Malware Analysis Report

2024-11-15 06:18

Sample ID 240227-p8648shh9w
Target 6958ACC382E71103A0B83D20BBBB37D2.exe
SHA256 078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164
Tags
dcrat djvu glupteba lumma rhadamanthys smokeloader zgrat tfd5 backdoor discovery dropper evasion infostealer loader persistence ransomware rat rootkit stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

078f586ebb8a22305540fb5982b2521f1b82e4317f286e13bab680fff0a9d164

Threat Level: Known bad

The file 6958ACC382E71103A0B83D20BBBB37D2.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Rhadamanthys

Djvu Ransomware

Glupteba payload

Lumma Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Detected Djvu ransomware

ZGRat

DcRat

Glupteba

Detect ZGRat V1

Modifies Windows Firewall

Downloads MZ/PE file

Modifies file permissions

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Deletes itself

UPX packed file

Checks installed software on the system

Manipulates WinMonFS driver.

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 13:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 13:01

Reported

2024-02-27 13:03

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

158s

Command Line

sihost.exe

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c3074f8d-3146-4d14-9731-666ebdb3c4f1\\C620.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C620.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Rhadamanthys

stealer rhadamanthys

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3068 created 2540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\system32\sihost.exe

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C620.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\74F4.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c3074f8d-3146-4d14-9731-666ebdb3c4f1\\C620.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C620.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\223E.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1502 = "Turkey Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-192 = "Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\223E.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 4812 N/A N/A C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 4812 N/A N/A C:\Windows\system32\cmd.exe
PID 4812 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4812 wrote to memory of 1644 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3396 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3396 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3396 wrote to memory of 3004 N/A N/A C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3004 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 1848 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Windows\SysWOW64\icacls.exe
PID 1848 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Windows\SysWOW64\icacls.exe
PID 1848 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Windows\SysWOW64\icacls.exe
PID 1848 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 1848 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 1848 wrote to memory of 3772 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3396 wrote to memory of 3592 N/A N/A C:\Windows\system32\taskmgr.exe
PID 3396 wrote to memory of 3592 N/A N/A C:\Windows\system32\taskmgr.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3772 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\C620.exe C:\Users\Admin\AppData\Local\Temp\C620.exe
PID 3396 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe
PID 3396 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe
PID 3396 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe
PID 2580 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2580 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2580 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2580 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2580 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2580 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2580 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2580 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2580 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\D97A.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3396 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\124E.exe
PID 3396 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\124E.exe
PID 3396 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\124E.exe
PID 3396 wrote to memory of 3668 N/A N/A C:\Windows\system32\cmd.exe
PID 3396 wrote to memory of 3668 N/A N/A C:\Windows\system32\cmd.exe
PID 3668 wrote to memory of 3200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3668 wrote to memory of 3200 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3396 wrote to memory of 876 N/A N/A C:\Users\Admin\AppData\Local\Temp\223E.exe
PID 3396 wrote to memory of 876 N/A N/A C:\Users\Admin\AppData\Local\Temp\223E.exe
PID 3396 wrote to memory of 876 N/A N/A C:\Users\Admin\AppData\Local\Temp\223E.exe
PID 876 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\223E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\223E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 876 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\223E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 236 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\223E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 236 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\223E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 236 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\223E.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3396 wrote to memory of 4364 N/A N/A C:\Users\Admin\AppData\Local\Temp\566E.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\sihost.exe

sihost.exe

C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe

"C:\Users\Admin\AppData\Local\Temp\6958ACC382E71103A0B83D20BBBB37D2.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AFF7.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\C620.exe

C:\Users\Admin\AppData\Local\Temp\C620.exe

C:\Users\Admin\AppData\Local\Temp\C620.exe

C:\Users\Admin\AppData\Local\Temp\C620.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c3074f8d-3146-4d14-9731-666ebdb3c4f1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\C620.exe

"C:\Users\Admin\AppData\Local\Temp\C620.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Users\Admin\AppData\Local\Temp\C620.exe

"C:\Users\Admin\AppData\Local\Temp\C620.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2832 -ip 2832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 568

C:\Users\Admin\AppData\Local\Temp\D97A.exe

C:\Users\Admin\AppData\Local\Temp\D97A.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\124E.exe

C:\Users\Admin\AppData\Local\Temp\124E.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1656.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\223E.exe

C:\Users\Admin\AppData\Local\Temp\223E.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\223E.exe

"C:\Users\Admin\AppData\Local\Temp\223E.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\566E.exe

C:\Users\Admin\AppData\Local\Temp\566E.exe

C:\Users\Admin\AppData\Local\Temp\74F4.exe

C:\Users\Admin\AppData\Local\Temp\74F4.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3068 -ip 3068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3068 -ip 3068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 432

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 70.174.106.193.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
KR 211.119.84.111:80 brusuax.com tcp
US 8.8.8.8:53 111.84.119.211.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 188.114.97.2:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
US 8.8.8.8:53 healthproline.pro udp
US 104.21.16.186:443 healthproline.pro tcp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 186.16.21.104.in-addr.arpa udp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 104.21.51.193:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 188.114.96.2:443 loftproper.com tcp
US 8.8.8.8:53 193.51.21.104.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 188.114.97.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 104.21.80.118:443 technologyenterdo.shop tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 172.67.195.126:443 detectordiscusser.shop tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 valowaves.com udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 104.21.51.243:443 valowaves.com tcp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 243.51.21.104.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 ef045008-77ad-4cbd-8e4f-d079f340a4c5.uuid.datadumpcloud.org udp
US 8.8.8.8:53 server11.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.104:443 server11.datadumpcloud.org tcp
US 8.8.8.8:53 248.249.33.3.in-addr.arpa udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.104:443 server11.datadumpcloud.org tcp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp
BG 185.82.216.104:443 server11.datadumpcloud.org tcp

Files

memory/1128-1-0x0000000000710000-0x0000000000810000-memory.dmp

memory/1128-2-0x00000000006B0000-0x00000000006BB000-memory.dmp

memory/1128-3-0x0000000000400000-0x000000000044A000-memory.dmp

memory/3396-4-0x0000000002620000-0x0000000002636000-memory.dmp

memory/1128-5-0x0000000000400000-0x000000000044A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AFF7.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\C620.exe

MD5 a9760450802b7908bab3c4c8be1c9948
SHA1 3ea93e1f4a59a6bcd35d8160fe48acbb38c05ede
SHA256 f96c9955e4f7adc63257a867ebc60d7216215fc3ca8b133fc59eac0ae42b3fdb
SHA512 09bd5f5262489d6b9d3f15ceffda2b531e83ddc0d47ee4d302f55614cc21e504a3dee0699d6fa286de18b52d115c9d49a92df4aa62bccee545d2fa11a8832b3d

memory/3004-20-0x0000000003670000-0x0000000003712000-memory.dmp

memory/3004-21-0x00000000038F0000-0x0000000003A0B000-memory.dmp

memory/1848-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1848-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1848-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1848-26-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1848-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3772-41-0x0000000003770000-0x0000000003809000-memory.dmp

memory/2832-44-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2832-45-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2832-48-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3592-51-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

memory/3592-52-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

memory/3592-53-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

memory/3592-57-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

memory/3592-58-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

memory/3592-59-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

memory/3592-60-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

memory/3592-61-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

memory/3592-62-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

memory/3592-63-0x000001CA37DE0000-0x000001CA37DE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D97A.exe

MD5 9263197aa58e0e5bce76cce8f6323a9c
SHA1 06cf5f4f2c3b8a7cbf8064f15f4e6f988197470b
SHA256 ef798468db36b921f6c2830f5eb95c6e31b5e118f10a0aea9e944960cdf96a16
SHA512 cdf2f98ac3aa9efddb8908ce1101f429bb390617638d3fdd1ad698fa03727c183879d68a4a1ee8b15a12b1f7c840b8d6df1f6fb63a95ff2ce8d0e5a40bd77fab

memory/2580-68-0x00000000008A0000-0x00000000008F0000-memory.dmp

memory/2580-69-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/1744-72-0x0000000000400000-0x0000000000449000-memory.dmp

memory/1744-75-0x0000000000400000-0x0000000000449000-memory.dmp

memory/2580-77-0x00000000751A0000-0x0000000075950000-memory.dmp

memory/2580-78-0x0000000002E70000-0x0000000004E70000-memory.dmp

memory/1744-79-0x00000000013A0000-0x00000000013D2000-memory.dmp

memory/1744-81-0x00000000013A0000-0x00000000013D2000-memory.dmp

memory/1744-80-0x00000000013A0000-0x00000000013D2000-memory.dmp

memory/1744-82-0x00000000013A0000-0x00000000013D2000-memory.dmp

memory/1744-83-0x0000000000400000-0x0000000000449000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\124E.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/4140-92-0x00000000015D0000-0x00000000015D1000-memory.dmp

memory/4140-93-0x00000000007D0000-0x000000000107F000-memory.dmp

memory/4140-94-0x00000000007D0000-0x000000000107F000-memory.dmp

memory/4140-97-0x00000000015E0000-0x00000000015E1000-memory.dmp

memory/4140-96-0x00000000015E0000-0x00000000015E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\223E.exe

MD5 36ec1d695debbe79b89bc646488a56f1
SHA1 ca67c404f7f2f79f1d09b1b4b82e457044ba434e
SHA256 14f09227c447c380b59dc42155e0e8a1cdddecc35ec6c29a7f05c0b4a0101c39
SHA512 b4ae53dabbe3bcd9a8a530e036cbf0693936811fb2edbd826d69777114915f5e9134365e6f0b7725090b7600666d0f1dcb303785c161a8f6ae0ac3971008c8e6

memory/2580-103-0x0000000002E70000-0x0000000004E70000-memory.dmp

memory/876-104-0x0000000003A10000-0x0000000003E0C000-memory.dmp

memory/876-105-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/876-106-0x0000000003F10000-0x00000000047FB000-memory.dmp

memory/4140-107-0x00000000007D0000-0x000000000107F000-memory.dmp

memory/380-108-0x0000000074960000-0x0000000075110000-memory.dmp

memory/380-109-0x0000000002E40000-0x0000000002E76000-memory.dmp

memory/380-110-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/380-111-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/380-112-0x0000000005D20000-0x0000000006348000-memory.dmp

memory/380-113-0x00000000056A0000-0x00000000056C2000-memory.dmp

memory/380-114-0x0000000005860000-0x00000000058C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lzfinwgy.cnl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/380-115-0x0000000005A50000-0x0000000005AB6000-memory.dmp

memory/380-125-0x0000000006350000-0x00000000066A4000-memory.dmp

memory/380-126-0x0000000006780000-0x000000000679E000-memory.dmp

memory/380-127-0x00000000067D0000-0x000000000681C000-memory.dmp

memory/380-128-0x0000000006D30000-0x0000000006D74000-memory.dmp

memory/380-129-0x00000000056E0000-0x00000000056F0000-memory.dmp

memory/380-130-0x00000000078D0000-0x0000000007946000-memory.dmp

memory/380-131-0x0000000007FD0000-0x000000000864A000-memory.dmp

memory/380-132-0x0000000007970000-0x000000000798A000-memory.dmp

memory/380-133-0x0000000007B30000-0x0000000007B62000-memory.dmp

memory/380-134-0x000000007F3C0000-0x000000007F3D0000-memory.dmp

memory/380-135-0x00000000751E0000-0x000000007522C000-memory.dmp

memory/380-136-0x0000000070CB0000-0x0000000071004000-memory.dmp

memory/380-146-0x0000000007B10000-0x0000000007B2E000-memory.dmp

memory/380-147-0x0000000007D70000-0x0000000007E13000-memory.dmp

memory/380-148-0x0000000007E60000-0x0000000007E6A000-memory.dmp

memory/380-149-0x0000000007F20000-0x0000000007FB6000-memory.dmp

memory/380-150-0x0000000007E80000-0x0000000007E91000-memory.dmp

memory/380-151-0x0000000007EC0000-0x0000000007ECE000-memory.dmp

memory/380-152-0x0000000007ED0000-0x0000000007EE4000-memory.dmp

memory/380-153-0x0000000008650000-0x000000000866A000-memory.dmp

memory/380-154-0x0000000007F00000-0x0000000007F08000-memory.dmp

memory/380-156-0x0000000074960000-0x0000000075110000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\223E.exe

MD5 435f7f4c2ae0a571e87ad16e1bfa40ca
SHA1 afc7d122eccd2d7e8f24bc4f112c9e63394d5fd9
SHA256 3ba02dee4a8dd896dbf3f96a349eb985c40e656c2b3c024ce9d0b1131d3e83d5
SHA512 8f4aa0d318e55020122b3e77ed2f05b1d49d52ed6aea95d54d9ef1ea6fab936561a43b0ad9ea8f4dabc3ea611828003a6aa76babd0fd74d5a61b161c469b0419

memory/876-159-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/236-160-0x00000000039E0000-0x0000000003DE3000-memory.dmp

memory/236-161-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\566E.exe

MD5 e7f70b105895c26348f294da022b2f4c
SHA1 3c6ae92936678283f7832af1672fadcb791a4b65
SHA256 fbc6d99493d49dd260116d48e9a6e01d33ab6716e460fd4b16dfecb2c7b8907f
SHA512 637dc2dc0347d11a1bafe66c0a7eaa64fd661c51f296bec52925502a24138caed7450b368738447779e7ca45d926325e078344a2021c3cdd1ca24654892d91df

C:\Users\Admin\AppData\Local\Temp\566E.exe

MD5 c00114cd21c605efb9f433a0a026d92d
SHA1 91266036843eb217edba0ab5728a1ea4e0577597
SHA256 1fc7c3d55e038721889650c9cdf34b34a302892586756d2f2e4d8b3b9d1ecc9f
SHA512 b98bd8ac8cd00cc574b61d96cebf0937796d880505567e63d11febaa1dcbceade0a725ab8051c5581a7922f7e37a71147e002c8e181fdc9da641e28ae6246a46

memory/1152-166-0x0000000074960000-0x0000000075110000-memory.dmp

memory/1152-167-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

memory/876-168-0x0000000003A10000-0x0000000003E0C000-memory.dmp

memory/1152-178-0x0000000005BB0000-0x0000000005F04000-memory.dmp

memory/1152-179-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

memory/1152-181-0x00000000751E0000-0x000000007522C000-memory.dmp

memory/1152-182-0x00000000711E0000-0x0000000071534000-memory.dmp

memory/1152-192-0x0000000007330000-0x00000000073D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\74F4.exe

MD5 d82368b2841957964ee318e819f2c72f
SHA1 433744fd3d02ec787ee4bf1ff0be7c27513e9faa
SHA256 f3aa50af194429085c751824c0826e2cd9a19d697bc2ef24e0c3c6d882cd876e
SHA512 9039aa57de3300c0a0344bec68373ec5ab624565728346183c56f420d24b0fe525effb9abccdfebac9544100558e13582adaea60bd384e941ddc4500daac9325

C:\Users\Admin\AppData\Local\Temp\74F4.exe

MD5 7187e773d67a78998b4ec28ea4ad5a7d
SHA1 b1c56517ef7c0ee2be140dc9e0a12586be41d42e
SHA256 c9fd37d414acf3b81e9b0e4bd3313349ca07a187c5cbbdbd8fa16c4b5f00c440
SHA512 7e43b59770204e51852ca75d492702af5deeb2f41bd04ddab95e1eda6d5ac498b531a0f87748db19dc838912c7972a666c58426800086bf7b4517b4832475830

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/236-206-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/4364-207-0x00007FF623DF0000-0x00007FF624A52000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6e5197e83053bfdbfefbf575b33ad342
SHA1 4efb146972457381eb519337a043ef3eec67f331
SHA256 3273fb8023916231b005f00e5e4a07a2dcdeb3702969c46bc309a87bc4f2a20a
SHA512 1c43793449cab1ed68ae464b20e59f80f727a39899c3a9d9afd3d7b76a560c490097b687a8cfeeeb5122ccf36cef6521c400ebde51f4ca5ec1c7bc7e5628f41c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7b31c2026205829baf7034c63bf3c1dd
SHA1 c12c68bc59fb5e8aea5d0d85f1976b33fe2878c9
SHA256 1b30281fef0a659697e57b34a411942a2cfa3f5c968370a740797a4737091240
SHA512 f0520366b96fd5fed2ab31f1f3ac4a32c6068a4e572f448f49897771d93d14c7e3da440d7bb963baf8bf5ba7c13f6fa484a64003d83ea57d1db8e97eb957698f

memory/236-251-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/236-270-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/4364-272-0x00007FF623DF0000-0x00007FF624A52000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2d83dfe0d422b31d9c18411557692ad4
SHA1 b4c061dfd24093110240a6237c691257e4eac932
SHA256 3e2a9e05fb0363bf31f8f73b1242513aa5259ab909f7242e0003560b4c521d4e
SHA512 c010bddfede9284e508211e310a57c9a125423cab9ce65bbf4cf11a6cb60be2723230f66998614b92259b595636523797b3a3d00db0ba41f0b9f6046e615119c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e8ba664405a8c2e2ad407d671926faa8
SHA1 cf4eddc8281f363fb6a27a9985d7aef3a387e54c
SHA256 38ee0deac3c82a85d2591f476077b20ebb409c6a29d1b09cf1da786349a5f5d0
SHA512 f84e678466b52e5b589f201790010ae269553728fd8545aeaf4b22530d474fbd9bf0e2e57fec1845732a5aa44532ca31b5ebc917a8f1abd784169c5361d15a22

memory/4364-321-0x00007FF623DF0000-0x00007FF624A52000-memory.dmp

memory/4156-339-0x0000000000400000-0x0000000001E0D000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1c1ba60d59ccbf4bf9fc8ae998662680
SHA1 a0e7e1ea3c426375492c6d914b0bac55e26190d7
SHA256 17ca5127d09be58029f5f789350ed4e779674986f1e0884b658e6fe4fde64e8c
SHA512 124e06d27fb5d43446d424e405b2fe514a7ff517aa41e1a874b1fa32d1192762b5ba221f1a6e46b34fe2473594755c1bf89bb3e5a040caad6194b956379dc4a4

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/3068-386-0x0000000000400000-0x000000000046D000-memory.dmp

memory/3068-391-0x0000000000400000-0x000000000046D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

MD5 09031a062610d77d685c9934318b4170
SHA1 880f744184e7774f3d14c1bb857e21cc7fe89a6d
SHA256 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
SHA512 9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27

memory/3068-402-0x0000000003AA0000-0x0000000003EA0000-memory.dmp

memory/3068-404-0x0000000003AA0000-0x0000000003EA0000-memory.dmp

memory/4364-403-0x00007FF623DF0000-0x00007FF624A52000-memory.dmp

memory/3068-406-0x00007FFA9BE50000-0x00007FFA9C045000-memory.dmp

memory/4156-405-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/3068-408-0x00000000778D0000-0x0000000077AE5000-memory.dmp

memory/1272-409-0x00000000001B0000-0x00000000001B9000-memory.dmp

memory/1272-411-0x0000000002040000-0x0000000002440000-memory.dmp

memory/1272-412-0x00007FFA9BE50000-0x00007FFA9C045000-memory.dmp

memory/1272-415-0x00000000778D0000-0x0000000077AE5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/4916-426-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4364-427-0x00007FF623DF0000-0x00007FF624A52000-memory.dmp

memory/4156-428-0x0000000000400000-0x0000000001E0D000-memory.dmp

memory/4364-430-0x00007FF623DF0000-0x00007FF624A52000-memory.dmp