Malware Analysis Report

2024-11-13 14:05

Sample ID 240225-2px4faee45
Target 0b31dc8d9eeaa4a6803873a6c1380c72.exe
SHA256 7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
Tags
dcrat glupteba smokeloader zgrat tfd5 backdoor dropper evasion infostealer loader rat trojan upx djvu lumma discovery persistence ransomware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e

Threat Level: Known bad

The file 0b31dc8d9eeaa4a6803873a6c1380c72.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Glupteba

Lumma Stealer

Djvu Ransomware

DcRat

Detect ZGRat V1

Detected Djvu ransomware

SmokeLoader

ZGRat

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Modifies file permissions

Loads dropped DLL

UPX packed file

Deletes itself

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Uses Task Scheduler COM API

Runs ping.exe

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-25 22:46

Signatures

Unsigned PE

Hits: 1 (no description, indicator, process or target recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-25 22:46

Reported

2024-02-25 22:48

Platform

win7-20240221-en

Max time kernel

48s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"

Signatures

DcRat

rat infostealer dcrat

Detect ZGRat V1

Hits: 19 (no description, indicator, process or target recorded)

Glupteba

loader dropper glupteba

Glupteba payload

Hits: 13 (no description, indicator, process or target recorded)

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Deletes itself

Hits: 1 (no description, indicator, process or target recorded)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4867.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

UPX packed file

upx

Hits: 7 (no description, indicator, process or target recorded)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Further hits: 62 (no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Hits: 2 (no description, indicator, process or target recorded)

Suspicious use of SendNotifyMessage

Hits: 2 (no description, indicator, process or target recorded)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2684 N/A N/A C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 2684 N/A N/A C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 2684 N/A N/A C:\Windows\system32\cmd.exe
PID 2684 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2684 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2684 wrote to memory of 2416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1192 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4867.exe
PID 1192 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4867.exe
PID 1192 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4867.exe
PID 1192 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\4867.exe
PID 2812 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\4867.exe C:\Windows\SysWOW64\WerFault.exe
PID 2812 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\4867.exe C:\Windows\SysWOW64\WerFault.exe
PID 2812 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\4867.exe C:\Windows\SysWOW64\WerFault.exe
PID 2812 wrote to memory of 1532 N/A C:\Users\Admin\AppData\Local\Temp\4867.exe C:\Windows\SysWOW64\WerFault.exe
PID 1192 wrote to memory of 2368 N/A N/A C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 2368 N/A N/A C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 2368 N/A N/A C:\Windows\system32\cmd.exe
PID 2368 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2368 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2368 wrote to memory of 836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe

"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\F335.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\4867.exe

C:\Users\Admin\AppData\Local\Temp\4867.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 124

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\4F98.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\60D7.exe

C:\Users\Admin\AppData\Local\Temp\60D7.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240225224701.log C:\Windows\Logs\CBS\CbsPersist_20240225224701.cab

C:\Users\Admin\AppData\Local\Temp\60D7.exe

"C:\Users\Admin\AppData\Local\Temp\60D7.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\B177.exe

C:\Users\Admin\AppData\Local\Temp\B177.exe

C:\Users\Admin\AppData\Local\Temp\C5F7.exe

C:\Users\Admin\AppData\Local\Temp\C5F7.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Users\Admin\AppData\Local\Temp\2A75.exe

C:\Users\Admin\AppData\Local\Temp\2A75.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\3F1E.exe

C:\Users\Admin\AppData\Local\Temp\3F1E.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 560

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\containerProviderhost\SSJnjC24t.bat" "

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\containerProviderhost\runtimenetSvc.exe

"C:\containerProviderhost/runtimenetSvc.exe"

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sw5XpAiijT.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 560

C:\Program Files\Windows Mail\conhost.exe

"C:\Program Files\Windows Mail\conhost.exe"

Network


Files


memory/3060-305-0x0000000073140000-0x000000007382E000-memory.dmp

memory/3060-304-0x0000000000010000-0x0000000000662000-memory.dmp

memory/2672-303-0x0000000073140000-0x000000007382E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2A75.exe

MD5 062a468ec2a6fd72584ecd8724b10448
SHA1 c2c0c569188bc4fe47646305e4daac20ece19405
SHA256 3fd671952ec7ab6934f7fbea8a3bcb32a3ad29aa0f6ad97751f7468d64e9b1cf
SHA512 0624abb57e3e056f2777b887fc05cd7d77e10e08783e055c0a39a6e81ee7eb1ca71ddc0ab9211aa8f9644a0105065f5583addc440cce13a630284cb377039dfe

memory/3060-307-0x0000000005070000-0x00000000050B0000-memory.dmp

memory/2672-306-0x0000000004F60000-0x0000000004FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Users\Admin\AppData\Local\Temp\3F1E.exe

MD5 06c828d3d9c414dbdfa031b76d680357
SHA1 b37959f077b9ae5a4693f3131b997490d39c3f92
SHA256 a0e03317addda39ed6a9c66ddc615fbe1dab43d5d15733eda461a5fd138a73e5
SHA512 f53278759301e9a9a06bf9bcba9b1363ce6b15a26f7abc194f541bdcd78a678e9638d1bff00ed723dd281c9ea7c6fe9a247bb2cb7e11fa8c4cf35bfe6d2a8aeb

C:\Users\Admin\AppData\Local\Temp\3F1E.exe

MD5 6d32a91acb18b99a10f2b800fae0e4b4
SHA1 d9c1bb51fff10f4b2651e0ccc1cfc0f05dea50c7
SHA256 454f47bd345a11035410fb84c3f32c2af46df79c0e70f8e6b39486d844a096a9
SHA512 9bff8ad906ea1b15000829ef2cef286d773e1498d5fc4ac64150f4e7bda5a1873030c27a68695533929c28a46b8a5b7067fa43ac1c57d9070fab8cf8225cbcad

C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe

MD5 49ca6dc4705e383d4162260db0d5bf84
SHA1 b6e1e8f086245aa07a5c2d352e69a9a2fa5c460d
SHA256 6fe6c22a6b3c1de777b489d553073631d8c7e2b76738b9700198876521ff7ba4
SHA512 684c61fba0a98723a41504bc1e7ce4debe0a785a0eb78f13e1cb291d77aa95aa4e82a80166060be8319a35785f6f710dbbaabf710545c4b9556440477b1bde7f

\Users\Admin\AppData\Local\Temp\C5F7.exe

MD5 8aedb60c96f5aa0ff39964483d838003
SHA1 ecb89c94ee1e273c50d668993153f642d99d5b0f
SHA256 600753601451b2266fa752084db91ea2c37ae5802a25c4f3964bffced84b8ea2
SHA512 a8dffc548ca69190a80ab3812a9bab8f53eef845ce4ff14e05a60ba2cbc42464337b2ef124f3601e6d7419498f8a8921406596a781879575010d88b603941d1c

\Users\Admin\AppData\Local\Temp\C5F7.exe

MD5 0577d97ed99e68e6917a1b75474f681d
SHA1 48817a5d49b076a3b11fe97e928889f45664f736
SHA256 a26b536d138912dfe8296dd4936c8d07b8b164e3469756f6833aa6512704f238
SHA512 7b4aa21d7001fc40fc03c11343f89fc49db973e8b0afff478a0bdc8e5defdbb00fc6bf220b4c72059e3ee02310ca8e785d0f4b4aaabb671fed6f0cd7503af88d

\Users\Admin\AppData\Local\Temp\C5F7.exe

MD5 5a9bcdfd9f45ad1521a1c4fbee3d9c29
SHA1 58dbc3d9f4c463fc58787bd0bb4c8607f06dfa43
SHA256 5345bde7b6c9333a559c6bede5978e1707ec9bf9fbb75fea32279ae35d1a5f7e
SHA512 e8f4c83f7935d5695beed5865918ad8b280146ce586b0848627af4356e95b2b1da4144bceb58dd82246ab890e11a504de5107b7d2aecff26d7ddf731c8fd5cd1

\Users\Admin\AppData\Local\Temp\C5F7.exe

MD5 d56f0bb7f58a81069b04b7bd9fe1286b
SHA1 b8de8ab2dcfedd4f8f4c3c726997b6a4a3cf8989
SHA256 f49c78c005d253a2cca716c7d1258e25b88cd66694722915f833649e18539c71
SHA512 ac165398f70f66d1e922af021dbe5cd2f95e80fd8e2e43b574a7f3a4eba4c6bfc005d88ac7af9d96eb945558f6e75d13f3f6e0ee95e62f4b1eed4ec074f4a6e2

\Users\Admin\AppData\Local\Temp\C5F7.exe

MD5 4070d202d11ce256f7b0efc2f31e5aec
SHA1 301f951d51524254c07d1721faef52b12ebd0680
SHA256 9709e93a13800353c27c9deac31e2dcf87a3434538d895fdaa7e01e1449d4b64
SHA512 405ee6d1d8acdf7ecd12ba900419db193bf64de02d21d78828cbd74437330677551664d943981d309b8a1b3c3f2d0f4d9968c7b848066b11ab2b1757b27fe903

memory/1352-332-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Windows\windefender.exe

MD5 b56f7c3c0e0867358787c895aba1287d
SHA1 4b2df2210047d02051a73ddecd53f61671ac83e5
SHA256 f04744ca4fe84d2486ec504fcfddc48ef3f6e8b02345b790e06c989970637776
SHA512 a146b912b8bfca929bce3b88826a38dfbedaed126eebfab291f34440a972e52e4ee757a574e193df9dbc0561c18764ceea25fd32688a4e6a48f7007fd5e2ce3c

memory/840-336-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 aa6025bceb9a0a4098fdf1277d273823
SHA1 6866e2dd86996d8ca7ca6e9d25b5cf5e4000da0f
SHA256 b8ecdf642db7ad83ba296481c2941231bcf80a5d22922a9af19fa7d2098d7966
SHA512 13c150ea7dfdd79519aa0ab265b0be9801c9152ef25901444b71486e12398d5f7722982d411e88275349e4993c2001778d519e9e0a4b6bb12d57b4292e7ad764

C:\Windows\windefender.exe

MD5 2870f0ce0db96cc5b6e06b233ac8c21c
SHA1 964e56e00bb4d367ab71917addb0a9080ac21802
SHA256 693a7805cc2994a8f918bf3e9cc451461501ec205db2fbce018d14a5b8eaddb7
SHA512 b8aa71043cc6f3f6bacc5db2f7242f56d8057dd0d76d1feb890621904e2a4f7461e56dee738850f581d6dfb50c3f4641e525782ff8f07e778db2ffce0a5339c2

memory/1852-339-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/840-340-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\containerProviderhost\SSJnjC24t.bat

MD5 08387ad767f4e9e7c670d0eeafe302ef
SHA1 4ba6af1e421c43ee693b6537a06639c3f50a7abf
SHA256 2bdca7aa3916a7a0bb6e1b22d895b9696f14c1512554a7af00d5dbc048e43672
SHA512 94f7743519a768d233130ba4d2b3ccf62f67f0999382cc984051fe5f8ae02deb17926e01482d1e763447d3f54fb3b548ee241d7a40cf34d45d7e968ce8f6975f

memory/1352-341-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\containerProviderhost\runtimenetSvc.exe

MD5 abc54c00e6392a095fd8ce6aea041262
SHA1 489aaec650adc3883cbfaebff33296da75e84091
SHA256 d5ab3ce41b84f231a56151df83063a83ac69573de76c1910006e950caf377b5a
SHA512 e1c532d02427c7bab6b08a9ad8a1463d34afe9e9ed9818d612f5176e8750389e1cd6f2c75acba5708a0c75e5a52df38bdd619f666983a079883eead4ecfefb58

\containerProviderhost\runtimenetSvc.exe

MD5 c968f71f01e7b7f176bf3de2d7a0eeda
SHA1 e0c854fc40a83c021972fda624f92ab901134b1d
SHA256 af108e3b2c23ffe53fa0c34e04c4b408bec668fd2ee1e036b2c587c04be97c6d
SHA512 62074effa8928e4a7389d4c488e8bf44d975009da16739116ebbaacea1a1c7d212069ae3621d199b031b45760418d0133825ad7364e2bc3b00983422a9c2dc89

C:\containerProviderhost\runtimenetSvc.exe

MD5 cf734a47b54b3b42694d248acf7715ed
SHA1 4673103a2b54d3db11b08800d718888f62da1fb8
SHA256 a83cfaeeaf83227e3cf7300b25d78839311f058fccf69c968e09642c0b5e4f81
SHA512 612c1660f33ddf92ae414390d740a05d366c073a143ac751bf0ba83aa653d79f14da73ca1540745012d363a55cdfbc5cb0cc4c08e56d4d0a60b4aa6b6a7c1996

\containerProviderhost\runtimenetSvc.exe

MD5 b9568de57bb5a0dea6731ec008409f5a
SHA1 5f412c365378cb800a2ee185eb4a0c6060336330
SHA256 eacdecf8f8d95fc1587375bb592243a852153cc5f9748df052df8be12c6c41ec
SHA512 cb9e33bdd73222c56f9ad97952e2c31880a7c9e61bcbd91ceabed561ee1ab6c1fe5d1ec459c9a830201e95b12a38834d986c235631c3090ea91bad4d0c74fc9f

memory/3060-348-0x0000000005070000-0x00000000050B0000-memory.dmp

memory/3060-343-0x0000000073140000-0x000000007382E000-memory.dmp

memory/2012-349-0x0000000000DC0000-0x0000000001122000-memory.dmp

memory/2012-350-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/2012-351-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2012-352-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/1852-353-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2012-354-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2012-358-0x0000000000430000-0x0000000000456000-memory.dmp

memory/2012-356-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2012-355-0x0000000077010000-0x0000000077011000-memory.dmp

memory/2012-363-0x0000000000410000-0x0000000000420000-memory.dmp

memory/2012-364-0x0000000076FF0000-0x0000000076FF1000-memory.dmp

memory/2012-367-0x0000000000420000-0x0000000000430000-memory.dmp

memory/2012-366-0x0000000076FE0000-0x0000000076FE1000-memory.dmp

memory/2012-370-0x0000000000570000-0x0000000000580000-memory.dmp

memory/2012-371-0x0000000076FC0000-0x0000000076FC1000-memory.dmp

memory/2012-373-0x0000000000580000-0x000000000058E000-memory.dmp

memory/2012-368-0x0000000076FD0000-0x0000000076FD1000-memory.dmp

memory/2012-375-0x0000000000590000-0x000000000059E000-memory.dmp

memory/2012-380-0x0000000076FA0000-0x0000000076FA1000-memory.dmp

memory/2012-384-0x0000000076F90000-0x0000000076F91000-memory.dmp

memory/2012-383-0x00000000005A0000-0x00000000005B0000-memory.dmp

memory/2012-386-0x0000000000A90000-0x0000000000AA6000-memory.dmp

memory/2012-388-0x0000000076F80000-0x0000000076F81000-memory.dmp

memory/2012-387-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2012-381-0x000000001B380000-0x000000001B400000-memory.dmp

memory/2012-390-0x0000000000B30000-0x0000000000B42000-memory.dmp

memory/2012-379-0x0000000076FB0000-0x0000000076FB1000-memory.dmp

memory/2012-378-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp

memory/2012-377-0x0000000000A70000-0x0000000000A82000-memory.dmp

memory/2012-361-0x0000000077000000-0x0000000077001000-memory.dmp

memory/2012-360-0x00000000003E0000-0x00000000003EE000-memory.dmp

C:\Program Files\Windows Mail\conhost.exe

MD5 06bcf9c71afe5545beb650496a988034
SHA1 02f777c93abbca2884e4a5a08872569602fd4792
SHA256 fcdc50f8a54716285b9236733125c135c8b16dc279ebe435373e3a968fb288fd
SHA512 70eeba0a17981945094f68108348eb3aa8db154350622ef709e8b1b64dd11e0018867ff49e37321f3189d99bc7ce28da8404c83b5e011d623e5ded7592a858e5

C:\Users\Admin\AppData\Local\Temp\sw5XpAiijT.bat

MD5 0d3d3fa57ff998456004812f777f909a
SHA1 22501a852aaac53a26b3d3372dcca212cd140566
SHA256 48672852f6bae53cd1f3368445d92b875a46a10da99c79e230c70ff9a21042b2
SHA512 9eecb3e70e2117c1b1f6ac1c490046fa9f32b38aa54b9ef1568c97641d2a8073a5c67096e1c0ca9e8616e34669ff05832dd34f1eba612e8d0046e170c403173e

memory/1352-433-0x0000000000400000-0x0000000001E0D000-memory.dmp

\Users\Admin\AppData\Local\Temp\2A75.exe

MD5 7254eabd4f1a8edcc0c7d8668aca2a82
SHA1 775a00fd0715f4baed6a3b044730cda626e3e61d
SHA256 5516b083890a54a0446aadd00d8f5b081f1a28877d071f83847de600bc8b02f1
SHA512 a2bcad9b07bd5ef73f8d6ce00dc5eda2863650b589eae62c2559c1cb9fc2d7ad1594a561ba92e1d1b8fa177f18307482874f2a3daaf17b01b9136c6bbb2f3383

\Users\Admin\AppData\Local\Temp\2A75.exe

MD5 df768bb913fefe371c40bc97b4425963
SHA1 a9666cab4a45da48ca270bbaa9781afb0978b13e
SHA256 e924278ec7ba0ac36ed91477d33f79ca1ff3b959a7a5a41f94259104975fc37d
SHA512 f7f0a86b2b493de017b0221f3525c70a3091e225d643a9c31339d622992b07f7f2e6cfb193a22865062966f6829258094de16b628f776e1ba8b0686091ae932b

\Users\Admin\AppData\Local\Temp\2A75.exe

MD5 4a5102554dc64d9f60fb41efc66bd11d
SHA1 d49bc4b822777a24e1563fa069b2c699a13a58c0
SHA256 7c2d2dbe44d0366ec1971d417a426deddee2dc9d82a1159237880442bc629a81
SHA512 1f4b154510a0457614f7f5d24b5b5b02d6a9c64da1e2bcb38ae39e12553a8eaaeb0af8eb85b75a46a2df92e31607aa43e7f2486f9252c84df7d4cc50f4aa5797

\Users\Admin\AppData\Local\Temp\2A75.exe

MD5 2c9a604ee1e578c4d074a42ecf110c3d
SHA1 7cb65021f15bcfd91d6b37ce32549d2f81d6812f
SHA256 5ff37ae4808760e39411e80617db36acd51c94411f0843ea3d2b67b938bf30c5
SHA512 76b9af53acdaff66d97077a2794359e811826a7d914b77da6ec921a508efa5299621cf5a26eac0b9e4d289c646ceea213a6b92a6c76f3a0ea61186ce2efe95fb

\Users\Admin\AppData\Local\Temp\2A75.exe

MD5 f0ae65828b91a6aaa371388a5aae3434
SHA1 527a7e13ae40d50680ca58d94d7eb33a398c3956
SHA256 d76e88c4faa0703003566102470a2db0654a08c224924b91143c7cf864652940
SHA512 c02740696cea62de0a5d9414f5758d6e28c2cfe77ebba4204ed894129437ed6b9ab833c6c3fc697bbb1b1972594dd9016552477b50a15939a70ebc3daff4b80b

C:\Program Files\Windows Mail\conhost.exe

MD5 f94e32c967d226d404105a7cabcdf98a
SHA1 539c82aced86f647fda119d878998dd5fba9a8ae
SHA256 ba89ab21b669ea38779a11a21e68d98f265bfebaa9417bb26d903c6eb3b8d30a
SHA512 7f9d731935b72e3b776be105bb2c200d4cb85363beef06e5082125ce231d11bacd1f3fe5eb8a3608458f46a63043809090716935945ac4f2cf45a2ebed053e72

C:\Program Files\Windows Mail\conhost.exe

MD5 d51442479528574072414adc7d4536a5
SHA1 ec276399593880a56ebdfc03a86e6726a62a8536
SHA256 23a2fa95b39dfeb5e4bbf932f643b54fdf0e90aad0984e7404b081277a5e5acd
SHA512 0e33614f4ddae1f443b6018ac9076384578f9a8aa495106135f1d07e3df07e4fe9158af7c55756bdca2e2f1f35ef531b540c309e1fb908c3b0fd4758f81cddc4

memory/1352-473-0x0000000000400000-0x0000000001E0D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-25 22:46

Reported 2024-02-25 22:49

Platform win10v2004-20240221-en

Max time kernel 118s

Max time network 170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f649dd18-3502-4a56-afb9-9fb69a04cd97\\6C81.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6C81.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6C81.exe N/A

Deletes itself

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f649dd18-3502-4a56-afb9-9fb69a04cd97\\6C81.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6C81.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1720 set thread context of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 set thread context of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3356 wrote to memory of 3000 N/A N/A C:\Windows\system32\cmd.exe
PID 3356 wrote to memory of 3000 N/A N/A C:\Windows\system32\cmd.exe
PID 3000 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3000 wrote to memory of 4720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3356 wrote to memory of 1720 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3356 wrote to memory of 1720 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3356 wrote to memory of 1720 N/A N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1720 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1160 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Windows\SysWOW64\icacls.exe
PID 1160 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Windows\SysWOW64\icacls.exe
PID 1160 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Windows\SysWOW64\icacls.exe
PID 3356 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4B9.exe
PID 3356 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4B9.exe
PID 3356 wrote to memory of 1608 N/A N/A C:\Users\Admin\AppData\Local\Temp\A4B9.exe
PID 1160 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1160 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 1160 wrote to memory of 3512 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3356 wrote to memory of 2672 N/A N/A C:\Windows\system32\cmd.exe
PID 3356 wrote to memory of 2672 N/A N/A C:\Windows\system32\cmd.exe
PID 2672 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2672 wrote to memory of 1892 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3512 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\6C81.exe C:\Users\Admin\AppData\Local\Temp\6C81.exe
PID 3356 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe
PID 3356 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe
PID 3356 wrote to memory of 4300 N/A N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe
PID 3356 wrote to memory of 4696 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA7F.exe
PID 3356 wrote to memory of 4696 N/A N/A C:\Users\Admin\AppData\Local\Temp\EA7F.exe
PID 3356 wrote to memory of 1860 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD0E.exe
PID 3356 wrote to memory of 1860 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD0E.exe
PID 3356 wrote to memory of 1860 N/A N/A C:\Users\Admin\AppData\Local\Temp\FD0E.exe
PID 4300 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4300 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4300 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3080 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\C36E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe

"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\486E.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\6C81.exe

C:\Users\Admin\AppData\Local\Temp\6C81.exe

C:\Users\Admin\AppData\Local\Temp\6C81.exe

C:\Users\Admin\AppData\Local\Temp\6C81.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f649dd18-3502-4a56-afb9-9fb69a04cd97" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\A4B9.exe

C:\Users\Admin\AppData\Local\Temp\A4B9.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4D7.bat" "

C:\Users\Admin\AppData\Local\Temp\6C81.exe

"C:\Users\Admin\AppData\Local\Temp\6C81.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\6C81.exe

"C:\Users\Admin\AppData\Local\Temp\6C81.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4728 -ip 4728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 568

C:\Users\Admin\AppData\Local\Temp\C36E.exe

C:\Users\Admin\AppData\Local\Temp\C36E.exe

C:\Users\Admin\AppData\Local\Temp\EA7F.exe

C:\Users\Admin\AppData\Local\Temp\EA7F.exe

C:\Users\Admin\AppData\Local\Temp\FD0E.exe

C:\Users\Admin\AppData\Local\Temp\FD0E.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\C36E.exe

"C:\Users\Admin\AppData\Local\Temp\C36E.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5BE9.exe

C:\Users\Admin\AppData\Local\Temp\5BE9.exe

C:\Users\Admin\AppData\Local\Temp\81B1.exe

C:\Users\Admin\AppData\Local\Temp\81B1.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\containerProviderhost\SSJnjC24t.bat" "

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\containerProviderhost\runtimenetSvc.exe

"C:\containerProviderhost/runtimenetSvc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3756 -ip 3756

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 436

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AjfCaQL16X.bat"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 432

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\RemotePackages\RemoteDesktops\System.exe

"C:\Windows\RemotePackages\RemoteDesktops\System.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 70.174.106.193.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.119.84.111:80 brusuax.com tcp
US 8.8.8.8:53 111.84.119.211.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 mahta-netwotk.click udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 172.67.185.36:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 172.67.148.138:443 loftproper.com tcp
US 8.8.8.8:53 36.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 138.148.67.172.in-addr.arpa udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 62.192.67.172.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 lucasowen.com.tr udp
TR 185.50.70.125:443 lucasowen.com.tr tcp
US 8.8.8.8:53 125.70.50.185.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
NL 80.85.246.217:80 80.85.246.217 tcp
US 8.8.8.8:53 217.246.85.80.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 scandalbasketballoe.shop udp
US 104.21.60.178:443 scandalbasketballoe.shop tcp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
US 8.8.8.8:53 de2d54f7-e9d7-4db9-a5b5-b4ea9fda560b.uuid.createupdate.org udp

Files

memory/2172-1-0x0000000002F10000-0x0000000003010000-memory.dmp

memory/2172-2-0x0000000002E80000-0x0000000002E8B000-memory.dmp

memory/2172-3-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/3356-4-0x0000000003290000-0x00000000032A6000-memory.dmp

memory/2172-5-0x0000000000400000-0x0000000002BE0000-memory.dmp

memory/2172-8-0x0000000002E80000-0x0000000002E8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\486E.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\6C81.exe

MD5 3d196de47911047d26c003e31a878038
SHA1 c368e8a2dacb6c322064f7f2aeb0b3cbcb274cd9
SHA256 19b9c4e7ba38960b14cf6557c7b6b7989009f0a7e368f1936050d1606c4cfc4a
SHA512 30871d6b7a9d94a602f21a6f5325f017c735db491351b64d9044b497c0f2d1cd8f0988857a358f29e077047ab5800a6384a2aa2ab17a539c2092d8828e87581b

memory/1720-21-0x00000000036B0000-0x0000000003749000-memory.dmp

memory/1720-22-0x0000000003780000-0x000000000389B000-memory.dmp

memory/1160-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1160-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1160-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1160-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1160-38-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A4B9.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/1608-43-0x0000000000AF0000-0x000000000139F000-memory.dmp

memory/1608-44-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/1608-45-0x0000000000AF0000-0x000000000139F000-memory.dmp

memory/1608-52-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/1608-51-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/1608-50-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/1160-55-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3512-58-0x0000000003740000-0x00000000037E1000-memory.dmp

memory/4728-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4728-62-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4728-64-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C36E.exe

MD5 9125f073ab9146a41c4372ffcb64106f
SHA1 a415c399fb870f3f11ec48dc9c86abd825476b16
SHA256 d225ab3011aa70ba2264b38adf0ef079242ddd2710d15a696d6ebe839e4354fc
SHA512 0e7e52ac1ec7e0b8c0d6d71da3db89c9c7ff877ae3ea4fb7eb86cff2ea15e51fc1d0c3de57b4f63c6991acf1d23a0c3f7e9f9ae36a7a08778694b98be5fa3cf7

C:\Users\Admin\AppData\Local\Temp\C36E.exe

MD5 8cb4a815b78ed4ca1b77b372fa83c06e
SHA1 7bb3ebdd39b936d38b24928b6392bb16f21d8310
SHA256 356c111824df7afe7d7044682a8daed75c92e45c76b5acb3530e3476bfc396d2
SHA512 1512da5df4124b522ca00df0c6ff789115279badb9778150b4e38f20d64db4697953d34beb36c7963570e7e8d2f89f8ccf7e3815761f9fd7dd89a2781bacfce3

memory/1608-70-0x0000000000AF0000-0x000000000139F000-memory.dmp

memory/4300-71-0x0000000003930000-0x0000000003D36000-memory.dmp

memory/4300-72-0x0000000003E40000-0x000000000472B000-memory.dmp

memory/4300-73-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA7F.exe

MD5 ca75882d8187ba628e746abd7eba3869
SHA1 29a83b3bf4f57fdc37281b74fe4d895064be7224
SHA256 5bf15eac50035138c6ab22024def2cd3181cc69e75d1919ab1205fc7c5db8508
SHA512 9559fd32fc8510bbf78a0e6e7c6c97e68797730e27140f184e1569b224b2bc09052b876378aa8cceb70533989de41502037f357f99955b2b7b86a749697afc94

C:\Users\Admin\AppData\Local\Temp\EA7F.exe

MD5 78e09df7be2bbd97e6c06db742267982
SHA1 49fcfa8c02283bc435cb07d74463232b34f3e615
SHA256 60eb4857811bc38ce6a3fab3da9893d1d799f9b4ac0f4ccc502c90ac681bdeff
SHA512 0498f68a72c1a93b2ae6514f99da3dda68b1530a7fe2fa7abc88b79096cb9b59265374df650cd2000af76b70294038fb70940954a260f78433463fd4f67ab676

memory/4300-82-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FD0E.exe

MD5 d6c5410b2d9e45c08deaabe2c3e09c65
SHA1 e7fd29cf3488283bb7b43a31f965b9849c2d55cf
SHA256 f9e3c1a6284370cd7b6f8cb5a54d4d5f639a6fe0eb6c9a293d350e6505a3df75
SHA512 3f4a0ba92a7509a2d84aac0fc4d2c8d80144ccc090c664276acb85db487585419f268bb3b27652cdb88010d72ef5bdf66bf56fbfbdf6f4b4a2b2569cb2c3f325

C:\Users\Admin\AppData\Local\Temp\FD0E.exe

MD5 b5d1b40a3a443d085075c18c856de15c
SHA1 0d767af1e83a5353ecaa7325e99d124992d53e1b
SHA256 a2e3e342dda47ee3b6c0eff3f6453d07a01f749285465564349f1649597e1aa3
SHA512 1629183cd69e6e192550638cca7aa85dec142ab8ce0454fe7bf61241acb0e20511de3c454d3e881eb2aed2440b71416d8a17741936153a8bfc31fffdaec26d88

memory/1860-86-0x0000000000B70000-0x000000000111A000-memory.dmp

memory/1860-87-0x00000000728A0000-0x0000000073050000-memory.dmp

memory/1860-89-0x0000000005A60000-0x0000000005A70000-memory.dmp

memory/1860-88-0x0000000005B10000-0x0000000005BAC000-memory.dmp

memory/4844-91-0x00000000029A0000-0x00000000029D6000-memory.dmp

memory/4696-90-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

memory/4844-93-0x00000000728A0000-0x0000000073050000-memory.dmp

memory/4844-94-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/4844-95-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/4844-92-0x00000000054F0000-0x0000000005B18000-memory.dmp

memory/4844-96-0x0000000005300000-0x0000000005322000-memory.dmp

memory/4844-97-0x0000000005C20000-0x0000000005C86000-memory.dmp

memory/4844-98-0x0000000005C90000-0x0000000005CF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxiceuap.omf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4844-108-0x0000000005E10000-0x0000000006164000-memory.dmp

memory/4844-109-0x0000000006340000-0x000000000635E000-memory.dmp

memory/4844-110-0x0000000006380000-0x00000000063CC000-memory.dmp

memory/4844-111-0x0000000006870000-0x00000000068B4000-memory.dmp

memory/4300-112-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/4300-113-0x0000000003E40000-0x000000000472B000-memory.dmp

memory/4844-114-0x0000000002990000-0x00000000029A0000-memory.dmp

memory/4844-115-0x0000000007670000-0x00000000076E6000-memory.dmp

memory/4844-116-0x0000000007D70000-0x00000000083EA000-memory.dmp

memory/4844-117-0x0000000007710000-0x000000000772A000-memory.dmp

memory/4300-118-0x0000000003930000-0x0000000003D36000-memory.dmp

memory/4844-120-0x000000007FB10000-0x000000007FB20000-memory.dmp

memory/4844-119-0x00000000078E0000-0x0000000007912000-memory.dmp

memory/4844-121-0x00000000742A0000-0x00000000742EC000-memory.dmp

memory/4844-122-0x000000006FF50000-0x00000000702A4000-memory.dmp

memory/4844-132-0x00000000078C0000-0x00000000078DE000-memory.dmp

memory/4844-133-0x0000000007920000-0x00000000079C3000-memory.dmp

memory/4844-134-0x0000000007A00000-0x0000000007A0A000-memory.dmp

memory/4844-135-0x0000000007AC0000-0x0000000007B56000-memory.dmp

memory/4844-136-0x0000000007A20000-0x0000000007A31000-memory.dmp

memory/4844-137-0x0000000007A60000-0x0000000007A6E000-memory.dmp

memory/4844-138-0x0000000007A70000-0x0000000007A84000-memory.dmp

memory/4844-139-0x0000000007B60000-0x0000000007B7A000-memory.dmp

memory/4844-140-0x0000000007AB0000-0x0000000007AB8000-memory.dmp

memory/4844-143-0x00000000728A0000-0x0000000073050000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C36E.exe

MD5 c4cd2dabf6fe55752749ff664f9f9820
SHA1 b999a991aa6013a1cfe8d0bf5ee3e7ccd79012c9
SHA256 ecf58130e5f5905c6ab24345d42aa8ebf185bc45452fe9c93941d774d1d56c2e
SHA512 a2b64bbf37b291dbe3937100d228851024b44a953e91de6fedf1636dcaba7b4c02bcbd33fa21f0ce9fbdfde75a14893501ba583b0ddca0dce6968e67af5b6936

memory/4300-146-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/4696-147-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

memory/4300-148-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/3080-149-0x0000000003A30000-0x0000000003E2E000-memory.dmp

memory/3080-150-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5BE9.exe

MD5 266f054b0cfcba0530a7231e8d09a99b
SHA1 3ed2c1300e2d85b1603e5a9052317589e6b7ed9b
SHA256 05fa4b3ed672782026fe190d6553cd99ef5b38ba37f70cf89d0de99ff6b50780
SHA512 4140284c6195ac45ea2dbf83a7c9b38fba043cff477875737b980fc187be6361f10ed8eb31a0000fc4f2c8732a843272a88d12468790f0806029b0d13b0b4bc8

memory/808-155-0x00000000728A0000-0x0000000073050000-memory.dmp

memory/808-156-0x0000000005320000-0x0000000005330000-memory.dmp

memory/808-157-0x0000000005320000-0x0000000005330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5BE9.exe

MD5 ce82ed5b937090512e881f7ed9351eaa
SHA1 dd3b34243673a2a96786677f0f4c517de1b3c055
SHA256 e97fce83b8cddecf3678a025dd38778e183278b43c77cea75aa82c2afa9e9821
SHA512 4b62e88f90020db839b1654dfbc734978f5820027198ab0fb363fbd4c108138725679a8b003ab529cda98ae67d6bfefd1b11a88ec291d5046ea59fca132e0806

memory/2844-159-0x00000000728A0000-0x0000000073050000-memory.dmp

memory/2844-158-0x00000000001E0000-0x0000000000832000-memory.dmp

memory/1860-160-0x00000000728A0000-0x0000000073050000-memory.dmp

memory/2844-161-0x0000000005160000-0x0000000005170000-memory.dmp

memory/808-167-0x00000000060E0000-0x0000000006434000-memory.dmp

memory/808-172-0x0000000006C40000-0x0000000006C8C000-memory.dmp

memory/4300-173-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/4696-174-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

memory/3080-175-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81B1.exe

MD5 20de31c5226fde5ddae74894f2e3f618
SHA1 03b514401eb1c179f4eec5211f646148de8b0426
SHA256 6d5060a8430247a2500bd235d4588710f5ae1c3f8fa48b146914c672f8cc394a
SHA512 aa43a6436aa1dd518f36281b83e25f09d52e72d2f9df316eda8f32ec11296272acfa257c1d37b5a46a72b047fb14f1a25637e5923de7aa30240be78e888a5039

C:\Users\Admin\AppData\Local\Temp\81B1.exe

MD5 5650fcd780ba2a27c066848b3d7fadc3
SHA1 b9081e5dc28a5fa3df2234aab523501bb32991cb
SHA256 c21d644cfc73b7ddc4c19d0f5d7467d808391ff33fca7439c1606288eb63e40c
SHA512 8c382bf4c2ecc8341ea2720bf5128d8693963c2a812f9e3a69b9508b3392bad4277e69769bd4f06ebde675094ccf3d58209bbda312d9ecf8ee3620045a7d942c

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/4696-203-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

memory/2232-207-0x0000000000400000-0x0000000000449000-memory.dmp

memory/2232-210-0x0000000000400000-0x0000000000449000-memory.dmp

memory/3080-230-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe

MD5 49ca6dc4705e383d4162260db0d5bf84
SHA1 b6e1e8f086245aa07a5c2d352e69a9a2fa5c460d
SHA256 6fe6c22a6b3c1de777b489d553073631d8c7e2b76738b9700198876521ff7ba4
SHA512 684c61fba0a98723a41504bc1e7ce4debe0a785a0eb78f13e1cb291d77aa95aa4e82a80166060be8319a35785f6f710dbbaabf710545c4b9556440477b1bde7f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a3dc24340d188645cdebe2fcd23ced08
SHA1 60180c423584d698277d835fd2df835316dbf7e9
SHA256 2a3ca623f4d4af100dd58839697ddf6dfb8e1b16e1cf569cda107f8f18ade2c2
SHA512 f71fc92735d3069e7c3aea9e01e194e6568dff53ea1102b928d7351c8b77b99013db599996e1717978bed9d232ffb1c9c015bf3fcba664dd06356eec16fa7928

memory/4696-266-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3ed124cfee56affc64e8878d0a23da44
SHA1 3002cbb094eb5b272e5485209f77cf51b51765c5
SHA256 ebeabff229be43b1f8fccf80defd3bdf57da185b7c1190bdc56bc0e712d671bd
SHA512 7ad7fb165c203139cd5c52156f0a5d04f027d1b3bd5a30a711702714c779115c5706303ceaccd1762a578280899dc068a77e242bd783529f4ef557b43247d29a

memory/3080-281-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 2ddc231c26e2e1d968768ac594736c50
SHA1 51591ff5c9fbca258f8fcc97433d7a78eb24f3ed
SHA256 c46f50f2c777c3b08e7424344c950c7e17cbfdd92129ac054e51d1f04b7284d8
SHA512 3d8a4a123690998b59ff354df399a92e3be53dfd9a39ede866ffa3abc51351fb45e9676f462d594096fd0b3add73194cb0b5904eb363625a49d5cb55065bd0e8

C:\Windows\rss\csrss.exe

MD5 e7fe0767c5f8b778d2bd973c9d8e20d8
SHA1 f4d7e20aee899e16c0297cea8090baf6e6c39722
SHA256 0e9708a70a95c25bd9a0c1caa29a3b473ed0a46a74ff030c61df3f98c813f1eb
SHA512 ef5acf3a465e5baa84c286763a4b00f8cd34acb35bdb34ff6be7d982516b2b8217d598a7190b7b0146f2041e69c9cc0b074a22fa006e22845bf6da81d7ad926f

memory/3080-298-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\containerProviderhost\SSJnjC24t.bat

MD5 08387ad767f4e9e7c670d0eeafe302ef
SHA1 4ba6af1e421c43ee693b6537a06639c3f50a7abf
SHA256 2bdca7aa3916a7a0bb6e1b22d895b9696f14c1512554a7af00d5dbc048e43672
SHA512 94f7743519a768d233130ba4d2b3ccf62f67f0999382cc984051fe5f8ae02deb17926e01482d1e763447d3f54fb3b548ee241d7a40cf34d45d7e968ce8f6975f

C:\containerProviderhost\runtimenetSvc.exe

MD5 92bf2463d72a410bf291db2bbb0176f5
SHA1 bcc41c9861ce8ad99e2d951c49c50429b4dc8d7f
SHA256 92883022e82b89d32c6936ad8f94a35ac1eb0c2313656029977aec1b4973b808
SHA512 c803d47482aec6ac9c74ee20b401f03f3f2d4a1cc80770e1cf70319cbb7da715ee204cb15e585dbd6d9df0d9fb81254fdb6f6dae5d2147cbbbd85c3cf5b8d300

memory/4696-326-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

memory/3756-328-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3756-334-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e4fc6d3c5ab3f1926d8869c1349d6688
SHA1 8fc66b6aefee97078d72b604835d35f7626b2fe0
SHA256 24a514f06e30dd8a309260d37b720544861d02bda94cc68750800eb815581555
SHA512 d5c13cddb5acb8f2d538b60b637ec19ce1073622996eb565db633f6c207cb8dcdd1b92949e3a6138cf9b4e9fd5b6b0033227376319509cd043d14787b411f69a

memory/3756-425-0x0000000004300000-0x0000000004700000-memory.dmp

memory/3756-430-0x0000000004300000-0x0000000004700000-memory.dmp

memory/3756-434-0x00007FFF357B0000-0x00007FFF359A5000-memory.dmp

memory/2404-433-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Windows\RemotePackages\RemoteDesktops\System.exe

MD5 5fc19e08c5473ce9c2eb49ed1ba02e1a
SHA1 dcf8114269eb5a521ba640baf06539a8e3511424
SHA256 3375dd49e1e34fbb3f42300a52ebe4d880f8115dccc9ae1cd32d10c2f49266f3
SHA512 900099f77265346cd0e5eb5e5d8c0fb40684b84fe468ce454d65b3848977c0da9fe27ee3c5510627d2a622cd79d2a50070636f66f6efede2c4ab8beb64dc7039

memory/3792-443-0x0000000000F50000-0x0000000000F59000-memory.dmp

memory/3756-436-0x00000000755D0000-0x00000000757E5000-memory.dmp

memory/3792-455-0x0000000002CD0000-0x00000000030D0000-memory.dmp

memory/3792-456-0x00007FFF357B0000-0x00007FFF359A5000-memory.dmp

memory/3792-459-0x00000000755D0000-0x00000000757E5000-memory.dmp

memory/2288-462-0x000000001BF50000-0x000000001BF9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AjfCaQL16X.bat

MD5 2dddd3e8023e3cd88c2d193a3183a114
SHA1 6ba940af96cd348f661292ba0fd8b88b1a49b232
SHA256 7df4d1702dbd09ea4b8d4ecd527a356a7420eab5c81e3604c97b49e2dd42b25f
SHA512 a8bcaebaba6a0df830b5ed8fcdb3ff2eba9096176f388150aa520501b50f9cf774fbf5e68fdc89079a3ee30c1caf49e7b6efc4c1e8250c63723941d6dbe262b8

memory/4696-471-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 15abbd0c9a3a9fa9690e7e47407ec4e8
SHA1 d310de8efc4534aef1882943bb00a9824c34f021
SHA256 4ca1929ad79a800831ec1b8e697de3bbcc0671e453af16f07d90b2e5cbc4aaf0
SHA512 480cc787c18402c40463a5d7e34e64da6ffcc023aa149a71e9c2e7ad3f69fd7c1540f72c4ef2a3d693e82855482929f9a0137c9781f31354c43f1e00a520eaca

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7940462eaedbb9f344fce5d9127edd70
SHA1 02ec495cd2de1ae6f77b67239e6df9b46933c160
SHA256 32a14fc4e1a4a87b134c9130962736d9012587d1a9de1702ce2ad99ce4e1606d
SHA512 b0d705599d931ad7b48367236f37877b3071b39800b0722b237e2315728aedd8190bbc53c7d33157e8c0fc01fcc048009ff08439c113d3fd398f26abe598ef52

memory/2404-518-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/4696-541-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
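The listing above is the raw dropped-file and memory-dump inventory from the sandbox run, and a few things in it matter when turning it into indicators: the same path (C:\Windows\rss\csrss.exe, the PowerShell StartupProfileData-Interactive file) appears more than once with different hashes, so a path is not an identity and each hash set is a separate version; the memory/PID-N-0xSTART-0xEND-memory.dmp names encode the process and the region that was dumped; and every digest should be length-checked before it goes into a blocklist. The parser below is an added example written for this page, not tooling from the sandbox vendor or the report itself. It assumes exactly the layout shown here (a path line, then ALGO hex lines, with dump names interleaved); the embedded sample listing is copied from three entries on this page, and the bytes passed to match_bytes in the usage are constructed and are not a real payload.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Digest algorithms and hex lengths used by the report's "Files" listing.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algo -> lowercase hex digest


def parse_listing(text):
    """Parse the sandbox listing into (dropped files, memory dumps).

    A path line opens an entry; following 'ALGO hex' lines attach to it.
    Dump names are parsed into (pid, seq, start, end) tuples. Each digest is
    validated against its expected length so a truncated hash cannot slip
    into a blocklist unnoticed.
    """
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in HASH_LEN and current is not None:
            algo, digest = parts[0], parts[1].lower()
            if len(digest) != HASH_LEN[algo] or any(c not in "0123456789abcdef" for c in digest):
                raise ValueError(f"bad {algo} digest for {current.path}: {digest}")
            current.hashes[algo] = digest
            continue
        # Anything else is a file path that starts a new entry.
        current = DroppedFile(path=line)
        files.append(current)
    return files, dumps


def index_by_sha256(files):
    """SHA256 -> list of entries (one hash can be written to several paths)."""
    idx = {}
    for f in files:
        if "SHA256" in f.hashes:
            idx.setdefault(f.hashes["SHA256"], []).append(f)
    return idx


def versions_per_path(files):
    """Paths that were written more than once with different content.

    In this report C:\\Windows\\rss\\csrss.exe is listed twice with different
    hashes: the sample overwrote it, so both versions must be blocklisted.
    """
    seen = {}
    for f in files:
        seen.setdefault(f.path, set()).add(f.hashes.get("SHA256"))
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


def match_bytes(data, idx):
    """Hash file contents read from a suspect host and look them up."""
    return idx.get(hashlib.sha256(data).hexdigest(), [])


def dumps_by_pid(dumps):
    """Group dumped regions per PID with their size, for triage of which
    process image (e.g. the 0x400000-based one) was captured."""
    out = {}
    for pid, seq, start, end in dumps:
        out.setdefault(pid, []).append({"seq": seq, "start": start, "size": end - start})
    return out


# Sample copied from three entries of this report (csrss.exe twice, one .bat).
SAMPLE_LISTING = r"""
memory/3080-281-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 2ddc231c26e2e1d968768ac594736c50
SHA1 51591ff5c9fbca258f8fcc97433d7a78eb24f3ed
SHA256 c46f50f2c777c3b08e7424344c950c7e17cbfdd92129ac054e51d1f04b7284d8
SHA512 3d8a4a123690998b59ff354df399a92e3be53dfd9a39ede866ffa3abc51351fb45e9676f462d594096fd0b3add73194cb0b5904eb363625a49d5cb55065bd0e8

C:\Windows\rss\csrss.exe

MD5 e7fe0767c5f8b778d2bd973c9d8e20d8
SHA1 f4d7e20aee899e16c0297cea8090baf6e6c39722
SHA256 0e9708a70a95c25bd9a0c1caa29a3b473ed0a46a74ff030c61df3f98c813f1eb
SHA512 ef5acf3a465e5baa84c286763a4b00f8cd34acb35bdb34ff6be7d982516b2b8217d598a7190b7b0146f2041e69c9cc0b074a22fa006e22845bf6da81d7ad926f

C:\containerProviderhost\SSJnjC24t.bat

MD5 08387ad767f4e9e7c670d0eeafe302ef
SHA1 4ba6af1e421c43ee693b6537a06639c3f50a7abf
SHA256 2bdca7aa3916a7a0bb6e1b22d895b9696f14c1512554a7af00d5dbc048e43672
SHA512 94f7743519a768d233130ba4d2b3ccf62f67f0999382cc984051fe5f8ae02deb17926e01482d1e763447d3f54fb3b548ee241d7a40cf34d45d7e968ce8f6975f
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    idx = index_by_sha256(files)
    print(f"{len(files)} dropped-file entries, {len(idx)} distinct SHA256 values")
    print("rewritten paths:", versions_per_path(files))
    print("dumps:", dumps_by_pid(dumps))
    # Constructed bytes, not a real payload: expected to match nothing.
    print("match:", match_bytes(b"constructed test content", idx))
```

When sweeping a host, feed each candidate file's bytes to match_bytes and treat any hit as a confirmed artifact of this sample; the versions_per_path output is the list of paths for which a single hash is not enough.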