Analysis Overview
SHA256
7c94ffaf6d76f18ce6bfc6039f9252a4b71d79e483d822aeab0de9b3189b6d0e
Threat Level: Known bad
The file 0b31dc8d9eeaa4a6803873a6c1380c72.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Glupteba
Lumma Stealer
Djvu Ransomware
DcRat
Detect ZGRat V1
Detected Djvu ransomware
SmokeLoader
ZGRat
Modifies boot configuration data using bcdedit
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Modifies file permissions
Loads dropped DLL
UPX packed file
Deletes itself
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Adds Run key to start application
Suspicious use of SetThreadContext
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
Uses Task Scheduler COM API
Runs ping.exe
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Checks SCSI registry key(s)
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-25 22:46
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-25 22:46
Reported
2024-02-25 22:48
Platform
win7-20240221-en
Max time kernel
48s
Max time network
154s
Command Line
Signatures
DcRat
Detect ZGRat V1
Glupteba
Glupteba payload
SmokeLoader
ZGRat
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4867.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
UPX packed file
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4867.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\C5F7.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2A75.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe
"C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe"
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\F335.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\4867.exe
C:\Users\Admin\AppData\Local\Temp\4867.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 124
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\4F98.bat" "
C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
C:\Users\Admin\AppData\Local\Temp\60D7.exe
C:\Users\Admin\AppData\Local\Temp\60D7.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240225224701.log C:\Windows\Logs\CBS\CbsPersist_20240225224701.cab
C:\Users\Admin\AppData\Local\Temp\60D7.exe
"C:\Users\Admin\AppData\Local\Temp\60D7.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\B177.exe
C:\Users\Admin\AppData\Local\Temp\B177.exe
C:\Users\Admin\AppData\Local\Temp\C5F7.exe
C:\Users\Admin\AppData\Local\Temp\C5F7.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Users\Admin\AppData\Local\Temp\2A75.exe
C:\Users\Admin\AppData\Local\Temp\2A75.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\3F1E.exe
C:\Users\Admin\AppData\Local\Temp\3F1E.exe
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 560
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\containerProviderhost\SSJnjC24t.bat" "
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\containerProviderhost\runtimenetSvc.exe
"C:\containerProviderhost/runtimenetSvc.exe"
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sw5XpAiijT.bat"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 560
C:\Program Files\Windows Mail\conhost.exe
"C:\Program Files\Windows Mail\conhost.exe"
Network
Files
| SHA512 | 423544187b9e94f8ed22d231e3c08a7540c5d7e4b973e8ff22aa72eef62052852c6060ed842339af2b1c3a9938b3593d431d87407e088fe2d27552c4f56dbd80 |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | 2ba44da2f309471d666d51666c07c267 |
| SHA1 | 62817a0edc81951cc9550c886a673d740474f3ed |
| SHA256 | 0921fb4a205776c6944fe2f1513c135a7d3551986e60f94f1dba3aa6e4feda72 |
| SHA512 | ee539f3614277f76c47ce6374db3f1fbcf6f690c7ea64bc8d31a014d387adb9dbf5e07b21f7384b1429d8e42cb23c7e2af500a1c337237d88cd109add8b0df13 |
memory/1352-285-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
C:\Users\Admin\AppData\Local\Temp\2A75.exe
| MD5 | 3ede7dc31a6b7922fd884b15be040916 |
| SHA1 | a483da79d6100e728166fac4d521abbcd8a91eb8 |
| SHA256 | ca76b4480ef620174813430fc406f7283ce2d1846ab7bf21aad8bce929c387b6 |
| SHA512 | c9ff24bc4507c67b2e51f909510334254f3582642b4df2fdb2729e3437942a78981681f4c71b00a78fe0edcc713f48cdc55ecf1e84097a8d5f7462032eb11f0c |
memory/3060-305-0x0000000073140000-0x000000007382E000-memory.dmp
memory/3060-304-0x0000000000010000-0x0000000000662000-memory.dmp
memory/2672-303-0x0000000073140000-0x000000007382E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2A75.exe
| MD5 | 062a468ec2a6fd72584ecd8724b10448 |
| SHA1 | c2c0c569188bc4fe47646305e4daac20ece19405 |
| SHA256 | 3fd671952ec7ab6934f7fbea8a3bcb32a3ad29aa0f6ad97751f7468d64e9b1cf |
| SHA512 | 0624abb57e3e056f2777b887fc05cd7d77e10e08783e055c0a39a6e81ee7eb1ca71ddc0ab9211aa8f9644a0105065f5583addc440cce13a630284cb377039dfe |
memory/3060-307-0x0000000005070000-0x00000000050B0000-memory.dmp
memory/2672-306-0x0000000004F60000-0x0000000004FA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
C:\Users\Admin\AppData\Local\Temp\3F1E.exe
| MD5 | 06c828d3d9c414dbdfa031b76d680357 |
| SHA1 | b37959f077b9ae5a4693f3131b997490d39c3f92 |
| SHA256 | a0e03317addda39ed6a9c66ddc615fbe1dab43d5d15733eda461a5fd138a73e5 |
| SHA512 | f53278759301e9a9a06bf9bcba9b1363ce6b15a26f7abc194f541bdcd78a678e9638d1bff00ed723dd281c9ea7c6fe9a247bb2cb7e11fa8c4cf35bfe6d2a8aeb |
C:\Users\Admin\AppData\Local\Temp\3F1E.exe
| MD5 | 6d32a91acb18b99a10f2b800fae0e4b4 |
| SHA1 | d9c1bb51fff10f4b2651e0ccc1cfc0f05dea50c7 |
| SHA256 | 454f47bd345a11035410fb84c3f32c2af46df79c0e70f8e6b39486d844a096a9 |
| SHA512 | 9bff8ad906ea1b15000829ef2cef286d773e1498d5fc4ac64150f4e7bda5a1873030c27a68695533929c28a46b8a5b7067fa43ac1c57d9070fab8cf8225cbcad |
C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe
| MD5 | 49ca6dc4705e383d4162260db0d5bf84 |
| SHA1 | b6e1e8f086245aa07a5c2d352e69a9a2fa5c460d |
| SHA256 | 6fe6c22a6b3c1de777b489d553073631d8c7e2b76738b9700198876521ff7ba4 |
| SHA512 | 684c61fba0a98723a41504bc1e7ce4debe0a785a0eb78f13e1cb291d77aa95aa4e82a80166060be8319a35785f6f710dbbaabf710545c4b9556440477b1bde7f |
\Users\Admin\AppData\Local\Temp\C5F7.exe
| MD5 | 8aedb60c96f5aa0ff39964483d838003 |
| SHA1 | ecb89c94ee1e273c50d668993153f642d99d5b0f |
| SHA256 | 600753601451b2266fa752084db91ea2c37ae5802a25c4f3964bffced84b8ea2 |
| SHA512 | a8dffc548ca69190a80ab3812a9bab8f53eef845ce4ff14e05a60ba2cbc42464337b2ef124f3601e6d7419498f8a8921406596a781879575010d88b603941d1c |
\Users\Admin\AppData\Local\Temp\C5F7.exe
| MD5 | 0577d97ed99e68e6917a1b75474f681d |
| SHA1 | 48817a5d49b076a3b11fe97e928889f45664f736 |
| SHA256 | a26b536d138912dfe8296dd4936c8d07b8b164e3469756f6833aa6512704f238 |
| SHA512 | 7b4aa21d7001fc40fc03c11343f89fc49db973e8b0afff478a0bdc8e5defdbb00fc6bf220b4c72059e3ee02310ca8e785d0f4b4aaabb671fed6f0cd7503af88d |
\Users\Admin\AppData\Local\Temp\C5F7.exe
| MD5 | 5a9bcdfd9f45ad1521a1c4fbee3d9c29 |
| SHA1 | 58dbc3d9f4c463fc58787bd0bb4c8607f06dfa43 |
| SHA256 | 5345bde7b6c9333a559c6bede5978e1707ec9bf9fbb75fea32279ae35d1a5f7e |
| SHA512 | e8f4c83f7935d5695beed5865918ad8b280146ce586b0848627af4356e95b2b1da4144bceb58dd82246ab890e11a504de5107b7d2aecff26d7ddf731c8fd5cd1 |
\Users\Admin\AppData\Local\Temp\C5F7.exe
| MD5 | d56f0bb7f58a81069b04b7bd9fe1286b |
| SHA1 | b8de8ab2dcfedd4f8f4c3c726997b6a4a3cf8989 |
| SHA256 | f49c78c005d253a2cca716c7d1258e25b88cd66694722915f833649e18539c71 |
| SHA512 | ac165398f70f66d1e922af021dbe5cd2f95e80fd8e2e43b574a7f3a4eba4c6bfc005d88ac7af9d96eb945558f6e75d13f3f6e0ee95e62f4b1eed4ec074f4a6e2 |
\Users\Admin\AppData\Local\Temp\C5F7.exe
| MD5 | 4070d202d11ce256f7b0efc2f31e5aec |
| SHA1 | 301f951d51524254c07d1721faef52b12ebd0680 |
| SHA256 | 9709e93a13800353c27c9deac31e2dcf87a3434538d895fdaa7e01e1449d4b64 |
| SHA512 | 405ee6d1d8acdf7ecd12ba900419db193bf64de02d21d78828cbd74437330677551664d943981d309b8a1b3c3f2d0f4d9968c7b848066b11ab2b1757b27fe903 |
memory/1352-332-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\Windows\windefender.exe
| MD5 | b56f7c3c0e0867358787c895aba1287d |
| SHA1 | 4b2df2210047d02051a73ddecd53f61671ac83e5 |
| SHA256 | f04744ca4fe84d2486ec504fcfddc48ef3f6e8b02345b790e06c989970637776 |
| SHA512 | a146b912b8bfca929bce3b88826a38dfbedaed126eebfab291f34440a972e52e4ee757a574e193df9dbc0561c18764ceea25fd32688a4e6a48f7007fd5e2ce3c |
memory/840-336-0x0000000000400000-0x00000000008DF000-memory.dmp
C:\Windows\windefender.exe
| MD5 | aa6025bceb9a0a4098fdf1277d273823 |
| SHA1 | 6866e2dd86996d8ca7ca6e9d25b5cf5e4000da0f |
| SHA256 | b8ecdf642db7ad83ba296481c2941231bcf80a5d22922a9af19fa7d2098d7966 |
| SHA512 | 13c150ea7dfdd79519aa0ab265b0be9801c9152ef25901444b71486e12398d5f7722982d411e88275349e4993c2001778d519e9e0a4b6bb12d57b4292e7ad764 |
C:\Windows\windefender.exe
| MD5 | 2870f0ce0db96cc5b6e06b233ac8c21c |
| SHA1 | 964e56e00bb4d367ab71917addb0a9080ac21802 |
| SHA256 | 693a7805cc2994a8f918bf3e9cc451461501ec205db2fbce018d14a5b8eaddb7 |
| SHA512 | b8aa71043cc6f3f6bacc5db2f7242f56d8057dd0d76d1feb890621904e2a4f7461e56dee738850f581d6dfb50c3f4641e525782ff8f07e778db2ffce0a5339c2 |
memory/1852-339-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/840-340-0x0000000000400000-0x00000000008DF000-memory.dmp
C:\containerProviderhost\SSJnjC24t.bat
| MD5 | 08387ad767f4e9e7c670d0eeafe302ef |
| SHA1 | 4ba6af1e421c43ee693b6537a06639c3f50a7abf |
| SHA256 | 2bdca7aa3916a7a0bb6e1b22d895b9696f14c1512554a7af00d5dbc048e43672 |
| SHA512 | 94f7743519a768d233130ba4d2b3ccf62f67f0999382cc984051fe5f8ae02deb17926e01482d1e763447d3f54fb3b548ee241d7a40cf34d45d7e968ce8f6975f |
memory/1352-341-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\containerProviderhost\runtimenetSvc.exe
| MD5 | abc54c00e6392a095fd8ce6aea041262 |
| SHA1 | 489aaec650adc3883cbfaebff33296da75e84091 |
| SHA256 | d5ab3ce41b84f231a56151df83063a83ac69573de76c1910006e950caf377b5a |
| SHA512 | e1c532d02427c7bab6b08a9ad8a1463d34afe9e9ed9818d612f5176e8750389e1cd6f2c75acba5708a0c75e5a52df38bdd619f666983a079883eead4ecfefb58 |
\containerProviderhost\runtimenetSvc.exe
| MD5 | c968f71f01e7b7f176bf3de2d7a0eeda |
| SHA1 | e0c854fc40a83c021972fda624f92ab901134b1d |
| SHA256 | af108e3b2c23ffe53fa0c34e04c4b408bec668fd2ee1e036b2c587c04be97c6d |
| SHA512 | 62074effa8928e4a7389d4c488e8bf44d975009da16739116ebbaacea1a1c7d212069ae3621d199b031b45760418d0133825ad7364e2bc3b00983422a9c2dc89 |
C:\containerProviderhost\runtimenetSvc.exe
| MD5 | cf734a47b54b3b42694d248acf7715ed |
| SHA1 | 4673103a2b54d3db11b08800d718888f62da1fb8 |
| SHA256 | a83cfaeeaf83227e3cf7300b25d78839311f058fccf69c968e09642c0b5e4f81 |
| SHA512 | 612c1660f33ddf92ae414390d740a05d366c073a143ac751bf0ba83aa653d79f14da73ca1540745012d363a55cdfbc5cb0cc4c08e56d4d0a60b4aa6b6a7c1996 |
\containerProviderhost\runtimenetSvc.exe
| MD5 | b9568de57bb5a0dea6731ec008409f5a |
| SHA1 | 5f412c365378cb800a2ee185eb4a0c6060336330 |
| SHA256 | eacdecf8f8d95fc1587375bb592243a852153cc5f9748df052df8be12c6c41ec |
| SHA512 | cb9e33bdd73222c56f9ad97952e2c31880a7c9e61bcbd91ceabed561ee1ab6c1fe5d1ec459c9a830201e95b12a38834d986c235631c3090ea91bad4d0c74fc9f |
memory/3060-348-0x0000000005070000-0x00000000050B0000-memory.dmp
memory/3060-343-0x0000000073140000-0x000000007382E000-memory.dmp
memory/2012-349-0x0000000000DC0000-0x0000000001122000-memory.dmp
memory/2012-350-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp
memory/2012-351-0x000000001B380000-0x000000001B400000-memory.dmp
memory/2012-352-0x00000000003B0000-0x00000000003B1000-memory.dmp
memory/1852-353-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2012-354-0x000000001B380000-0x000000001B400000-memory.dmp
memory/2012-358-0x0000000000430000-0x0000000000456000-memory.dmp
memory/2012-356-0x000000001B380000-0x000000001B400000-memory.dmp
memory/2012-355-0x0000000077010000-0x0000000077011000-memory.dmp
memory/2012-363-0x0000000000410000-0x0000000000420000-memory.dmp
memory/2012-364-0x0000000076FF0000-0x0000000076FF1000-memory.dmp
memory/2012-367-0x0000000000420000-0x0000000000430000-memory.dmp
memory/2012-366-0x0000000076FE0000-0x0000000076FE1000-memory.dmp
memory/2012-370-0x0000000000570000-0x0000000000580000-memory.dmp
memory/2012-371-0x0000000076FC0000-0x0000000076FC1000-memory.dmp
memory/2012-373-0x0000000000580000-0x000000000058E000-memory.dmp
memory/2012-368-0x0000000076FD0000-0x0000000076FD1000-memory.dmp
memory/2012-375-0x0000000000590000-0x000000000059E000-memory.dmp
memory/2012-380-0x0000000076FA0000-0x0000000076FA1000-memory.dmp
memory/2012-384-0x0000000076F90000-0x0000000076F91000-memory.dmp
memory/2012-383-0x00000000005A0000-0x00000000005B0000-memory.dmp
memory/2012-386-0x0000000000A90000-0x0000000000AA6000-memory.dmp
memory/2012-388-0x0000000076F80000-0x0000000076F81000-memory.dmp
memory/2012-387-0x000000001B380000-0x000000001B400000-memory.dmp
memory/2012-381-0x000000001B380000-0x000000001B400000-memory.dmp
memory/2012-390-0x0000000000B30000-0x0000000000B42000-memory.dmp
memory/2012-379-0x0000000076FB0000-0x0000000076FB1000-memory.dmp
memory/2012-378-0x000007FEF4E40000-0x000007FEF582C000-memory.dmp
memory/2012-377-0x0000000000A70000-0x0000000000A82000-memory.dmp
memory/2012-361-0x0000000077000000-0x0000000077001000-memory.dmp
memory/2012-360-0x00000000003E0000-0x00000000003EE000-memory.dmp
C:\Program Files\Windows Mail\conhost.exe
| MD5 | 06bcf9c71afe5545beb650496a988034 |
| SHA1 | 02f777c93abbca2884e4a5a08872569602fd4792 |
| SHA256 | fcdc50f8a54716285b9236733125c135c8b16dc279ebe435373e3a968fb288fd |
| SHA512 | 70eeba0a17981945094f68108348eb3aa8db154350622ef709e8b1b64dd11e0018867ff49e37321f3189d99bc7ce28da8404c83b5e011d623e5ded7592a858e5 |
C:\Users\Admin\AppData\Local\Temp\sw5XpAiijT.bat
| MD5 | 0d3d3fa57ff998456004812f777f909a |
| SHA1 | 22501a852aaac53a26b3d3372dcca212cd140566 |
| SHA256 | 48672852f6bae53cd1f3368445d92b875a46a10da99c79e230c70ff9a21042b2 |
| SHA512 | 9eecb3e70e2117c1b1f6ac1c490046fa9f32b38aa54b9ef1568c97641d2a8073a5c67096e1c0ca9e8616e34669ff05832dd34f1eba612e8d0046e170c403173e |
memory/1352-433-0x0000000000400000-0x0000000001E0D000-memory.dmp
\Users\Admin\AppData\Local\Temp\2A75.exe
| MD5 | 7254eabd4f1a8edcc0c7d8668aca2a82 |
| SHA1 | 775a00fd0715f4baed6a3b044730cda626e3e61d |
| SHA256 | 5516b083890a54a0446aadd00d8f5b081f1a28877d071f83847de600bc8b02f1 |
| SHA512 | a2bcad9b07bd5ef73f8d6ce00dc5eda2863650b589eae62c2559c1cb9fc2d7ad1594a561ba92e1d1b8fa177f18307482874f2a3daaf17b01b9136c6bbb2f3383 |
\Users\Admin\AppData\Local\Temp\2A75.exe
| MD5 | df768bb913fefe371c40bc97b4425963 |
| SHA1 | a9666cab4a45da48ca270bbaa9781afb0978b13e |
| SHA256 | e924278ec7ba0ac36ed91477d33f79ca1ff3b959a7a5a41f94259104975fc37d |
| SHA512 | f7f0a86b2b493de017b0221f3525c70a3091e225d643a9c31339d622992b07f7f2e6cfb193a22865062966f6829258094de16b628f776e1ba8b0686091ae932b |
\Users\Admin\AppData\Local\Temp\2A75.exe
| MD5 | 4a5102554dc64d9f60fb41efc66bd11d |
| SHA1 | d49bc4b822777a24e1563fa069b2c699a13a58c0 |
| SHA256 | 7c2d2dbe44d0366ec1971d417a426deddee2dc9d82a1159237880442bc629a81 |
| SHA512 | 1f4b154510a0457614f7f5d24b5b5b02d6a9c64da1e2bcb38ae39e12553a8eaaeb0af8eb85b75a46a2df92e31607aa43e7f2486f9252c84df7d4cc50f4aa5797 |
\Users\Admin\AppData\Local\Temp\2A75.exe
| MD5 | 2c9a604ee1e578c4d074a42ecf110c3d |
| SHA1 | 7cb65021f15bcfd91d6b37ce32549d2f81d6812f |
| SHA256 | 5ff37ae4808760e39411e80617db36acd51c94411f0843ea3d2b67b938bf30c5 |
| SHA512 | 76b9af53acdaff66d97077a2794359e811826a7d914b77da6ec921a508efa5299621cf5a26eac0b9e4d289c646ceea213a6b92a6c76f3a0ea61186ce2efe95fb |
\Users\Admin\AppData\Local\Temp\2A75.exe
| MD5 | f0ae65828b91a6aaa371388a5aae3434 |
| SHA1 | 527a7e13ae40d50680ca58d94d7eb33a398c3956 |
| SHA256 | d76e88c4faa0703003566102470a2db0654a08c224924b91143c7cf864652940 |
| SHA512 | c02740696cea62de0a5d9414f5758d6e28c2cfe77ebba4204ed894129437ed6b9ab833c6c3fc697bbb1b1972594dd9016552477b50a15939a70ebc3daff4b80b |
C:\Program Files\Windows Mail\conhost.exe
| MD5 | f94e32c967d226d404105a7cabcdf98a |
| SHA1 | 539c82aced86f647fda119d878998dd5fba9a8ae |
| SHA256 | ba89ab21b669ea38779a11a21e68d98f265bfebaa9417bb26d903c6eb3b8d30a |
| SHA512 | 7f9d731935b72e3b776be105bb2c200d4cb85363beef06e5082125ce231d11bacd1f3fe5eb8a3608458f46a63043809090716935945ac4f2cf45a2ebed053e72 |
C:\Program Files\Windows Mail\conhost.exe
| MD5 | d51442479528574072414adc7d4536a5 |
| SHA1 | ec276399593880a56ebdfc03a86e6726a62a8536 |
| SHA256 | 23a2fa95b39dfeb5e4bbf932f643b54fdf0e90aad0984e7404b081277a5e5acd |
| SHA512 | 0e33614f4ddae1f443b6018ac9076384578f9a8aa495106135f1d07e3df07e4fe9158af7c55756bdca2e2f1f35ef531b540c309e1fb908c3b0fd4758f81cddc4 |
memory/1352-473-0x0000000000400000-0x0000000001E0D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-25 22:46
Reported
2024-02-25 22:49
Platform
win10v2004-20240221-en
Max time kernel
118s
Max time network
170s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f649dd18-3502-4a56-afb9-9fb69a04cd97\\6C81.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6C81.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6C81.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A4B9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6C81.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EA7F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FD0E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f649dd18-3502-4a56-afb9-9fb69a04cd97\\6C81.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\6C81.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1720 set thread context of 1160 | N/A | C:\Users\Admin\AppData\Local\Temp\6C81.exe | C:\Users\Admin\AppData\Local\Temp\6C81.exe |
| PID 3512 set thread context of 4728 | N/A | C:\Users\Admin\AppData\Local\Temp\6C81.exe | C:\Users\Admin\AppData\Local\Temp\6C81.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6C81.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\C36E.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe | "C:\Users\Admin\AppData\Local\Temp\0b31dc8d9eeaa4a6803873a6c1380c72.exe" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\486E.bat" " |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\6C81.exe | C:\Users\Admin\AppData\Local\Temp\6C81.exe |
| C:\Users\Admin\AppData\Local\Temp\6C81.exe | C:\Users\Admin\AppData\Local\Temp\6C81.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\f649dd18-3502-4a56-afb9-9fb69a04cd97" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\A4B9.exe | C:\Users\Admin\AppData\Local\Temp\A4B9.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4D7.bat" " |
| C:\Users\Admin\AppData\Local\Temp\6C81.exe | "C:\Users\Admin\AppData\Local\Temp\6C81.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\system32\reg.exe | reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1 |
| C:\Users\Admin\AppData\Local\Temp\6C81.exe | "C:\Users\Admin\AppData\Local\Temp\6C81.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4728 -ip 4728 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 568 |
| C:\Users\Admin\AppData\Local\Temp\C36E.exe | C:\Users\Admin\AppData\Local\Temp\C36E.exe |
| C:\Users\Admin\AppData\Local\Temp\EA7F.exe | C:\Users\Admin\AppData\Local\Temp\EA7F.exe |
| C:\Users\Admin\AppData\Local\Temp\FD0E.exe | C:\Users\Admin\AppData\Local\Temp\FD0E.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\C36E.exe | "C:\Users\Admin\AppData\Local\Temp\C36E.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\5BE9.exe | C:\Users\Admin\AppData\Local\Temp\5BE9.exe |
| C:\Users\Admin\AppData\Local\Temp\81B1.exe | C:\Users\Admin\AppData\Local\Temp\81B1.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe" |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\containerProviderhost\SSJnjC24t.bat" " |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\reg.exe | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f |
| C:\containerProviderhost\runtimenetSvc.exe | "C:\containerProviderhost/runtimenetSvc.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3756 -ip 3756 |
| C:\Windows\SysWOW64\dialer.exe | "C:\Windows\system32\dialer.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 436 |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AjfCaQL16X.bat" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3756 -ip 3756 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 432 |
| C:\Windows\system32\chcp.com | chcp 65001 |
| C:\Windows\system32\PING.EXE | ping -n 10 localhost |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\RemotePackages\RemoteDesktops\System.exe | "C:\Windows\RemotePackages\RemoteDesktops\System.exe" |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
Network
Files
C:\Users\Admin\AppData\Local\Temp\486E.bat
C:\Users\Admin\AppData\Local\Temp\6C81.exe
C:\Users\Admin\AppData\Local\Temp\A4B9.exe
C:\Users\Admin\AppData\Local\Temp\C36E.exe
C:\Users\Admin\AppData\Local\Temp\EA7F.exe
C:\Users\Admin\AppData\Local\Temp\FD0E.exe
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oxiceuap.omf.ps1
C:\Users\Admin\AppData\Local\Temp\5BE9.exe
C:\Users\Admin\AppData\Local\Temp\81B1.exe
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
C:\containerProviderhost\lSHV2TIIXWH4jLBRX.vbe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Windows\rss\csrss.exe
C:\containerProviderhost\SSJnjC24t.bat
C:\containerProviderhost\runtimenetSvc.exe
C:\Windows\RemotePackages\RemoteDesktops\System.exe
| MD5 | 5fc19e08c5473ce9c2eb49ed1ba02e1a |
| SHA1 | dcf8114269eb5a521ba640baf06539a8e3511424 |
| SHA256 | 3375dd49e1e34fbb3f42300a52ebe4d880f8115dccc9ae1cd32d10c2f49266f3 |
| SHA512 | 900099f77265346cd0e5eb5e5d8c0fb40684b84fe468ce454d65b3848977c0da9fe27ee3c5510627d2a622cd79d2a50070636f66f6efede2c4ab8beb64dc7039 |
memory/3792-443-0x0000000000F50000-0x0000000000F59000-memory.dmp
memory/3756-436-0x00000000755D0000-0x00000000757E5000-memory.dmp
memory/3792-455-0x0000000002CD0000-0x00000000030D0000-memory.dmp
memory/3792-456-0x00007FFF357B0000-0x00007FFF359A5000-memory.dmp
memory/3792-459-0x00000000755D0000-0x00000000757E5000-memory.dmp
memory/2288-462-0x000000001BF50000-0x000000001BF9E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AjfCaQL16X.bat
| MD5 | 2dddd3e8023e3cd88c2d193a3183a114 |
| SHA1 | 6ba940af96cd348f661292ba0fd8b88b1a49b232 |
| SHA256 | 7df4d1702dbd09ea4b8d4ecd527a356a7420eab5c81e3604c97b49e2dd42b25f |
| SHA512 | a8bcaebaba6a0df830b5ed8fcdb3ff2eba9096176f388150aa520501b50f9cf774fbf5e68fdc89079a3ee30c1caf49e7b6efc4c1e8250c63723941d6dbe262b8 |
memory/4696-471-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 15abbd0c9a3a9fa9690e7e47407ec4e8 |
| SHA1 | d310de8efc4534aef1882943bb00a9824c34f021 |
| SHA256 | 4ca1929ad79a800831ec1b8e697de3bbcc0671e453af16f07d90b2e5cbc4aaf0 |
| SHA512 | 480cc787c18402c40463a5d7e34e64da6ffcc023aa149a71e9c2e7ad3f69fd7c1540f72c4ef2a3d693e82855482929f9a0137c9781f31354c43f1e00a520eaca |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7940462eaedbb9f344fce5d9127edd70 |
| SHA1 | 02ec495cd2de1ae6f77b67239e6df9b46933c160 |
| SHA256 | 32a14fc4e1a4a87b134c9130962736d9012587d1a9de1702ce2ad99ce4e1606d |
| SHA512 | b0d705599d931ad7b48367236f37877b3071b39800b0722b237e2315728aedd8190bbc53c7d33157e8c0fc01fcc048009ff08439c113d3fd398f26abe598ef52 |
memory/2404-518-0x0000000000400000-0x0000000001E0D000-memory.dmp
memory/4696-541-0x00007FF64C7B0000-0x00007FF64D412000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
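The dropped-file listing above records the same path more than once with different digests (C:\Windows\rss\csrss.exe twice, the PowerShell StartupProfileData-Interactive file four times), so a hunt keyed on path alone, or on the last hash seen, would miss the rewritten copies. The following Python is an added example, not part of the sandbox report or its tooling: it parses this listing format (a path line, its `| ALGO | digest |` rows, and interleaved `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries) into IOC records, groups every digest per path, and matches candidate digests against them. The embedded sample is a constructed excerpt of a few entries copied from the listing above; the class and function names are the example's own.

```python
"""Parse a sandbox 'dropped files' listing into hunt-ready IOC records."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEMORY_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt: two entries for the same path plus two memory dumps,
# copied from the report listing; the real listing is much longer.
SAMPLE_LISTING = r"""
memory/3080-281-0x0000000000400000-0x0000000001E0D000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 2ddc231c26e2e1d968768ac594736c50 |
| SHA1 | 51591ff5c9fbca258f8fcc97433d7a78eb24f3ed |
| SHA256 | c46f50f2c777c3b08e7424344c950c7e17cbfdd92129ac054e51d1f04b7284d8 |
C:\Windows\rss\csrss.exe
| MD5 | e7fe0767c5f8b778d2bd973c9d8e20d8 |
| SHA1 | f4d7e20aee899e16c0297cea8090baf6e6c39722 |
| SHA256 | 0e9708a70a95c25bd9a0c1caa29a3b473ed0a46a74ff030c61df3f98c813f1eb |
memory/3756-328-0x0000000000400000-0x000000000046D000-memory.dmp
"""


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def validate_digest(algo: str, digest: str) -> bool:
    """Reject truncated or padded digests: a wrong-length IOC can never match."""
    return len(digest) == HASH_LENGTHS[algo]


def parse_listing(text: str):
    """Return (dropped_files, memory_regions) in report order."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if not validate_digest(algo, digest):
                raise ValueError(f"{algo} digest has wrong length: {line!r}")
            if current is not None:  # rows before any path (a table continued from
                current.hashes[algo] = digest  # an earlier section) cannot be attributed
            continue
        if line.startswith("|"):
            continue  # other table rows: headers, unrelated columns
        current = DroppedFile(path=line)  # any other non-empty line opens a new entry
        files.append(current)
    return files, regions


def hashes_by_path(files, algo="SHA256"):
    """All digests seen per path; several means the file was rewritten during detonation."""
    out = defaultdict(set)
    for f in files:
        if algo in f.hashes:
            out[f.path].add(f.hashes[algo])
    return dict(out)


def digest_index(files):
    """Map every recorded digest, whatever the algorithm, back to its path(s)."""
    index = defaultdict(set)
    for f in files:
        for digest in f.hashes.values():
            index[digest].add(f.path)
    return dict(index)


def hash_bytes(data: bytes) -> dict:
    """Digests of a candidate file's contents, in the same algorithms the report lists."""
    return {a: getattr(hashlib, a.lower())(data).hexdigest() for a in ("MD5", "SHA1", "SHA256")}


def match_digests(index, digests: dict) -> set:
    """Report paths whose recorded digests match any of the candidate digests."""
    hits = set()
    for digest in digests.values():
        hits |= index.get(digest.lower(), set())
    return hits


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    for path, digests in hashes_by_path(files).items():
        print(f"{path}: {len(digests)} distinct SHA256 value(s)")
    for r in regions:
        print(f"pid {r.pid}: 0x{r.start:X}-0x{r.end:X} ({r.size / 2**20:.1f} MiB)")
```

Feed the full listing to `parse_listing` and load `digest_index` into whatever does the hunting; `match_digests(index, hash_bytes(data))` then answers whether a file pulled from a host is one of the recorded drops regardless of where it now sits. The memory dump names carry useful context of their own: the `0x0000000000400000-0x0000000001E0D000` regions for PIDs 3080 and 2404 decode to about 26 MiB mapped at the default 32-bit image base, which is the size of image to expect when carving those dumps.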