180-0x0000000007DF0000-0x0000000007DFE000-memory.dmp
memory/5644-181-0x0000000007E10000-0x0000000007E24000-memory.dmp
memory/5644-182-0x0000000007E50000-0x0000000007E6A000-memory.dmp
memory/5644-183-0x0000000007E40000-0x0000000007E48000-memory.dmp
memory/5644-186-0x0000000073130000-0x00000000738E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EB1F.exe
| MD5 | 56dac0c9a7abb2e3ff23131d40981cea |
| SHA1 | cf8ef3fd440de49cd411569b3647e1b679d6daec |
| SHA256 | fc869d43604b2a00ba8b7f372d9d7261bb6e6e72b4ad1f729f1cbcfd34d2b3df |
| SHA512 | 1202e19b14f519262680342a4acc15e1124370d9bf5b8d8d8024c195d323a6bcd580712143cdebbdf4a7a6e5ee3684796896a7845b711a9a3ee225147fc05b5e |
memory/4696-189-0x0000000003B30000-0x0000000003F37000-memory.dmp
memory/528-190-0x0000000003A10000-0x0000000003E0B000-memory.dmp
memory/4696-191-0x0000000000400000-0x0000000001E0D000-memory.dmp
memory/2632-192-0x0000000073130000-0x00000000738E0000-memory.dmp
memory/528-193-0x0000000003F10000-0x00000000047FB000-memory.dmp
memory/2632-195-0x0000000005C20000-0x0000000005F74000-memory.dmp
memory/2632-194-0x0000000004D40000-0x0000000004D50000-memory.dmp
memory/2632-196-0x0000000004D40000-0x0000000004D50000-memory.dmp
memory/528-206-0x0000000000400000-0x0000000001E0D000-memory.dmp
memory/2632-207-0x000000007F6E0000-0x000000007F6F0000-memory.dmp
memory/2632-208-0x000000006FAD0000-0x000000006FB1C000-memory.dmp
memory/2632-209-0x000000006FE00000-0x0000000070154000-memory.dmp
memory/2632-220-0x0000000004D40000-0x0000000004D50000-memory.dmp
memory/2632-219-0x0000000007410000-0x00000000074B3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DBD.exe
| MD5 | a5aa54a5dc4ff7156be31f9d45974b72 |
| SHA1 | c832ab6f3cf67feede0736a0151c46a96146511b |
| SHA256 | 972a6f8ef6ae10efa416e366916df1502188c48c66cd72e6135965d94349d78f |
| SHA512 | 03010898fd05b97677e5c01cbaf0e74c5931f47672376e3075a0d47926bca1acd0011b4a8178344d4970a322548a4bb5c6a2fd9781209253af61c9f426efa3c6 |
C:\Users\Admin\AppData\Local\Temp\DBD.exe
| MD5 | 30c8e825e7a455fa783bb3406d35ac43 |
| SHA1 | adc8ac816c6d79fc1d6362717a410364b0e94376 |
| SHA256 | 4d9c4fe34f11890db331ecdd6cb2b4eef95eb63ef6734004c2ace6ba2706c040 |
| SHA512 | d4b9c459ceac01779387a6c00d1ac5edf0ca96955e56ef149a0933c624fa8db4e4f9bd2fcd2d72567eb9dd712fa8581900eab4ef7b57b1ea21b3a0c7cfd54cdd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d2d0070d6238f7bdd91b8d0b26e9b1a8 |
| SHA1 | b2a8934734dcbd5617407914dde85d016d5745d0 |
| SHA256 | e5757dbd9cf7c4d41fbd87d9a9b708d352109bb7d18645d09f24f71eef31d958 |
| SHA512 | 5652b890033a85f9abc202d99b87fce115147c36e9ede148d1522231b72fd6d1405d5f6245088982c63d5e6b8d71f1115157438d8e54049c8df7c85d0570fa49 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a22e9f55c7fad9fe3a587b8362ef4f27 |
| SHA1 | b5ff7c697a38969e115928302f64da8f412b7912 |
| SHA256 | 52edbfd5f8e6bc0653bced5ae77af65b15459b8cb2f88cade21f6a7afe37d12c |
| SHA512 | 81c32ec149fa5b9c83ee57597ec1c9d24ca0b5a5b839b6cdf099b70dbbbe544a30ab9d320949506ee128d741909ab26a981bbba74bf8b637ae34a1a65b9a8f6d |
C:\Windows\rss\csrss.exe
| MD5 | 4e1f7c6af1652e7bc059064547f141bc |
| SHA1 | 94a97f8e05c08236da2b769d54bf33280178d3ed |
| SHA256 | 36fc1e92f1f3af429651720b8e7ea5eb1ca2e83c5c74e233543275c09b57eb20 |
| SHA512 | f30069ed3c482cc15d5f5be84ab2b1fda85e151c2312b90b6e9019dcd24e2930ca1a09b1a4ba2a2f910e0fad8cf2a7dfe3bf4f42a8d247609bae540bb233c652 |
C:\Windows\rss\csrss.exe
| MD5 | e0e7ec5e6d3d82af46d75eefabd40073 |
| SHA1 | 8919251b8a6e42b886a4e87bb7c7e8bb6d2534e9 |
| SHA256 | ae361995ab8d3160af4dcbdc9f0733bbcab6685edf3948f10ec514f8d8844438 |
| SHA512 | 19d3f33f7431830a2e11f861a8aa7645e25ffa15a8956d9dcbd81fe269ec55fe9f335a1636f5f70f259bc9b746e87536e2b1369b32baa3df76ab2957e4d08276 |
memory/5700-303-0x00007FF795150000-0x00007FF795DB2000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6d0a02f17cf7de01d2c9a515cf9aadc7 |
| SHA1 | 6315fed881ababf93995293d12c6af01898fdcb5 |
| SHA256 | ddbd55f95723a7fcc0b21024c075058d264c2f9e1aaa74e5b3a5838a212c4eb8 |
| SHA512 | 651cb1afb3feaf862ac64690ca0bb408c5715cb21304ad77de5b61e9ea4d4e4a4b702b8317e3a0f72563a6c232c8bf519b12bfba3a32ae4a3869b5351fdf8632 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6f3dccff57bc5aff185aca77e00ff5fb |
| SHA1 | 1ec7526e90893871da011486ab2528dc8b8f8fb0 |
| SHA256 | 964c27c8bc8178dffba23c2ef4b46adf7d33f896948e28f2e5a8e4ff803ee44c |
| SHA512 | 18ea93f158eb1dcc9004d8e937febac614c7f9698f6f28b7e1dbdcce26f7100e7167a71a4f4692ce9409926c496297907186797a2dc938aebfa79fdfa6424231 |
memory/4696-344-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d800345005c3b4d0da179a1254e0673e |
| SHA1 | 7e9d19b17b69d2a1c71b602cfaa5224fbac7cfa9 |
| SHA256 | 914ee6fd2ddafbefe9f02baba2569d4f47cb0cc6498ef56ff350729fccc30ab3 |
| SHA512 | 8b4fa1a5de3458fc6a09461cdbbba2898c56947d06841e04acf051c29d7bb73e5376bd9f4fab9aa2561975bd180bae607597f09792e4e9600e735bc54fb85da5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/5700-395-0x00007FF795150000-0x00007FF795DB2000-memory.dmp
memory/4528-396-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5343.exe
| MD5 | f01f17070d6c361d7cf2fccacba7a82c |
| SHA1 | a0b5ba4309eeb8039bb7ad8b4292118ff66c01dc |
| SHA256 | 21a1d9069914a274913301f71f4ddb4b991a16e13f99bbabeb6dc71c7ff8655a |
| SHA512 | 72858c907d1558befca030650b6d0abb6cc0eee7b67edd112f0fcbcb55283ae450de4777a8839993a214da1c4f78ba251ba3d6b2b7b02973347cff207601b49a |
C:\Users\Admin\AppData\Local\Temp\5343.exe
| MD5 | 769e796d195a615491199dcc178f39d7 |
| SHA1 | cd0f2a19ab3a01baa8b2da992d3f2902c60f16cc |
| SHA256 | 1edea0c154bc699abb18a119be5a97d4fed233b41e6bc14d2a6c8583a90089b8 |
| SHA512 | ce93ba5cdc766acf9d1aa517e63e0477af9ecc743b72a098f5e00668d5f92ab59fff031224d6c176359b06885d22bb10339c613accdd435ffc76b78abe9f3e9f |
C:\Windows\windefender.exe
| MD5 | d52a110e8a644ad42e0d39987f44104c |
| SHA1 | 902cc386d545ed58a7f64203d7ab21f2dbe6c210 |
| SHA256 | f578866815f89accb31570f45c894052511294bb38ef813bcd32e4ec24e653af |
| SHA512 | d194af10513ee157f7fd23c2a23c030b11a9aefc09ed90e0f011a3df66c107859ea8b016b0c26b0db2881d6f7e0e470d3e146c2b0dc32636748979894120947e |
C:\Windows\windefender.exe
| MD5 | 06a3afb990a7d4ed8d740fa739415939 |
| SHA1 | c543f51909015a789bf199f4beb9285a37c04eec |
| SHA256 | 62d8e9ed58e04749e3e234b807dfef245debdfc6242589b97cd5371c6d2b3562 |
| SHA512 | f58cb43b92dfe4469abda5d07b7e4f305ead4f40664029a98c5cd03d1959d465e15d9a23e5d31e0bafc2ebdfda6096c7d2083258fce47fa90612db6105e8f0f2 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/2876-411-0x0000000000400000-0x00000000008DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\611E.exe
| MD5 | 20de31c5226fde5ddae74894f2e3f618 |
| SHA1 | 03b514401eb1c179f4eec5211f646148de8b0426 |
| SHA256 | 6d5060a8430247a2500bd235d4588710f5ae1c3f8fa48b146914c672f8cc394a |
| SHA512 | aa43a6436aa1dd518f36281b83e25f09d52e72d2f9df316eda8f32ec11296272acfa257c1d37b5a46a72b047fb14f1a25637e5923de7aa30240be78e888a5039 |
C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe
| MD5 | 49ca6dc4705e383d4162260db0d5bf84 |
| SHA1 | b6e1e8f086245aa07a5c2d352e69a9a2fa5c460d |
| SHA256 | 6fe6c22a6b3c1de777b489d553073631d8c7e2b76738b9700198876521ff7ba4 |
| SHA512 | 684c61fba0a98723a41504bc1e7ce4debe0a785a0eb78f13e1cb291d77aa95aa4e82a80166060be8319a35785f6f710dbbaabf710545c4b9556440477b1bde7f |
memory/5700-428-0x00007FF795150000-0x00007FF795DB2000-memory.dmp
memory/4528-429-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
memory/2804-441-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/4760-448-0x0000000000400000-0x0000000000449000-memory.dmp
memory/4760-452-0x0000000000400000-0x0000000000449000-memory.dmp
C:\containerProviderhost\SSJnjC24t.bat
| MD5 | 08387ad767f4e9e7c670d0eeafe302ef |
| SHA1 | 4ba6af1e421c43ee693b6537a06639c3f50a7abf |
| SHA256 | 2bdca7aa3916a7a0bb6e1b22d895b9696f14c1512554a7af00d5dbc048e43672 |
| SHA512 | 94f7743519a768d233130ba4d2b3ccf62f67f0999382cc984051fe5f8ae02deb17926e01482d1e763447d3f54fb3b548ee241d7a40cf34d45d7e968ce8f6975f |
C:\containerProviderhost\runtimenetSvc.exe
| MD5 | 92bf2463d72a410bf291db2bbb0176f5 |
| SHA1 | bcc41c9861ce8ad99e2d951c49c50429b4dc8d7f |
| SHA256 | 92883022e82b89d32c6936ad8f94a35ac1eb0c2313656029977aec1b4973b808 |
| SHA512 | c803d47482aec6ac9c74ee20b401f03f3f2d4a1cc80770e1cf70319cbb7da715ee204cb15e585dbd6d9df0d9fb81254fdb6f6dae5d2147cbbbd85c3cf5b8d300 |
memory/5700-468-0x00007FF795150000-0x00007FF795DB2000-memory.dmp
memory/4528-469-0x0000000000400000-0x0000000001E0D000-memory.dmp
memory/4036-556-0x000000001D920000-0x000000001D9ED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FSRA6W5YHr.bat
| MD5 | f729ebef6ff1fe529297eaa249e6de7a |
| SHA1 | 44b6c28705981eebdce8fcd7ba51d9413b2e4fbe |
| SHA256 | 9ef5b5fb4391d4125e926d464e664783fa7e283bf293e2c42d812c9d5e56e4bd |
| SHA512 | 6f27be6fb0f348d38b1c673a84e4ff6b276d2f71095aef1f45ae73924ddf905040a1861947756714d0bb191e3d54f4ce8de6ad5aed3899dc94843eee0536322b |
memory/5700-563-0x00007FF795150000-0x00007FF795DB2000-memory.dmp
memory/4528-564-0x0000000000400000-0x0000000001E0D000-memory.dmp
memory/3352-570-0x0000000000400000-0x000000000046D000-memory.dmp
memory/3352-573-0x0000000000400000-0x000000000046D000-memory.dmp
memory/2804-583-0x0000000000400000-0x00000000008DF000-memory.dmp