Malware Analysis Report

2024-11-30 05:03

Sample ID 240229-lztwrsdd4y
Target 117a962cde2568514649b76a004190f1.exe
SHA256 8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0
Tags
amadey dcrat djvu glupteba smokeloader vidar 9b0f0dc6c2ca6ddeab1d498d4cdc7267 pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan lumma upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0

Threat Level: Known bad

The file 117a962cde2568514649b76a004190f1.exe was found to be: Known bad.

Malicious Activity Summary

Amadey

DcRat

Glupteba payload

SmokeLoader

Lumma Stealer

Windows security bypass

Glupteba

Djvu Ransomware

Detect Vidar Stealer

Vidar

Detected Djvu ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Installed Components in the registry

Modifies Windows Firewall

Modifies file permissions

Checks BIOS information in registry

UPX packed file

Checks computer location settings

Deletes itself

Executes dropped EXE

Identifies Wine through registry keys

Windows security modification

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies registry class

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-29 09:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
(1 match; no indicator detail recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-29 09:58

Reported

2024-02-29 10:01

Platform

win7-20240221-en

Max time kernel

107s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eac8bb84-4bc6-4e79-aa09-3d74104203c0\\9EAF.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Detect Vidar Stealer

stealer
Description | Indicator | Process | Target
(3 matches; no indicator detail recorded)

Detected Djvu ransomware

Description | Indicator | Process | Target
(13 matches; no indicator detail recorded)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
(3 matches; no indicator detail recorded)

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1DC3.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A

Deletes itself

Description | Indicator | Process | Target
(1 match; no indicator detail recorded)

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1DC3.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eac8bb84-4bc6-4e79-aa09-3d74104203c0\\9EAF.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.2ip.ua | N/A | N/A (recorded 3 times)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A
File created | C:\Windows\Logs\CBS\CbsPersist_20240229095948.cab | C:\Windows\system32\makecab.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A

Note: the CbsPersist_*.cab written by makecab.exe is the servicing stack's routine compression of the CBS log and is not attributable to the sample; the two indicators that matter here are the csrss.exe copy dropped under C:\Windows\rss (the image the Run key and Defender exclusions above point at) and the explorgu.job task file.

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\atbwgij | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\atbwgij | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\atbwgij | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
All 64 rows are "Set value (str)" writes under \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\ with Target N/A. They are grouped by writing process below, with the indicator shown as the value name relative to that key.

Process C:\Users\Admin\AppData\Local\Temp\1DC3.exe (60 rows; value names have the form C:\Windows\system32\,@tzres.dll,-<id>):
-141 = "Canada Central Daylight Time"
-271 = "Greenwich Daylight Time"
-82 = "Atlantic Standard Time"
-352 = "FLE Standard Time"
-772 = "Montevideo Standard Time"
-351 = "FLE Daylight Time"
-1472 = "Magadan Standard Time"
-522 = "N. Central Asia Standard Time"
-591 = "Malay Peninsula Daylight Time"
-391 = "Arab Daylight Time"
-362 = "GTB Standard Time"
-191 = "Mountain Daylight Time"
-582 = "North Asia East Standard Time"
-691 = "Tasmania Daylight Time"
-632 = "Tokyo Standard Time"
-51 = "Greenland Daylight Time"
-384 = "Namibia Daylight Time"
-682 = "E. Australia Standard Time"
-81 = "Atlantic Daylight Time"
-461 = "Afghanistan Daylight Time"
-622 = "Korea Standard Time"
-621 = "Korea Daylight Time"
-541 = "Myanmar Daylight Time"
-732 = "Fiji Standard Time"
-341 = "Egypt Daylight Time"
-872 = "Pakistan Standard Time"
-871 = "Pakistan Daylight Time"
-421 = "Russian Daylight Time"
-334 = "Jordan Daylight Time"
-182 = "Mountain Standard Time (Mexico)"
-932 = "Coordinated Universal Time"
-471 = "Ekaterinburg Daylight Time"
-221 = "Alaskan Daylight Time"
-562 = "SE Asia Standard Time"
-281 = "Central Europe Daylight Time"
-661 = "Cen. Australia Daylight Time"
-832 = "SA Eastern Standard Time"
-132 = "US Eastern Standard Time"
-671 = "AUS Eastern Daylight Time"
-22 = "Cape Verde Standard Time"
-262 = "GMT Standard Time"
-104 = "Central Brazilian Daylight Time"
-892 = "Morocco Standard Time"
-432 = "Iran Standard Time"
-241 = "Samoa Daylight Time"
-442 = "Arabian Standard Time"
-291 = "Central European Daylight Time"
-332 = "E. Europe Standard Time"
-72 = "Newfoundland Standard Time"
-201 = "US Mountain Daylight Time"
-651 = "AUS Central Daylight Time"
-11 = "Azores Daylight Time"
-512 = "Central Asia Standard Time"
-511 = "Central Asia Daylight Time"
-211 = "Pacific Daylight Time"
-122 = "SA Pacific Standard Time"
-752 = "Tonga Standard Time"
-131 = "US Eastern Daylight Time"
-662 = "Cen. Australia Standard Time"
-251 = "Dateline Daylight Time"

Process C:\Windows\system32\netsh.exe (4 rows):
@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"
@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"
@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"
@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"

Note: MuiCache entries are written by the loader whenever a process resolves a localized resource string, so these rows are a side effect rather than a deliberate registry change. What they actually record is that 1DC3.exe enumerated the system's time zones (a common locale/geolocation check, consistent with the "Checks computer location settings" signature above) and that netsh.exe ran, which ties in with the "Modifies Windows Firewall" signature.

Modifies system certificate store

evasion spyware trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob not reproduced on this page] | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe | N/A
Set value (data) | (the same Blob write, recorded a second time) | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe | N/A

Note: AuthRoot is the store in which Windows caches roots fetched by the automatic root-update mechanism, and 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 is the SHA-1 thumbprint of the DigiCert High Assurance EV Root CA. A write of that root in the context of build2.exe is therefore consistent with the OS caching a publicly trusted root when the process opened an HTTPS connection, not with a rogue root being installed. Check the thumbprint against the current Microsoft Trusted Root Program list before treating this signature as evidence of certificate-store tampering.
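The registry evidence in the Defender-exclusion, anti-VM, Run-key and certificate-store tables above is the part of this report an analyst would want to re-derive mechanically rather than read row by row. The Python below is an added example for this page, not sandbox output and not code from any of the malware families named here. It parses rows in the pipe-separated "Description | Indicator | Process | Target" form, classifies each event against those four behaviours, flags the high-fidelity case of a process excluding its own image from Defender, recovers the launched executable from the escaped Run-key command line, and groups the findings per process. The sample rows are constructed from this report's own evidence; the ATT&CK technique labels and all function names are the editor's choices, and MuiCache rows are shown to fall through as noise.

```python
import re
from collections import defaultdict

# Constructed sample (added example): rows copied from this report's evidence
# tables in the form  Description | Indicator | Process | Target.
SAMPLE_ROWS = r"""
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1DC3.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\eac8bb84-4bc6-4e79-aa09-3d74104203c0\\9EAF.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
"""

_VALUE_RE = re.compile(r'^(?P<key>.*?) = "(?P<value>.*)"$')
_IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
_DEFENDER_EXCL = re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\(.+)$", re.I)
_RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\([^\\]+)$", re.I)
_ROOT_CERT = re.compile(r"\\SystemCertificates\\(AuthRoot|Root)\\Certificates\\([0-9A-F]{40})(?:\\Blob)?$", re.I)
_FINGERPRINT = re.compile(r"\\ACPI\\DSDT\\VBOX__$|\\SystemBiosVersion$|\\VideoBiosVersion$|\\Software\\Wine$|\\Enum\\SCSI$", re.I)


def parse_rows(text):
    """Yield (description, indicator, process, target) from pipe-separated rows."""
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(" | ")]
        if len(parts) == 4:
            yield tuple(parts)


def split_indicator(indicator):
    """'key = "value"' -> (key, value); (key, None) for key-only events."""
    m = _VALUE_RE.match(indicator)
    return (m.group("key"), m.group("value")) if m else (indicator, None)


def unescape_value(value):
    """Undo the sandbox's C-style escaping of backslashes and quotes in string data."""
    return re.sub(r"\\(.)", r"\1", value)


def image_from_command(command):
    """Executable path from a Run-key command line, quoted or bare."""
    m = _IMAGE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command


def classify(description, indicator, process):
    """Return (category, detail) for a row matching a flagged behaviour, else None."""
    key, value = split_indicator(indicator)
    writes = description.startswith(("Set value", "Key created"))
    m = _DEFENDER_EXCL.search(key)
    if m and writes:
        excluded, proc = m.group(2).lower().rstrip("\\"), process.lower()
        # A process whitelisting its own image or directory is the high-fidelity case.
        own = excluded in (proc, proc.rsplit("\\", 1)[-1]) or proc.startswith(excluded + "\\")
        return ("T1562.001 Defender exclusion" + (" (self)" if own else ""), m.group(2))
    m = _RUN_KEY.search(key)
    if m and writes and value is not None:
        return ("T1547.001 Run key persistence",
                (m.group(2), image_from_command(unescape_value(value))))
    m = _ROOT_CERT.search(key)
    if m and writes:
        return ("T1553.004 root certificate installed", m.group(2).upper())
    if _FINGERPRINT.search(key):
        return ("T1497 hypervisor/sandbox fingerprinting", key.rsplit("\\", 1)[-1])
    return None  # anything else (MuiCache string-cache rows, etc.) is noise here


def triage(rows_text):
    """Group distinct findings by the process that produced them."""
    findings = defaultdict(list)
    for description, indicator, process, _target in parse_rows(rows_text):
        hit = classify(description, indicator, process)
        if hit and hit not in findings[process]:
            findings[process].append(hit)
    return dict(findings)


def run_key_images(findings):
    """Map each Run-key value name to the executable it launches."""
    out = {}
    for hits in findings.values():
        for category, detail in hits:
            if category.startswith("T1547.001"):
                out[detail[0]] = detail[1]
    return out


if __name__ == "__main__":
    for process, hits in triage(SAMPLE_ROWS).items():
        print(process)
        for category, detail in hits:
            print(f"  {category}: {detail}")
```

Run against the rows above, the output puts the three exclusions and the csrss Run key under 1DC3.exe, the three fingerprinting reads under 684C.exe, the SysHelper Run key under 9EAF.exe and the AuthRoot write under build2.exe; the same parser will take any Triage-style evidence table once its rows are pipe-separated.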

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe | N/A
(62 further matches; no indicator or process recorded)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\atbwgij | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1DC3.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\684C.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1200 wrote to memory of 2736 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | 4
PID 2736 wrote to memory of 2580 | N/A | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | 11
PID 2580 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | C:\Windows\SysWOW64\icacls.exe | 4
PID 2580 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | 4
PID 2792 wrote to memory of 1852 | N/A | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | 11
PID 1852 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe | 4
PID 1364 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe | 11
PID 1852 wrote to memory of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\9EAF.exe | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe | 4
PID 2040 wrote to memory of 564 | N/A | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe | C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe | 3 (the extracted page ends inside this table)

Identical rows have been collapsed; Events is the number of times the sandbox recorded that write. Read as a chain: 1200 starts 9EAF.exe (2736), which writes into a second copy of itself (2580); that copy writes into icacls.exe (1624) and into a third copy (2792), which writes into a fourth (1852); the fourth launches build2.exe (1364) and build3.exe (2040), each of which in turn writes into a fresh copy of its own image. Four writes into a newly created process followed by eleven into the next same-image copy recurs at every stage.
PID 2040 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe
PID 2040 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe
PID 2040 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe
PID 2040 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe
PID 2040 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe
PID 2040 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe
PID 2040 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe
PID 564 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe

"C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe"

C:\Users\Admin\AppData\Local\Temp\9EAF.exe

C:\Users\Admin\AppData\Local\Temp\9EAF.exe

C:\Users\Admin\AppData\Local\Temp\9EAF.exe

C:\Users\Admin\AppData\Local\Temp\9EAF.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\eac8bb84-4bc6-4e79-aa09-3d74104203c0" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\9EAF.exe

"C:\Users\Admin\AppData\Local\Temp\9EAF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\9EAF.exe

"C:\Users\Admin\AppData\Local\Temp\9EAF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe

"C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe"

C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe

"C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe"

C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe

"C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe"

C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe

"C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\492.exe

C:\Users\Admin\AppData\Local\Temp\492.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 124

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\1304.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 1436

C:\Users\Admin\AppData\Local\Temp\1DC3.exe

C:\Users\Admin\AppData\Local\Temp\1DC3.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240229095948.log C:\Windows\Logs\CBS\CbsPersist_20240229095948.cab

C:\Users\Admin\AppData\Local\Temp\3CD8.exe

C:\Users\Admin\AppData\Local\Temp\3CD8.exe

C:\Users\Admin\AppData\Local\Temp\1DC3.exe

"C:\Users\Admin\AppData\Local\Temp\1DC3.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C27D1A91-7763-4A41-B821-6DE1C680802C} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\atbwgij

C:\Users\Admin\AppData\Roaming\atbwgij

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\684C.exe

C:\Users\Admin\AppData\Local\Temp\684C.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x1c4

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
IR 151.233.51.166:80 brusuax.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
IR 151.233.51.166:80 brusuax.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 habrafa.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
PA 200.46.202.73:80 habrafa.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
PA 200.46.202.73:80 habrafa.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
FI 65.109.242.251:443 65.109.242.251 tcp
FI 65.109.242.251:443 65.109.242.251 tcp
FI 65.109.242.251:443 65.109.242.251 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
FI 65.109.242.251:443 65.109.242.251 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 104.21.51.193:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 188.114.96.2:443 loftproper.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 104.21.51.243:443 valowaves.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 185.215.113.45:80 185.215.113.45 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 b3262807-afd7-4093-93c4-0129ad055d24.uuid.filesdumpplace.org udp

Files

memory/2220-1-0x0000000001BE0000-0x0000000001CE0000-memory.dmp

memory/2220-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2220-3-0x0000000000400000-0x0000000001A2D000-memory.dmp

memory/1200-4-0x0000000002500000-0x0000000002516000-memory.dmp

memory/2220-5-0x0000000000400000-0x0000000001A2D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9EAF.exe

MD5 ac282e0c3008238e949df7acf56bd7e7
SHA1 3f27bf2d71cb268636064ae950a2f14ea2df3433
SHA256 4f0fea97eaf9353a2ce670fa8f46a72d3937edf86a090941b2d15487b43254bf
SHA512 93609e746c9a806ab5fddf50c7df44d00d069ce585e0105d305d83848735db1d905c5b38ca3d273e33a3585a4e5a61a0e38def517fd67b8209bea6406e05bc01

memory/2736-17-0x00000000025D0000-0x0000000002661000-memory.dmp

memory/2736-18-0x00000000025D0000-0x0000000002661000-memory.dmp

memory/2736-19-0x0000000002670000-0x000000000278B000-memory.dmp

memory/2580-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2580-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2580-49-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabB1F2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6fc5d0241a33361f89c615734aa219d3
SHA1 a40df413e88183262124d9b0d925b0a416418330
SHA256 90021b58da6b5da26809bdfd0dd5a1f1b6293a893ec4cab97533fd9dd51d6a92
SHA512 fb2b09b3803d3df940d5c1f941ec228365932fbf8f4c421f3679fc74bbc99dd4fc7238f22936853dc2734b69ccc8134b7a461814c1f93ab70a2e1b339a2acb3b

C:\Users\Admin\AppData\Local\Temp\TarB214.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2792-73-0x00000000002E0000-0x0000000000371000-memory.dmp

memory/2792-70-0x00000000002E0000-0x0000000000371000-memory.dmp

memory/1852-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1852-79-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\TarB47B.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a2002b54d5fe6c2ebe31fa91b13f7360
SHA1 998cdb8ce80164cd94f3054e26dd2ef046ea5114
SHA256 5369bd1618a4c6d3f7d054d53c79b2c55d16ce29417a693cd85da2a7bb75a884
SHA512 5cadf8c6fd1a10fd19df7eb40548390a52a4bf980202ad19fa2605978572e2a0dbac148e83a7224f218e4fd9b74da453d68a6531dc43aea82efe17446caefeb3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 99cf43afc01623efa3b9781714b546c5
SHA1 5be0a653c318b5f7d35f3783086e3c685d895f2a
SHA256 b6b539a56e82bc78fd4145eeece7122e0f106552960627a1f11dd04838a75729
SHA512 ad349279b52e5df07bad1ae1c2285af87bbdafd05dcde5648d55082719057f184b237a8adad37d20734eb26f0e0e0a19c48252ff54b7c1245b8b33ed2cd40236

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 cdd77ae5325d76e21f7e1fe60544f2fb
SHA1 fd646a12028c541897927848c33c86e752064581
SHA256 7cea23441f2fbd2e03e8f16a1b0a2b243964b806e3cd03683e0e92c2b49d9928
SHA512 1e486f631dfdde7b3dc0ede43c9cc1ea3c1993d68a45ab0a4b8ead0d6d79170fcb4171a95f16c5836da715b5375a239fa0bfd1be5e033c113145415007ecc727

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d5594999b3e7839c4d3ff505e244c61a
SHA1 6cebd58546c0c33cbdda73182f40b1d72b7d2fa2
SHA256 ba7cca389363e38131c3a86978d96c05c4de4c8e1554a0960436e7b31ca68797
SHA512 a3079a8d4610139134f08cecf984c6e091a3f4a52649992f9c1e3d25fcdaa35f059020315fc020d4de88b773c52852ff5a23e5f7307bf904d4b8061825ab839a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5dc1ca8f3e5cac876e38cbbfcf9a06e
SHA1 b00e65820cb59ae3b864b519a1323195a8420b26
SHA256 381c86e84e68c02ff2166159a31b6b7f7e92a184888faa851702dc9da06c14d6
SHA512 30e1e42f36fb65e4b2502c9cc387920c56fbd084d1866d301aa577f0d05f7d2ea5aa3846c79e797749639f182b80a47e71ac5eec77f3df5d39e8c1d5a25bd01a

memory/1852-140-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1852-141-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1852-145-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1852-147-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1852-148-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe

MD5 0aeafe1b6afa524ffe3dd410c6dc1c69
SHA1 3a77fc97517c528d3b325f30b9b75cb32b5dd71f
SHA256 b336240bcc57cbfb7de07464a0804ad8a229cf85654286c6c1ffa477f7cc3136
SHA512 d7a2444b9f7d1b410c5a14d8f6de74bb739b595152a9df5936f992722e2abcc26b312b00a79eee93b19a3e6a3266b89fa7df33ba07dfb04ec95ce1c080f63f1f

C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe

MD5 2b55c7eb9fb5007d1a71f7ad68dd32f3
SHA1 54b39a6b98926b011853ce183fc939516abf68bf
SHA256 2ede657c7fb4c831453285d260339393a10a345101b37dda28858ededc5671ee
SHA512 6199184f279977c184cf82483bc85e9de9c8c3cb35a95828529b715150928d05e1741d89d7fd043c0ec1941647af456cf658eb65fe3aafc58d19e81205dba541

memory/1364-164-0x0000000000290000-0x00000000002C4000-memory.dmp

memory/1364-163-0x00000000002E0000-0x00000000003E0000-memory.dmp

memory/1804-162-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1852-166-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1804-171-0x0000000000400000-0x0000000000647000-memory.dmp

memory/1804-182-0x0000000000400000-0x0000000000647000-memory.dmp

C:\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/564-186-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/564-188-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2040-190-0x00000000009C2000-0x00000000009D3000-memory.dmp

memory/2040-192-0x0000000000220000-0x0000000000224000-memory.dmp

memory/564-193-0x0000000000400000-0x0000000000406000-memory.dmp

memory/564-195-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9b4f8c00e95799dd26668a8166529946
SHA1 38645ede20a5dd3a68fe4c971de2918162c14499
SHA256 66d3b911ddbf05cc6e1f7ee8e30650cf9d89c9531459ca79561fc158f152dd01
SHA512 7597f67ab686110be6861b3e026b3a24eeefb50f4feb998ff180f2d334332f70e32e58ac090681289da0f556a71cc04feeca7de8983fd6cc093edb6faa317ef0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1b85a1df51617f1227522fb20ae3195
SHA1 d9214c842d07a7a1d7d3c8f04861553be9320b4b
SHA256 d7051a322d4dcb0bb032d40a7def1d99b44048516cd0be000bfd3cdbfacf4512
SHA512 48946e65df57c3cf069f16d369777563b6805d6b5b53ecdb6749f1052e38bf9fb34c5bbbbb9160c991f5c4447222dfb0d6907e5c3313145ca5968c9b319af782

C:\Users\Admin\AppData\Local\Temp\492.exe

MD5 a31c4d9ca7b9b490af9a2cb5e46fea5e
SHA1 be44090ac837f880229c28b0628225600d3cb70f
SHA256 1bce914bf6be2103d06d72c9b0668e9e604db11a6cd5df6c1bad41b743d8f23d
SHA512 63609aacd1812c5d8d9135fa8cdd7d26289a0b6ecaa7e405c4d7dab4e901fb5b6f7b9a1b5d3e275d7466a13e9df14d90c6d934c11baed895749ea712393655fc

C:\Users\Admin\AppData\Local\Temp\492.exe

MD5 d689d942a645a468007b85fdf9413de9
SHA1 c94e0a7ff515c05a73048f3c6d2dd0c95071c4b6
SHA256 82177bd7ae6c995aa53d63d21e5c53883af16f3b84832d5557fe3dfce3cf58cd
SHA512 525184773ae2e1642e05bee15b58457a995a3225f417a8b26580d306bd292ab880d9768187b6e5c144bf9d4eb3f95f2a2b82f7402eb11b3239740f5412f7608c

memory/3068-304-0x0000000000080000-0x0000000000081000-memory.dmp

memory/3068-314-0x0000000000080000-0x0000000000081000-memory.dmp

memory/3068-316-0x0000000000080000-0x0000000000081000-memory.dmp

memory/3068-317-0x0000000000C30000-0x0000000001521000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1304.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

\Users\Admin\AppData\Local\68f41ecf-0d63-4a6a-9fd6-bb040a04cd34\build2.exe

MD5 8911b8fbcd0fd3905034a6e675f1df13
SHA1 afb96215b9f41a6ee996e4e34cbe5dba13dac587
SHA256 65b359f6ebb341d435219b8eb76b50ae1cf08a3d6396f42b5dca4bc617d0ebef
SHA512 58b0c6b723458f38f8d760f03bba93b746dd85f08590c427fb0e46bef6140b4ea5e696cd598ba21995514f6b0901ed14733a26abe04cb3efb051e97e0bd66608

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a712d1e7b208ec75790f7ae0e9973160
SHA1 bb63cfaf00bda9e3a9865861062d134923e5445a
SHA256 95edd9c3e7af744bdf492d1f585a0f10664de1ac74a067397c18b460265367fa
SHA512 81adf7e91c7e5b84ec4e03052e1bc77d069a81985938a29b0ddc4e7f097f5aeb27739cdc8063f176a8f306ad758348c0bda6ea630492cb661c6592874a99e709

C:\Users\Admin\AppData\Local\Temp\1DC3.exe

MD5 5cd729a81f8df732af6b2c09fd916f97
SHA1 3d3414d23871b631d86a333cf96c32b5b9ecc8b3
SHA256 23186a89509523382778522137057e76a4bb70d280e112b87bbcca198002fc51
SHA512 df67cf0a507774938e64d73286ed1071f5c79b0f02c22e9e0aa9322836b2aa5443321766143df7556710f1109a7ded9d7b80e4e8f74994f4b6eefa685db508b1

C:\Users\Admin\AppData\Local\Temp\1DC3.exe

MD5 705ebd77c44dead41c4ebaadcd2bf2e3
SHA1 07fc952dca37ad1797aa693294fab87cfc918bac
SHA256 749f93f653efb9f13f49857b4a79871e99e534795f264ef7633cd6312bd78141
SHA512 ed93b8f1238c83e12e422a0497df01c0e27c872278bec278759b16fb56b49f1f3ef03704adc3949bb647938d984bb5ada38625c095cd7bfdfabde8c73241724b

memory/1432-371-0x0000000004020000-0x0000000004418000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1DC3.exe

MD5 5c829441a341d8eed9d445081e889d52
SHA1 c281d3934466c592eca5f712b18f3e83fabcbbf6
SHA256 934b7cbd70c39bcdfaba46448139c74b5343e9663efc2c9f2dfb16893eca24f5
SHA512 ae061c786c0ba9e451c620dfcf30bf9fea566c722dca458dc24b1a686d60ae40900941b512ae92e407f7a33e64c6348bf9b2404b7a8c4964a5395bfb37c36d45

\Users\Admin\AppData\Local\Temp\3CD8.exe

MD5 21a466eb1827ebda177690e7a2abb02f
SHA1 193f97e2e014ee0e1cc299a9414033fe07938efa
SHA256 b28cb126a6c06709c383dbe8a8d1358671131cab5c94b1f65490bd6c64115317
SHA512 ff4683d9148ee1c360e906c74e28f0f35fc545fb6976ad45c9a9b848214b2c8a7bff4581418dbb1264d31bb62af301b280c8715c7378c2823c49d5a86c75a2f3

C:\Users\Admin\AppData\Local\Temp\3CD8.exe

MD5 667806f6f5a82c03b1b24395847c4fb9
SHA1 8f5a65f02cd7bf6f1f243fa755ba4d0277189242
SHA256 6da7593d439e67e3847cea55c7f53fa090616994fc62f2189b8bb024b0694ca7
SHA512 69f4438de8073d0934ae101fe3478f1700d82ee0e18ae00743fbaabecab74b161005a9a9a0ac6caa6f8c94fd3be9e33b77dc85bd61b80f83bfcc83e9897bf80f

memory/700-377-0x000000013F940000-0x00000001405A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1DC3.exe

MD5 e8b6adc564f16b5296dd0381cdacdd00
SHA1 2c422a97782ffbc01fa854615279ee5a86b954fd
SHA256 fbb0c4aca1a1e4379dbc39a7fc02f6d2f742938865a95dac4a363974523eee22
SHA512 9a2bd41a64d1fa95939fe5f5267561cbd66676ebb14d405e14307a668a34fa1a1a5c49b0aaf40023456578f1b26ddd995124ebd391225933bc7a90bbb834ab6a

memory/1432-379-0x0000000000400000-0x00000000026BE000-memory.dmp

memory/1432-380-0x0000000004020000-0x0000000004418000-memory.dmp

memory/1432-381-0x0000000004420000-0x0000000004D0B000-memory.dmp

memory/1632-383-0x0000000003FB0000-0x00000000043A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\atbwgij

MD5 117a962cde2568514649b76a004190f1
SHA1 e92ab6267e005eb78bac3c13b9de881b726bc7f2
SHA256 8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0
SHA512 a2eb2cd551bea8eead2cc7cf17dd91849395c475f329e9bd47ff4ebab8aff0c9a1e33921e4fc6af9ca762b6c80c48056b8991f8813b7e19a7eca4dfb0914041d

C:\Users\Admin\AppData\Roaming\atbwgij

MD5 9d644d8a8bba44410a771ed01ea0faf3
SHA1 ab3da8560deeeffbb47adc26b35b3844943f6dc0
SHA256 ab905fe3625b31b46eac60cd0b26f1a5c16ac7231746a445245164320e3b1545
SHA512 e5264404843792ca53e8dd99513eaaec4884fdacb664ff6c7b254a67e2afcceeb65329f1ec1860d62acdb09f20496f888a8b996dee8333bd78292d16bcd966fa

C:\Windows\rss\csrss.exe

MD5 946845d21eaefa58a757859e7f4b9d58
SHA1 489a4a78b8c58ee37f8ee6959665b203a283e5c3
SHA256 8ac4235d2f161d6770ee354a8b00ba0de571ceff168042467f025e9b50b05616
SHA512 711d784c1c41b65de2baaaa0138c14c4fbaa7eaf94be8385201529d3bda05d01c23156739832ccea21ee8152527a9932a7013174e89ab745c0c1be478ae0f704

\Windows\rss\csrss.exe

MD5 6579312b2970bfd3b6059852ae2716c1
SHA1 c86b2d66a44dc5d1c2e5d8eb6c082cb458ace916
SHA256 96e14d6a37c3b6ac5418737e2b91e087908eab76817a41917161bfc38434c5d8
SHA512 db6854116859ea6c80a49574b3208b982e6db48aa376092893cdb124ba03d07967af50c98849ef3fdedbada02b5140b208a0fe17314e0d64838f3b13cdd45f7a

memory/1632-414-0x0000000000400000-0x00000000026BE000-memory.dmp

memory/1632-415-0x0000000003FB0000-0x00000000043A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\684C.exe

MD5 97171292fd1f59b0fa5b3ea5be92a2ae
SHA1 28b239a979e602ec968fd5fce7aac82a01c37308
SHA256 c406edd320595812e56cb3dcff082f9adeed60bcb21432b8dc09494bd6999dcd
SHA512 0422d1fd59635ff1eb0d0f43aae20bc9944c4ec0f2dad00f2ed196dcc90d0030d1b8ffa1cd7903218da519b77598e6467e8a30753f075a1b3bb6f16041df9b2e

C:\Users\Admin\AppData\Local\Temp\684C.exe

MD5 bba0531fe3059f01c86aac9293b32aeb
SHA1 59442b3a3550acac19829378e5630262e929c3e8
SHA256 ccd9f047538afd0c8e7b7ecdeb83c2cfbdffea220c45019f3600b268e7371b69
SHA512 c62bc4bca11fdbac0237232c7cc96b72328968fd75c520ae2a789595d7692f0464faf151308c125534c61facbd225547120000eea380cf9aaaa17e3d9eb9b730

memory/1936-416-0x0000000004100000-0x00000000044F8000-memory.dmp

memory/1568-422-0x0000000000030000-0x00000000004EB000-memory.dmp

memory/2144-425-0x00000000002B2000-0x00000000002C8000-memory.dmp

memory/2144-424-0x0000000000400000-0x0000000001A2D000-memory.dmp

memory/1200-423-0x0000000002EF0000-0x0000000002F06000-memory.dmp

memory/1200-431-0x00000000024D0000-0x00000000024D1000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5266071c933122f9c408e160ef434196
SHA1 44d7e5e29ee21132a7db908e756a43a685df4e08
SHA256 0f7e3454607dfb099f2c6b238d0d95d5c2208515c9c563d71d345507bca9201e
SHA512 ec098f12c18a3442e7e276cbaf0552f2e752b6935981e47b5227a8b895352357fb49ae1fa2ebd232d092a6afa5126455336574ece0761045ea72717a9553af5c

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-29 09:58

Reported

2024-02-29 10:01

Platform

win10v2004-20240226-en

Max time kernel

83s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\287cc41b-ea65-466b-b8cd-7c870b54ed2c\\BA47.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\BA47.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1B48.exe N/A

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1B48.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1B48.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BA47.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1B48.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\287cc41b-ea65-466b-b8cd-7c870b54ed2c\\BA47.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\BA47.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1B48.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1512 set thread context of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 set thread context of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\780.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\1B48.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{23FD917E-3764-4E7D-8212-616858C43430} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHost = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{7F5A79CB-A7F6-4D9F-AFD2-A4CEF82414E1} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-399997616-3400990511-967324271-1000\{6572974B-0D74-490C-924E-0D75CEE9C488} C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\780.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3460 wrote to memory of 1512 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3460 wrote to memory of 1512 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3460 wrote to memory of 1512 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 1512 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 4632 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Windows\SysWOW64\icacls.exe
PID 4632 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Windows\SysWOW64\icacls.exe
PID 4632 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Windows\SysWOW64\icacls.exe
PID 4632 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 4632 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 4632 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3660 wrote to memory of 3432 N/A C:\Users\Admin\AppData\Local\Temp\BA47.exe C:\Users\Admin\AppData\Local\Temp\BA47.exe
PID 3460 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBA7.exe
PID 3460 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBA7.exe
PID 3460 wrote to memory of 2144 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBA7.exe
PID 3460 wrote to memory of 4316 N/A N/A C:\Windows\system32\cmd.exe
PID 3460 wrote to memory of 4316 N/A N/A C:\Windows\system32\cmd.exe
PID 4316 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4316 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3460 wrote to memory of 3340 N/A N/A C:\Users\Admin\AppData\Local\Temp\780.exe
PID 3460 wrote to memory of 3340 N/A N/A C:\Users\Admin\AppData\Local\Temp\780.exe
PID 3460 wrote to memory of 3340 N/A N/A C:\Users\Admin\AppData\Local\Temp\780.exe
PID 3460 wrote to memory of 3816 N/A N/A C:\Users\Admin\AppData\Local\Temp\11E1.exe
PID 3460 wrote to memory of 3816 N/A N/A C:\Users\Admin\AppData\Local\Temp\11E1.exe
PID 3460 wrote to memory of 4356 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B48.exe
PID 3460 wrote to memory of 4356 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B48.exe
PID 3460 wrote to memory of 4356 N/A N/A C:\Users\Admin\AppData\Local\Temp\1B48.exe
PID 3340 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\780.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\780.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3340 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\780.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 376 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\780.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 376 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\780.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 376 wrote to memory of 4700 N/A C:\Users\Admin\AppData\Local\Temp\780.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 376 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\780.exe C:\Windows\system32\cmd.exe
PID 376 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\780.exe C:\Windows\system32\cmd.exe
PID 4872 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4872 wrote to memory of 4136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe

"C:\Users\Admin\AppData\Local\Temp\117a962cde2568514649b76a004190f1.exe"

C:\Users\Admin\AppData\Local\Temp\BA47.exe

C:\Users\Admin\AppData\Local\Temp\BA47.exe

C:\Users\Admin\AppData\Local\Temp\BA47.exe

C:\Users\Admin\AppData\Local\Temp\BA47.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\287cc41b-ea65-466b-b8cd-7c870b54ed2c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\BA47.exe

"C:\Users\Admin\AppData\Local\Temp\BA47.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\BA47.exe

"C:\Users\Admin\AppData\Local\Temp\BA47.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 212 -p 3432 -ip 3432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 568

C:\Users\Admin\AppData\Local\Temp\FBA7.exe

C:\Users\Admin\AppData\Local\Temp\FBA7.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FF42.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\780.exe

C:\Users\Admin\AppData\Local\Temp\780.exe

C:\Users\Admin\AppData\Local\Temp\11E1.exe

C:\Users\Admin\AppData\Local\Temp\11E1.exe

C:\Users\Admin\AppData\Local\Temp\1B48.exe

C:\Users\Admin\AppData\Local\Temp\1B48.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4216 -ip 4216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 2580

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Users\Admin\AppData\Local\Temp\780.exe

"C:\Users\Admin\AppData\Local\Temp\780.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Users\Admin\AppData\Roaming\assivww

C:\Users\Admin\AppData\Roaming\assivww

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\explorer.exe

explorer.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\explorer.exe

explorer.exe

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
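
The `sc sdset WinDefender …` command line in the process list above replaces the security descriptor of a service named WinDefender. That is not the built-in Windows Defender service (its name is `WinDefend`); in this trace the name sits next to the dropped `C:\Windows\windefender.exe` that starts immediately after it. The decoder below is an added example, not part of the report or the sandbox tooling. It parses that SDDL string and answers the three questions an analyst asks of it: which principals are explicitly denied SERVICE_STOP and SERVICE_PAUSE_CONTINUE, how the descriptor differs from the one a newly created service receives (the baseline constant is an assumption based on what `sc sdshow` prints for a fresh service), and whether Administrators still hold WRITE_DAC so that an elevated `sc sdset` can put the default back.

```python
"""Decode the service SDDL the sample sets with `sc sdset WinDefender ...`."""
import re
from dataclasses import dataclass

# The exact descriptor from the command line above.
MALWARE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
                "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Assumption: the descriptor a freshly created service gets (what `sc sdshow`
# prints for a new service). Used only as the comparison baseline.
DEFAULT_SERVICE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                        "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")

# Generic SDDL right codes as the service control manager interprets them.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}


@dataclass(frozen=True)
class Ace:
    kind: str          # ALLOW / DENY / AUDIT
    flags: str         # ACE flags, e.g. "FA" = audit failed access
    rights: frozenset  # two-letter right codes
    trustee: str


def parse_sddl(sddl):
    """Split a D:/S: descriptor into its DACL ("D") and SACL ("S") ACE lists."""
    acls = {"D": [], "S": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for raw in re.findall(r"\(([^)]*)\)", body):
            kind, flags, rights, _obj, _inherit, sid = raw.split(";")
            codes = frozenset(rights[i:i + 2] for i in range(0, len(rights), 2))
            acls[section].append(Ace(ACE_TYPES.get(kind, kind), flags, codes,
                                     TRUSTEES.get(sid, sid)))
    return acls


def stop_lockout(sddl):
    """Trustees explicitly denied the right to stop or pause the service."""
    denied = {}
    for ace in parse_sddl(sddl)["D"]:
        hit = ace.rights & {"WP", "DT"}
        if ace.kind == "DENY" and hit:
            denied[ace.trustee] = sorted(SERVICE_RIGHTS[c] for c in hit)
    return denied


def diff_against_default(sddl, baseline=DEFAULT_SERVICE_SDDL):
    """Per trustee: right codes removed from / added to its ALLOW ACE vs. the baseline."""
    def allows(text):
        return {a.trustee: a.rights for a in parse_sddl(text)["D"] if a.kind == "ALLOW"}
    base, cur = allows(baseline), allows(sddl)
    changes = {}
    for trustee in sorted(set(base) | set(cur)):
        removed = base.get(trustee, frozenset()) - cur.get(trustee, frozenset())
        added = cur.get(trustee, frozenset()) - base.get(trustee, frozenset())
        if removed or added:
            changes[trustee] = {"removed": sorted(removed), "added": sorted(added)}
    return changes


def admins_keep_write_dac(sddl):
    """True if Administrators are allowed WRITE_DAC and not denied it, i.e. an
    elevated `sc sdset` can still overwrite this descriptor."""
    dacl = parse_sddl(sddl)["D"]
    denied = any(a.kind == "DENY" and a.trustee == "Administrators" and "WD" in a.rights
                 for a in dacl)
    allowed = any(a.kind == "ALLOW" and a.trustee == "Administrators" and "WD" in a.rights
                  for a in dacl)
    return allowed and not denied


if __name__ == "__main__":
    for ace in parse_sddl(MALWARE_SDDL)["D"]:
        names = " ".join(sorted(SERVICE_RIGHTS[c] for c in ace.rights))
        print(f"{ace.kind:5} {ace.trustee:14} {names}")
    print("explicit stop/pause denies:", stop_lockout(MALWARE_SDDL))
    print("changes vs default:", diff_against_default(MALWARE_SDDL))
    print("admins can reset DACL:", admins_keep_write_dac(MALWARE_SDDL))
```

Read together, the output says: the descriptor is the stock one with SERVICE_STOP and SERVICE_PAUSE_CONTINUE stripped from the Administrators allow ACE and an explicit deny of those two rights added for the same group, so `sc stop` or `net stop` against the service fails with access denied even from an elevated prompt. Because the deny ACE does not cover WRITE_DAC or SERVICE_CHANGE_CONFIG, an elevated `sc sdset WinDefender <default descriptor>` restores the default and the service can then be stopped and deleted. For triage across a host, `sc sdshow <name>` on every service whose binary lives outside the expected paths, or a comparison of the binary `Security` value under `HKLM\SYSTEM\CurrentControlSet\Services\<name>` against a known-good image, finds the same modification.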

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 70.174.106.193.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 brusuax.com udp
IR 151.233.51.166:80 brusuax.com tcp
US 8.8.8.8:53 166.51.233.151.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 104.21.65.24:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 94.193.125.74.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 188.114.96.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 172.67.185.36:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 104.21.11.77:443 loftproper.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
US 8.8.8.8:53 36.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 77.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 62.192.67.172.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 185.215.113.45:80 185.215.113.45 tcp
US 8.8.8.8:53 45.113.215.185.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 188.114.96.2:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 27f85bb2-f0db-470d-b95f-5bb274a11037.uuid.filesdumpplace.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server10.filesdumpplace.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server10.filesdumpplace.org tcp
NL 74.125.128.127:19302 stun2.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
BG 185.82.216.96:443 server10.filesdumpplace.org tcp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
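
The Network table above mixes three kinds of rows: lookups sent to the sandbox's resolver (8.8.8.8:53), reverse lookups the sandbox itself issues for every peer (the `.in-addr.arpa` names), and the actual connections. The script below is an added example, not the sandbox's code, that reduces such a table to a deduplicated indicator list: one record per destination name with its IPs, ports, protocols and connection count, a separate list of names that were only looked up and never connected to (the `.fun`/`.shop`/`.pw` names that appear once on a UDP row and nowhere else), and the destinations that were contacted with no forward lookup at all, such as `185.215.113.45:80`. It runs on a constructed excerpt of the table; treating `g.bing.com` as noise from the SearchApp.exe instances in the process list is an assumption marked in the code.

```python
"""Reduce the sandbox Network table to a deduplicated indicator list."""
import ipaddress

RESOLVER = "8.8.8.8:53"   # sandbox DNS forwarder; rows to it are lookups, not C2

# Assumption: g.bing.com belongs to the SearchApp.exe traffic in the process list.
NOISE = {"g.bing.com"}

# Constructed excerpt of the table above (columns: Country Destination Domain Proto).
SAMPLE_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 185.215.113.45:80 185.215.113.45 tcp
US 8.8.8.8:53 45.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 188.114.96.2:443 resergvearyinitiani.shop tcp
"""


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def build_iocs(rows, noise=NOISE):
    """Return (connections, dns_only).

    connections: name -> {ips, ports, protos, countries, count, raw_ip}
    dns_only:    names looked up but never connected to (loader/stealer domain
                 lists where only some entries resolve show up here).
    """
    queried, conns = set(), {}
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, name, proto = parts
        if name.endswith(".in-addr.arpa") or name in noise:
            continue                       # sandbox reverse lookups / known noise
        if dest == RESOLVER:
            queried.add(name)
            continue
        ip, port = dest.rsplit(":", 1)
        rec = conns.setdefault(name, {"ips": set(), "ports": set(), "protos": set(),
                                      "countries": set(), "count": 0,
                                      "raw_ip": is_ip(name)})
        rec["ips"].add(ip)
        rec["ports"].add(int(port))
        rec["protos"].add(proto)
        rec["countries"].add(country)
        rec["count"] += 1
    return conns, sorted(queried - set(conns))


def direct_ip_connections(conns):
    """Destinations reached without a forward DNS lookup (the name is the IP itself)."""
    return sorted(name for name, rec in conns.items() if rec["raw_ip"])


def blocklist_lines(conns, dns_only):
    """One tab-separated line per indicator: name, ips, ports, connection count."""
    lines = []
    for name, rec in sorted(conns.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"{name}\t{','.join(sorted(rec['ips']))}\t"
                     f"{','.join(map(str, sorted(rec['ports'])))}\t{rec['count']}")
    lines.extend(f"{name}\t-\t-\t0 (DNS only)" for name in dns_only)
    return lines


if __name__ == "__main__":
    conns, dns_only = build_iocs(SAMPLE_ROWS)
    print("\n".join(blocklist_lines(conns, dns_only)))
    print("direct-to-IP:", direct_ip_connections(conns))
```

The DNS-only list is worth keeping rather than discarding: a name that was queried and never connected to is still a configured destination of the sample, and it is exactly the kind of indicator that goes stale fastest, so it belongs in a blocklist with a short expiry. The direct-to-IP entries are the most durable indicators in the table because no domain rotation is involved.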

Files

memory/1544-1-0x0000000001A90000-0x0000000001B90000-memory.dmp

memory/1544-2-0x0000000000400000-0x0000000001A2D000-memory.dmp

memory/1544-3-0x0000000003630000-0x000000000363B000-memory.dmp

memory/3460-4-0x00000000030C0000-0x00000000030D6000-memory.dmp

memory/1544-5-0x0000000000400000-0x0000000001A2D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BA47.exe

MD5 ac282e0c3008238e949df7acf56bd7e7
SHA1 3f27bf2d71cb268636064ae950a2f14ea2df3433
SHA256 4f0fea97eaf9353a2ce670fa8f46a72d3937edf86a090941b2d15487b43254bf
SHA512 93609e746c9a806ab5fddf50c7df44d00d069ce585e0105d305d83848735db1d905c5b38ca3d273e33a3585a4e5a61a0e38def517fd67b8209bea6406e05bc01

memory/1512-16-0x0000000004030000-0x00000000040CA000-memory.dmp

memory/1512-20-0x00000000041B0000-0x00000000042CB000-memory.dmp

memory/4632-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4632-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4632-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4632-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4632-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3660-35-0x0000000004080000-0x000000000411F000-memory.dmp

memory/3432-38-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3432-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3432-41-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FBA7.exe

MD5 d689d942a645a468007b85fdf9413de9
SHA1 c94e0a7ff515c05a73048f3c6d2dd0c95071c4b6
SHA256 82177bd7ae6c995aa53d63d21e5c53883af16f3b84832d5557fe3dfce3cf58cd
SHA512 525184773ae2e1642e05bee15b58457a995a3225f417a8b26580d306bd292ab880d9768187b6e5c144bf9d4eb3f95f2a2b82f7402eb11b3239740f5412f7608c

memory/2144-49-0x0000000000300000-0x0000000000BF1000-memory.dmp

memory/2144-48-0x0000000001150000-0x0000000001151000-memory.dmp

memory/2144-51-0x0000000000300000-0x0000000000BF1000-memory.dmp

memory/2144-53-0x0000000001160000-0x0000000001161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF42.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\780.exe

MD5 5c829441a341d8eed9d445081e889d52
SHA1 c281d3934466c592eca5f712b18f3e83fabcbbf6
SHA256 934b7cbd70c39bcdfaba46448139c74b5343e9663efc2c9f2dfb16893eca24f5
SHA512 ae061c786c0ba9e451c620dfcf30bf9fea566c722dca458dc24b1a686d60ae40900941b512ae92e407f7a33e64c6348bf9b2404b7a8c4964a5395bfb37c36d45

memory/3340-63-0x0000000004410000-0x000000000480D000-memory.dmp

memory/3340-65-0x0000000004810000-0x00000000050FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11E1.exe

MD5 450039a02217c53bd983eaf1fd34505a
SHA1 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256 d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512 cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

memory/3340-69-0x0000000000400000-0x00000000026BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B48.exe

MD5 298d8cc160bfd0ed0d3e042749a2de4b
SHA1 2330020ba055181737313b7a13d4cddce4c34dc7
SHA256 6184d6f6747333a500fe51e1f6006f1beecd76f5764b03452b73c9c5560f474c
SHA512 03903cd5ecae7bc2c7d1e75733d8012a0d0719dd113aadec55aa18f1cbb4cdb84637491e6b23c7f718312d3d21b536f90226d57faeaa286ec4102c0ca7c33d22

memory/4356-74-0x0000000000280000-0x0000000000723000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B48.exe

MD5 765a166abf8a52482a531f4c5b85cd98
SHA1 2d8cf7ce37802f11c6f740251ed9ba08a4863bb7
SHA256 30ada755dc23f03935169bd9e70420ef532d9d49d18598bfa1f34e2743d75d95
SHA512 2f9fd2ad657245d14be6438ed86475cdb9e34a68a609c2f6785ef26ffc7b500140e9fde417cc85c006da9b44b69d3f79a79bfa38daa45309e866a3f268910101

memory/4356-75-0x0000000077AD4000-0x0000000077AD6000-memory.dmp

memory/4356-76-0x0000000000280000-0x0000000000723000-memory.dmp

memory/4356-77-0x0000000004C40000-0x0000000004C41000-memory.dmp

memory/4356-79-0x0000000004C30000-0x0000000004C31000-memory.dmp

memory/4356-78-0x0000000004C50000-0x0000000004C51000-memory.dmp

memory/4356-80-0x0000000004C80000-0x0000000004C81000-memory.dmp

memory/4356-81-0x0000000004C10000-0x0000000004C11000-memory.dmp

memory/4356-82-0x0000000004C20000-0x0000000004C21000-memory.dmp

memory/4356-83-0x0000000004C70000-0x0000000004C71000-memory.dmp

memory/2144-84-0x0000000000300000-0x0000000000BF1000-memory.dmp

memory/4216-85-0x0000000002900000-0x0000000002936000-memory.dmp

memory/4216-86-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/4216-87-0x0000000005090000-0x00000000056B8000-memory.dmp

memory/4216-88-0x0000000002540000-0x0000000002550000-memory.dmp

memory/4216-89-0x0000000002540000-0x0000000002550000-memory.dmp

memory/4356-90-0x0000000004C90000-0x0000000004C91000-memory.dmp

memory/4216-91-0x0000000004DF0000-0x0000000004E12000-memory.dmp

memory/4356-93-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

memory/4216-94-0x0000000005830000-0x0000000005896000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2yjusrso.wy2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4216-104-0x00000000059A0000-0x0000000005A06000-memory.dmp

memory/4216-105-0x0000000005A10000-0x0000000005D64000-memory.dmp

memory/4216-106-0x0000000005EC0000-0x0000000005EDE000-memory.dmp

memory/4216-107-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

memory/3460-111-0x00000000011F0000-0x00000000011F1000-memory.dmp

memory/4216-112-0x0000000006410000-0x0000000006454000-memory.dmp

memory/4216-113-0x00000000071D0000-0x0000000007246000-memory.dmp

memory/4216-114-0x00000000078D0000-0x0000000007F4A000-memory.dmp

memory/4216-115-0x0000000007270000-0x000000000728A000-memory.dmp

memory/4216-117-0x0000000007410000-0x0000000007442000-memory.dmp

memory/4216-118-0x00000000701C0000-0x000000007020C000-memory.dmp

memory/4216-119-0x0000000070340000-0x0000000070694000-memory.dmp

memory/3340-116-0x0000000000400000-0x00000000026BE000-memory.dmp

memory/4216-130-0x0000000007450000-0x000000000746E000-memory.dmp

memory/3816-129-0x00007FF756940000-0x00007FF7575A2000-memory.dmp

memory/4356-131-0x0000000000280000-0x0000000000723000-memory.dmp

memory/4216-133-0x000000007F3E0000-0x000000007F3F0000-memory.dmp

memory/4216-132-0x0000000007470000-0x0000000007513000-memory.dmp

memory/4216-134-0x0000000007560000-0x000000000756A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 eb36bc1f608b4510cf76240c646882f4
SHA1 6addaadbd8cb3fcc141dab842d9fb63ec2cccb3e
SHA256 cbf04bfdd70e53f9209950aa1dcea96267e96c27359756c06255594a631d6f34
SHA512 1f227ac293a439a14ee0df1cde97572233b3ec2e3fdf5e81fbd73f22b0a57ed001406067eafc44b0075d88430b515e3c971df73d6ff814a8a1c6f0df2892ba9f

memory/4356-139-0x0000000000280000-0x0000000000723000-memory.dmp

memory/4216-140-0x0000000074340000-0x0000000074AF0000-memory.dmp

memory/3340-142-0x0000000000400000-0x00000000026BE000-memory.dmp

memory/3340-143-0x0000000004810000-0x00000000050FB000-memory.dmp

memory/3816-144-0x00007FF756940000-0x00007FF7575A2000-memory.dmp

memory/376-146-0x0000000004660000-0x0000000004A61000-memory.dmp

memory/376-147-0x0000000000400000-0x00000000026BE000-memory.dmp

memory/4700-148-0x0000000074790000-0x0000000074F40000-memory.dmp

memory/4700-150-0x0000000000C90000-0x0000000000CA0000-memory.dmp

memory/4700-149-0x0000000000C90000-0x0000000000CA0000-memory.dmp

memory/4700-151-0x0000000005450000-0x00000000057A4000-memory.dmp

memory/4700-161-0x0000000005B40000-0x0000000005B8C000-memory.dmp

memory/4700-163-0x00000000706A0000-0x00000000706EC000-memory.dmp

memory/4700-164-0x000000007F3F0000-0x000000007F400000-memory.dmp

memory/4700-165-0x0000000070E30000-0x0000000071184000-memory.dmp

memory/4700-175-0x0000000006D70000-0x0000000006E13000-memory.dmp

C:\Users\Admin\AppData\Roaming\assivww

MD5 117a962cde2568514649b76a004190f1
SHA1 e92ab6267e005eb78bac3c13b9de881b726bc7f2
SHA256 8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0
SHA512 a2eb2cd551bea8eead2cc7cf17dd91849395c475f329e9bd47ff4ebab8aff0c9a1e33921e4fc6af9ca762b6c80c48056b8991f8813b7e19a7eca4dfb0914041d

memory/4700-178-0x00000000070A0000-0x0000000007136000-memory.dmp

memory/4700-179-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

memory/4700-180-0x0000000007000000-0x000000000700E000-memory.dmp

memory/4568-183-0x0000000005130000-0x0000000005131000-memory.dmp

memory/5036-191-0x000001123D5A0000-0x000001123D5C0000-memory.dmp

memory/5036-193-0x000001123D560000-0x000001123D580000-memory.dmp

memory/5036-198-0x000001123DB80000-0x000001123DBA0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/3816-208-0x00007FF756940000-0x00007FF7575A2000-memory.dmp

memory/376-209-0x0000000000400000-0x00000000026BE000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a91a7e5241dbadd09db530d2ac64124e
SHA1 08bde701c20357c3fe26365e0e80f68564eb23d0
SHA256 ddb3c9698f3059acd67ac5de3aab01de40384898fabb7295a73d6bc19e9f29a0
SHA512 ab13b7fdcc411f88c651b2b4cee07aaaa5ba7d06a582c235def0c01865f7bb978db9757720c940832c4e975ab052579008ca40972f1821d8298c16dbe27fb0b2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c7381526868fac29590372dfab67d61c
SHA1 57abe9ecdfd6e941c267232b20627a0d9246c888
SHA256 ddc6faf5ba1dfe4f0d51038c76d08ea8496f1b99b0824264554380714583c7f4
SHA512 4794733f4f3a3cae8a0d5735ec22a4ccd3effebbffc6b2b87783310ee4f3a86fda7ee8d1987c6b7b7a6c5d945123076b1c3a5941c567440549474f5853c46784

memory/1464-260-0x0000000000400000-0x0000000001A2D000-memory.dmp

memory/2628-274-0x0000000007310000-0x0000000007326000-memory.dmp

memory/1464-277-0x0000000000400000-0x0000000001A2D000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 5266071c933122f9c408e160ef434196
SHA1 44d7e5e29ee21132a7db908e756a43a685df4e08
SHA256 0f7e3454607dfb099f2c6b238d0d95d5c2208515c9c563d71d345507bca9201e
SHA512 ec098f12c18a3442e7e276cbaf0552f2e752b6935981e47b5227a8b895352357fb49ae1fa2ebd232d092a6afa5126455336574ece0761045ea72717a9553af5c

C:\Windows\rss\csrss.exe

MD5 f8cae0b7609a2384818e45668424c685
SHA1 8721034e86cb2a0bdde2610653e1def6aa8462fc
SHA256 b5b35da51f309e5bb9f75ca8a4c73e32fbc8053c94a86b05f2498fbb9ea35f69
SHA512 b98e8e009a2606ae4cd16e534c9d3e953a6110167bc1dd676b642b55c78a0df638a0b0276ea04de4e81c64775f648ea3b1a3973094f12359e60a03f2d4a109a2

memory/3816-286-0x00007FF756940000-0x00007FF7575A2000-memory.dmp

memory/376-287-0x0000000000400000-0x00000000026BE000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f2dfa98e40494d5f827d3f9dd2b41461
SHA1 815f2936d03979bb2ba2250e23e9049b3870de55
SHA256 3166035333f1db38c2b52b38bf2434c546ed0ad8f40239f5ccf1b0a7852ba160
SHA512 fc8819578fd3e79237c0eb934784d861668f6d8fb0534e7cb941fe621a05e3739f0503e3e49ade56cffe6a3b8aa4c3f1ba69a9c2dfe291ee2ed0c6000a935323

memory/3816-305-0x00007FF756940000-0x00007FF7575A2000-memory.dmp

memory/4460-307-0x0000000000400000-0x00000000026BE000-memory.dmp

memory/4460-324-0x0000000000400000-0x00000000026BE000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cdf8970c475e288aec437f87deda7762
SHA1 d4d4a68db422c260d42bdffd4a85d2641b710816
SHA256 b177a4467b96d2c0d863172f20ccf9131e842336d3be938e227e266df8ba37ea
SHA512 ac6fca49291e3c10ef171e5873d58d1e89512f906a1b4d6afb0bf08e11689d54079362076a2b8f28c61e2de993bcd85c5ea0a0a120d5cf5a0056497c4ece4ed2

memory/3816-339-0x00007FF756940000-0x00007FF7575A2000-memory.dmp

memory/2572-354-0x00000000014D0000-0x00000000014D1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\39XIXV5T\microsoft.windows[1].xml

MD5 29e3c94dfa03b794f03e17d8b45295d9
SHA1 1a598a72d3d486f77e861f98abcd2f4a8e936365
SHA256 7ff0263086f28cc1d842d07a23128b955780d3c8b85b130228c7f65ce2b4262a
SHA512 e2180d73f45da32ac4fb355546103496d73cdf7cb966c60f6a414bc7052e46431177e9009bdfd730d2fe6955b986392720fe3bdc8afbc0388f1b70e438a4ef9c

memory/5044-363-0x000002DFECDF0000-0x000002DFECE10000-memory.dmp

memory/5044-365-0x000002DFED170000-0x000002DFED190000-memory.dmp

memory/5044-369-0x000002DFED1B0000-0x000002DFED1D0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7c69de714c3ce5eb0cc5c734a0edb651
SHA1 7405dc8a85bf83aca0ce82aa58757d91593d5980
SHA256 584525e4f51f5d6bff866e4384dd4bacf8821862ef610cee261bc12cb020b599
SHA512 53651776f8145e5942f7c52e36d005bee2364712d2a94b8cba143835390227cee7bc033204b244af2d6a788fdf132a585de8e5f26a24a55750110db869d9729d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/4300-416-0x0000000003F10000-0x0000000003F11000-memory.dmp

memory/544-424-0x00000204945B0000-0x00000204945D0000-memory.dmp

memory/544-426-0x0000020494570000-0x0000020494590000-memory.dmp

memory/544-429-0x0000020494980000-0x00000204949A0000-memory.dmp

memory/4460-435-0x0000000000400000-0x00000000026BE000-memory.dmp

memory/3816-436-0x00007FF756940000-0x00007FF7575A2000-memory.dmp

memory/1760-440-0x0000000004400000-0x0000000004401000-memory.dmp

memory/3468-448-0x000001D67D000000-0x000001D67D020000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
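
Three facts in the Files list above can be pulled out mechanically rather than by eye: the path the sample wrote as a copy of itself (`C:\Users\Admin\AppData\Roaming\assivww` carries the same MD5/SHA256 as the submitted file), the paths recorded more than once with different content (`1B48.exe`, `C:\Windows\rss\csrss.exe`, the PowerShell `StartupProfileData-Interactive` files), and memory regions the sandbox dumped repeatedly for one PID (for example `0x400000-0x537000` in PID 4632, which appears five times), which are the regions worth diffing between snapshots. The parser below is an added example, not the sandbox's code. It runs on a constructed excerpt of the list that copies the report's own hashes and omits the SHA512 lines only to keep the excerpt short; the parser accepts any of the four hash lines.

```python
"""Parse a sandbox Files list: dropped files with hashes and memory dump regions."""
import re
from collections import defaultdict

# SHA256 of the submitted sample, from the report header.
SAMPLE_SHA256 = "8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0"

# Constructed excerpt of the Files list above, same layout, hashes as reported.
FILES_EXCERPT = r"""
memory/4632-17-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4632-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4632-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3460-4-0x00000000030C0000-0x00000000030D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1B48.exe

MD5 298d8cc160bfd0ed0d3e042749a2de4b
SHA1 2330020ba055181737313b7a13d4cddce4c34dc7
SHA256 6184d6f6747333a500fe51e1f6006f1beecd76f5764b03452b73c9c5560f474c

C:\Users\Admin\AppData\Local\Temp\1B48.exe

MD5 765a166abf8a52482a531f4c5b85cd98
SHA1 2d8cf7ce37802f11c6f740251ed9ba08a4863bb7
SHA256 30ada755dc23f03935169bd9e70420ef532d9d49d18598bfa1f34e2743d75d95

C:\Users\Admin\AppData\Roaming\assivww

MD5 117a962cde2568514649b76a004190f1
SHA1 e92ab6267e005eb78bac3c13b9de881b726bc7f2
SHA256 8dec86d0a0c4034b6d688a0610742694517e0d31939c53db11b898c0ba7315c0

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
"""

MEM_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_files(text):
    """Return (dropped, dumps).

    dropped: list of (path, {algo: hexdigest}) in the order the report lists them
    dumps:   list of (pid, sequence_no, start, end) for each memory dump entry
    """
    dropped, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.fullmatch(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            current[1][h.group(1)] = h.group(2)   # hash line belongs to the last path
            continue
        current = (line, {})                       # anything else starts a new path entry
        dropped.append(current)
    return dropped, dumps


def self_copies(dropped, sha256=SAMPLE_SHA256):
    """Paths whose content is byte-identical to the submitted sample."""
    return sorted({path for path, hashes in dropped if hashes.get("SHA256") == sha256})


def rewritten_paths(dropped):
    """Paths recorded more than once with different SHA256 (staged, then overwritten)."""
    seen = defaultdict(set)
    for path, hashes in dropped:
        if "SHA256" in hashes:
            seen[path].add(hashes["SHA256"])
    return {path: sorted(s) for path, s in seen.items() if len(s) > 1}


def redumped_regions(dumps):
    """(pid, start, end) -> number of snapshots, for regions dumped more than once."""
    counts = defaultdict(int)
    for pid, _seq, start, end in dumps:
        counts[(pid, start, end)] += 1
    return {region: n for region, n in counts.items() if n > 1}


if __name__ == "__main__":
    dropped, dumps = parse_files(FILES_EXCERPT)
    print("self copies:", self_copies(dropped))
    print("rewritten paths:", rewritten_paths(dropped))
    for (pid, start, end), n in redumped_regions(dumps).items():
        print(f"pid {pid}: 0x{start:X}-0x{end:X} dumped {n} times ({end - start} bytes)")
```

A path that appears with two hashes is not necessarily an error in the report: a loader commonly writes a staging file, then overwrites it with the decrypted or downloaded payload, so both hashes are indicators and the second one is the executed code. The same region dumped several times for one PID is the region to pull from the sandbox and diff, since each snapshot captures a different stage of unpacking or injection.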