Malware Analysis Report

2025-01-02 11:12

Sample ID 240307-cmd54sdb92
Target 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe
SHA256 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee
Tags
dcrat djvu glupteba smokeloader vidar e2da5861d01d391b927839bbec00e666 pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan lumma zgrat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee

Threat Level: Known bad

The file 29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe was found to be: Known bad.

Malicious Activity Summary

dcrat djvu glupteba smokeloader vidar e2da5861d01d391b927839bbec00e666 pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan lumma zgrat upx

Detected Djvu ransomware

Detect Vidar Stealer

Glupteba

Vidar

Glupteba payload

DcRat

ZGRat

Detect ZGRat V1

Lumma Stealer

Windows security bypass

SmokeLoader

Djvu Ransomware

Detects Windows executables referencing non-Windows User-Agents

Detects executables Discord URL observed in first stage droppers

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables containing artifacts associated with disabling Windows Defender

UPX dump on OEP (original entry point)

Detects executables containing URLs to raw contents of a Github gist

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

Windows security modification

Modifies file permissions

Loads dropped DLL

Deletes itself

Checks computer location settings

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-07 02:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 02:11

Reported

2024-03-07 02:13

Platform

win7-20240221-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1dc47973-616c-4132-9f33-e06c036b7720\\F4EA.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F4EA.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9001.exe = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9001.exe = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1dc47973-616c-4132-9f33-e06c036b7720\\F4EA.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\F4EA.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9001.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20240307021259.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9001.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\9001.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc
6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee
38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9001.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 1228 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 1228 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 1228 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2416 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Windows\SysWOW64\icacls.exe
PID 2416 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Windows\SysWOW64\icacls.exe
PID 2416 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Windows\SysWOW64\icacls.exe
PID 2416 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Windows\SysWOW64\icacls.exe
PID 2416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 624 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 624 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 624 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 624 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1228 wrote to memory of 1704 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D18.exe
PID 1228 wrote to memory of 1704 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D18.exe
PID 1228 wrote to memory of 1704 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D18.exe
PID 1228 wrote to memory of 1704 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D18.exe
PID 1228 wrote to memory of 2908 N/A N/A C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 2908 N/A N/A C:\Windows\system32\cmd.exe
PID 1228 wrote to memory of 2908 N/A N/A C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2908 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2908 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2100 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2100 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2100 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2100 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 624 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build3.exe
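
The WriteProcessMemory rows are easier to read as a graph. Below is an added example (not part of the sandbox report) that parses those rows, counts writes per source/target pair, and walks the chain from the one process that is never itself written to (PID 1228, whose image the report does not name) down to the leaves, labelling each hop as a write into a fresh copy of the same image (the F4EA.exe -> F4EA.exe and build2.exe -> build2.exe hops), into a Windows binary (icacls.exe, cmd.exe, reg.exe, WerFault.exe), or into a different dropped file. The rows are copied from the table above; the parsing, graph walk and labels are this example's own, and the system-directory check assumes the C: system drive.

```python
import re
from collections import defaultdict

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table
# (an excerpt: the table has one row per call, so repeated rows mean repeated writes).
WPM_ROWS = r"""
PID 1228 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 1228 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 1228 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 1228 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2536 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2416 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Windows\SysWOW64\icacls.exe
PID 2416 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 2728 wrote to memory of 624 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\Temp\F4EA.exe
PID 624 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1728 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe
PID 1228 wrote to memory of 1704 N/A N/A C:\Users\Admin\AppData\Local\Temp\4D18.exe
PID 1228 wrote to memory of 2908 N/A N/A C:\Windows\system32\cmd.exe
PID 2908 wrote to memory of 1796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2100 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 624 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\F4EA.exe C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build3.exe
"""

# Columns: "PID <src> wrote to memory of <dst>" <indicator> <source image> <target image>
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # assumes C: system drive


def parse_rows(text):
    """Return (edges, images): edges maps (src, dst) -> number of writes,
    images maps pid -> image path whenever the report names it."""
    edges = defaultdict(int)
    images = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, _indicator, src_img, dst_img = m.groups()
        src, dst = int(src), int(dst)
        edges[(src, dst)] += 1
        if src_img != "N/A":
            images.setdefault(src, src_img)
        if dst_img != "N/A":
            images.setdefault(dst, dst_img)
    return dict(edges), images


def short(images, pid):
    """Basename of a PID's image, or '?' when the report never named it."""
    return images.get(pid, "?").rsplit("\\", 1)[-1]


def roots(edges):
    """PIDs that write into others but are never written to: the chain origins."""
    srcs = {s for s, _ in edges}
    dsts = {d for _, d in edges}
    return sorted(srcs - dsts)


def chains(edges, start):
    """Every root-to-leaf path of PIDs from `start` (depth-first, cycle-guarded)."""
    children = defaultdict(list)
    for s, d in edges:
        children[s].append(d)
    out = []

    def walk(pid, path):
        kids = sorted(children.get(pid, []))
        if not kids:
            out.append(path)
        for k in kids:
            if k not in path:
                walk(k, path + [k])

    walk(start, [start])
    return out


def classify(edges, images):
    """Label each hop: 'self' when the target runs the same image as the writer
    (a fresh copy of itself), 'system' when the target is a Windows binary,
    'other' for a different dropped file (or an unnamed writer)."""
    labels = {}
    for s, d in edges:
        si, di = images.get(s, "?").lower(), images.get(d, "?").lower()
        if si == di:
            labels[(s, d)] = "self"
        elif di.startswith(SYSTEM_DIRS):
            labels[(s, d)] = "system"
        else:
            labels[(s, d)] = "other"
    return labels


if __name__ == "__main__":
    edges, images = parse_rows(WPM_ROWS)
    labels = classify(edges, images)
    for root in roots(edges):
        for path in chains(edges, root):
            print(" -> ".join(f"{p}({short(images, p)})" for p in path))
    for (s, d), n in sorted(edges.items()):
        print(f"{s} -> {d}: {n} write(s), {labels[(s, d)]}")
```

Run against the full table the same way; the longest chain it recovers here is 1228 -> F4EA.exe (2536) -> F4EA.exe (2416) -> F4EA.exe (2728) -> F4EA.exe (624) -> build2.exe (1728) -> build2.exe (2100) -> WerFault.exe (1484), i.e. four generations of the same dropper re-launching itself before the second-stage payload is written, which is what to expect when a packed stage unpacks into a child rather than in place.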

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe

"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"

C:\Users\Admin\AppData\Local\Temp\F4EA.exe

C:\Users\Admin\AppData\Local\Temp\F4EA.exe

C:\Users\Admin\AppData\Local\Temp\F4EA.exe

C:\Users\Admin\AppData\Local\Temp\F4EA.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1dc47973-616c-4132-9f33-e06c036b7720" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\F4EA.exe

"C:\Users\Admin\AppData\Local\Temp\F4EA.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\F4EA.exe

"C:\Users\Admin\AppData\Local\Temp\F4EA.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe

"C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe"

C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe

"C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe"

C:\Users\Admin\AppData\Local\Temp\4D18.exe

C:\Users\Admin\AppData\Local\Temp\4D18.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\568B.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 1460

C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build3.exe

"C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build3.exe"

C:\Users\Admin\AppData\Local\Temp\9001.exe

C:\Users\Admin\AppData\Local\Temp\9001.exe

C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build3.exe

"C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\C61F.exe

C:\Users\Admin\AppData\Local\Temp\C61F.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240307021259.log C:\Windows\Logs\CBS\CbsPersist_20240307021259.cab

C:\Windows\system32\taskeng.exe

taskeng.exe {5347E5D7-FCDD-4E97-8FF3-B103909D0D68} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\9001.exe

"C:\Users\Admin\AppData\Local\Temp\9001.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /D /T
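
The command lines in the Processes section carry the most actionable detail in this report: a scheduled task that re-runs mstsca.exe from %AppData% every minute, a second task that starts C:\Windows\rss\csrss.exe at logon with the highest run level (a csrss.exe outside System32 is a name masquerade), a netsh rule that opens the firewall for that same binary, an icacls deny ACE that stops Everyone (S-1-1-0) deleting the dropper's folder, and an injector invoked with taskmgr.exe and NtQuerySystemInformationHook.dll as arguments (hooking NtQuerySystemInformation inside Task Manager is the usual way to hide a process from it). The following is an added example, not part of the report, that encodes those observations as command-line triage rules and runs them over (image, command line) pairs copied from the section above. The ATT&CK IDs are the standard sub-technique IDs; the system-directory and user-writable path patterns assume the C: system drive; the injector rule is a heuristic of this example. The reg.exe line that writes HKCU\Software\clicker\key is included as a negative case: it is not a Run key, so the Run-key rule stays quiet, and makecab.exe archiving a CBS log is ordinary Windows housekeeping that must not fire either.

```python
import re

# (image, command line) pairs excerpted from the report's Processes section.
PROCESSES = [
    (r"C:\Windows\SysWOW64\icacls.exe",
     r'icacls "C:\Users\Admin\AppData\Local\1dc47973-616c-4132-9f33-e06c036b7720" /deny *S-1-1-0:(OI)(CI)(DE,DC)'),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\system32\schtasks.exe", r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'),
    (r"C:\Windows\system32\schtasks.exe", r"schtasks /delete /tn ScheduledUpdate /f"),
    (r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe",
     r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll"),
    (r"C:\Windows\system32\makecab.exe",
     r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240307021259.log C:\Windows\Logs\CBS\CbsPersist_20240307021259.cab'),
    (r"C:\Users\Admin\AppData\Local\Temp\F4EA.exe", r'"C:\Users\Admin\AppData\Local\Temp\F4EA.exe" --Admin IsNotAutoStart IsNotTask'),
]

# Core Windows process names that only legitimately run from the system directories.
SYSTEM_IMAGES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "services.exe", "wininit.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")   # assumes the C: system drive
USER_WRITABLE = re.compile(r"(?i)\\(appdata|programdata|temp|users\\public)\\")


def basename(p):
    return p.rsplit("\\", 1)[-1].lower()


def masquerading(p):
    """A system-process name running outside System32/SysWOW64 (T1036.005)."""
    return basename(p) in SYSTEM_IMAGES and not p.lower().startswith(SYSTEM_DIRS)


def rule_masquerade(image, cmd):
    if masquerading(image):
        return "T1036.005", f"{basename(image)} running from {image}"


def rule_schtasks(image, cmd):
    if basename(image) != "schtasks.exe" or not re.search(r"(?i)(^|\s)/create\b", cmd):
        return None
    m = re.search(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))', cmd)
    target = (m.group(1) or m.group(2)) if m else ""
    why = []
    if USER_WRITABLE.search(target):
        why.append("binary in user-writable path")
    if re.search(r"(?i)/sc\s+minute\s+/mo\s+1\b", cmd):
        why.append("runs every minute")
    if re.search(r"(?i)/sc\s+onlogon\b", cmd):
        why.append("runs at logon")
    if re.search(r"(?i)/rl\s+highest\b", cmd):
        why.append("highest run level")
    if masquerading(target):
        why.append("binary impersonates a Windows process name")
    return "T1053.005", f"task -> {target}: " + ", ".join(why or ["scheduled task created"])


def rule_firewall(image, cmd):
    if basename(image) == "netsh.exe" and re.search(r"(?i)advfirewall\s+firewall\s+add\s+rule.*action=allow", cmd):
        m = re.search(r'(?i)program="([^"]+)"', cmd)
        return "T1562.004", f"inbound allow rule for {m.group(1) if m else '?'}"


def rule_icacls(image, cmd):
    m = re.search(r"(?i)/deny\s+\*?S-1-1-0:(\S+)", cmd)   # S-1-1-0 is the Everyone SID
    if basename(image) == "icacls.exe" and m:
        return "T1222.001", f"Everyone denied {m.group(1)}"


def rule_run_key(image, cmd):
    if basename(image) == "reg.exe" and re.search(r"(?i)\badd\b.*\\currentversion\\run(once)?\b", cmd):
        return "T1547.001", "Run key entry written via reg.exe"


def rule_injector(image, cmd):
    # Heuristic: a tool from a user-writable path given another process and a DLL as arguments.
    args = cmd.split()[1:]
    if USER_WRITABLE.search(image) and any(a.lower().endswith(".exe") for a in args) \
            and any(a.lower().endswith(".dll") for a in args):
        return "T1055.001", "user-path tool given a target process and a DLL (heuristic)"


RULES = [rule_masquerade, rule_schtasks, rule_firewall, rule_icacls, rule_run_key, rule_injector]


def triage(processes):
    """Apply every rule to every (image, cmdline) pair; one finding per hit."""
    findings = []
    for image, cmd in processes:
        for rule in RULES:
            hit = rule(image, cmd)
            if hit:
                findings.append({"image": image, "cmdline": cmd, "technique": hit[0], "detail": hit[1]})
    return findings


if __name__ == "__main__":
    for f in triage(PROCESSES):
        print(f"{f['technique']}  {basename(f['image'])}: {f['detail']}")
```

The rules are deliberately written against the image path as well as the command line: the Azure-Update-Task line is recorded by the sandbox without the schtasks prefix (it begins with /C /create), and the csrss.exe masquerade is visible only from where the image lives, not from what it was given on the command line.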

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
KR 211.171.233.129:80 sdfjhuz.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 172.67.139.220:443 api.2ip.ua tcp
KR 211.171.233.129:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
KR 211.171.233.129:80 sajdfue.com tcp
KR 211.171.233.129:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 172.67.185.36:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 172.67.148.138:443 loftproper.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 dildefotokopi.com udp
TR 185.195.254.134:443 dildefotokopi.com tcp
TR 185.195.254.134:443 dildefotokopi.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
LU 31.216.145.5:443 mega.nz tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
LU 31.216.145.5:443 mega.nz tcp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 6a27f9fe-3997-4a62-a52c-53b4a79cf3a6.uuid.realupdate.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
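
The Network table is one row per connection, so the shape of the traffic is hard to see. Below is a small aggregation added here as an example (not part of the sandbox report). It collapses the rows into counts per destination and applies a few triage heuristics: repeated plain-HTTP connections to a single host (the pattern the table shows for trad-einmyus.com), a raw IP on a non-standard port (88.99.127.167:9000), a 56-character v3 .onion address reached over the clearnet through an onion.ly gateway, and names that were resolved but never connected to. The rows are a constructed subset of the table above (the full table repeats the trad-einmyus.com connection far more often); the threshold of five connections and the labels are this example's own choices.

```python
from collections import Counter

# Rows excerpted from the report's Network table (constructed subset).
NET_ROWS = """\
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
KR 211.171.233.129:80 sdfjhuz.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 api.2ip.ua tcp
US 172.67.139.220:443 api.2ip.ua tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 6a27f9fe-3997-4a62-a52c-53b4a79cf3a6.uuid.realupdate.ru udp
"""

RESOLVER_PORT = 53   # the sandbox resolves through 8.8.8.8:53 over UDP


def parse_net(text):
    """One dict per row: country, ip, port, domain, proto (header row skipped)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_lookup(r):
    return r["proto"] == "udp" and r["port"] == RESOLVER_PORT


def summarize(rows):
    """Connection count per (domain, ip, port, proto); DNS lookups are left out."""
    return Counter((r["domain"], r["ip"], r["port"], r["proto"]) for r in rows if not is_lookup(r))


def flag(rows, polling_threshold=5):
    """Triage heuristics over the summary; threshold and labels are this example's."""
    summary = summarize(rows)
    findings = []
    for (domain, ip, port, proto), n in sorted(summary.items()):
        if proto == "tcp" and port == 80 and n >= polling_threshold:
            findings.append(("repeated_http_polling", domain, f"{n} connections to {ip}:{port}"))
        if proto == "tcp" and port not in (80, 443):
            findings.append(("nonstandard_port", domain, f"{ip}:{port}"))
        if domain == ip:
            findings.append(("direct_to_ip", domain, f"{ip}:{port}"))
        if ".onion." in domain:   # an onion name on the clearnet means a Tor2web-style gateway
            findings.append(("onion_gateway", domain, f"{ip}:{port}"))
    connected = {key[0] for key in summary}
    for d in sorted({r["domain"] for r in rows if is_lookup(r)} - connected):
        findings.append(("dns_only", d, "looked up but no connection observed"))
    return findings


if __name__ == "__main__":
    rows = parse_net(NET_ROWS)
    for key, n in summarize(rows).most_common():
        print(n, *key)
    for kind, who, detail in flag(rows):
        print(f"[{kind}] {who}: {detail}")
```

Do not filter the summary against a brand allowlist before reading it. steamcommunity.com and apps.identrust.com in the table look benign, and the identrust hit is consistent with Windows fetching certificate-chain data (the CryptnetUrlCache files under Files point the same way), but Vidar builds are known to retrieve their C2 address from a Steam community profile, and api.2ip.ua is the geolocation lookup the Djvu family performs before deciding whether to encrypt. Both belong in the indicator set even though neither host is malicious in itself.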

Files

memory/1708-1-0x0000000001FC0000-0x00000000020C0000-memory.dmp

memory/1708-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1708-3-0x0000000000400000-0x0000000001F00000-memory.dmp

memory/1228-4-0x0000000002AA0000-0x0000000002AB6000-memory.dmp

memory/1708-5-0x0000000000400000-0x0000000001F00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F4EA.exe

MD5 b4496d2224777403415440dfe5f13a86
SHA1 5c175589db78cce01a9730eb85e2898bdafe2a5a
SHA256 d3d8cacad2d64836340d846fe35f30eb06a02131ff64c2fb0fa8071065058548
SHA512 0bc9d8844df1fc09815b6226186f095dfe2630b0070999a840a07e458b104d03b2fbb969a56e6d62756fc11e7eecc9d25c3cc4a9a2b7d58ba1d9de1cc60d9158

memory/2536-17-0x0000000003720000-0x00000000037B2000-memory.dmp

memory/2536-18-0x0000000003720000-0x00000000037B2000-memory.dmp

memory/2536-21-0x00000000037C0000-0x00000000038DB000-memory.dmp

memory/2416-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2416-24-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2416-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2416-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2416-51-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2728-53-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2728-54-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/624-61-0x0000000000400000-0x0000000000537000-memory.dmp

memory/624-62-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 e6c9e8018274f296078015b6fab48469
SHA1 a4a72cb5ca0ac2370645e60aef9e2b7bb73aac85
SHA256 44f66139bef87c89c254caf009e526f85b9dfca97ba33370917b1dcc23f6fa5a
SHA512 013fa0b2b267220565c0a8ac7e7a7fa321f37558dbe6fedf5439d6b2e127c6bfebd2e57c1774223b67ae79cc3af1d8a7dd28b0f73c36136b5b0987be7eba4247

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 285f2d7ac11b816c0b93dddd72f3f074
SHA1 70bfc113e962459afabde81294847754bf7ae540
SHA256 fa170ab755d01dd13745aa6c2bbc19a90b57ff0abf67574147a2389e97899939
SHA512 5c0148dd35a8a626d003269910b7ca283bd3619d658f968d04b268674f188e6f00ba5f26dc1f59847e02929770d70075546027fc5e1e2cff85ffb93c71b7797e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4644e194a69276e8f8186cb3236b796
SHA1 ac6a4aaca0289d9b5c984ab91267a6b0fc6b3042
SHA256 d35bf6136dcb64e1a1ed569e0f6664857c9967607d931bbebec60eacb2b0ed91
SHA512 a9c17353a27eaf63d014d126527d7fb9821c5859fd4bed276b2d7941ce5035f5362f03685df1d2402a9253e8c00056e6d4a2c7169a3f4adac5728a2baf7ba611

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 cef03983b8c689553225c417a24acfb0
SHA1 24d0c3f705d3403a916259ac38b7e1b5ec1215cb
SHA256 f09737bcdfa8b7a581ea128c5b41a840a8820fc240ec62d9ffbc6f93ca42fd07
SHA512 fbb3a3ff7688ed15246c67df2e563b0b38908ffe553a4756c5810f6cf729010221d09f27231e1c21c4395f8c3d1ba780701888400c722354a900e934abd188dd

C:\Users\Admin\AppData\Local\Temp\Cab1A92.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/624-77-0x0000000000400000-0x0000000000537000-memory.dmp

memory/624-78-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build2.exe

MD5 d37b17fc3b9162060a60cd9c9f5f7e2c
SHA1 5bcd761db5662cebdb06f372d8cb731a9b98d1c5
SHA256 36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f
SHA512 04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea

memory/2100-92-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1728-94-0x0000000002030000-0x0000000002130000-memory.dmp

memory/1728-95-0x0000000000230000-0x0000000000262000-memory.dmp

memory/2100-96-0x0000000000400000-0x0000000000645000-memory.dmp

memory/2100-99-0x0000000000400000-0x0000000000645000-memory.dmp

memory/2100-100-0x0000000000400000-0x0000000000645000-memory.dmp

memory/624-104-0x0000000000400000-0x0000000000537000-memory.dmp

memory/624-106-0x0000000000400000-0x0000000000537000-memory.dmp

memory/624-107-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar400D.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar4245.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/624-159-0x0000000000400000-0x0000000000537000-memory.dmp

memory/624-181-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4D18.exe

MD5 74cf066c5c492eb825b36550b1e38326
SHA1 8f211213fbd6905b5e44bf2af07e481832198a7f
SHA256 24201da166b3e59a7a2b79f24881222c41e35f26642dd757fcc51ec47c9404e4
SHA512 24ad3ebb70332741959b13be504ec2b3baee9668bb3a8e8ae314432ac2e084ad11c03f4abfba6f7557273cddb1b3d2e2361c71246f3fd7fccabae218dd8b2e91

memory/1704-247-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1704-249-0x0000000000A40000-0x0000000001633000-memory.dmp

memory/1704-250-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1704-252-0x0000000000A40000-0x0000000001633000-memory.dmp

memory/1704-254-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1704-256-0x00000000775F0000-0x00000000775F1000-memory.dmp

memory/1704-255-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1704-258-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1704-261-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1704-260-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1704-263-0x0000000000150000-0x0000000000151000-memory.dmp

memory/1704-265-0x0000000000150000-0x0000000000151000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\568B.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/1704-276-0x0000000000160000-0x0000000000161000-memory.dmp

memory/1704-279-0x0000000000160000-0x0000000000161000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6b5ae70e3c46567bf52724c44b03e70
SHA1 f5cb0c4e1e170dff69399b64f6e270d2eca98cfb
SHA256 ea876312d89c8c495b325c1409ac727ba6949fe04e9be3c1a38842e31226439b
SHA512 4e01ef52b0cc763634d203837440fbc3a847ec8f9a28d7f1fa8e8897c6a56b11953aac04fdcacd4d99911cab2879a035cd84e3dd1c8cdeebb08c1cec51a7a363

\Users\Admin\AppData\Local\33295de1-071e-4b55-92e1-f97ce76c95f6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2100-315-0x0000000000400000-0x0000000000645000-memory.dmp

memory/624-314-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 516d54ac917ab01e3624997f809a08c5
SHA1 b58948b318f260787072a21e2a242657fb52ae83
SHA256 cb05455bc0470da7030f4c4225bcdf9e9be82225cb96a9855e1f9b1a4ace34df
SHA512 c9b51c9f5c557eaf81a4df16d3235a44246f84b81b916ceb665d3e142aad6c3162ea953777a55126f0714f418674ba090eb3918c3e30f38677c71bed29d9a847

C:\Users\Admin\AppData\Local\Temp\9001.exe

MD5 769c5abb47277b60627d09c97506b9f0
SHA1 1a9da6ca44945852f416852acdd93aa140c6d884
SHA256 6011423d24abd6ce8c2b360ad1cc7e2a290f145a4b4ff0c9b73f539f8d9036ee
SHA512 4786afdfed7214ad9309e6e2a00b68218e1597d063277f1222112ac3bd76ffda92917ea9e948e33267ccc9da3a134a1bdba7685ff49182cc31c8372bc92f585b

C:\Users\Admin\AppData\Local\Temp\9001.exe

MD5 1047d7617f162d488920965b0a8b876c
SHA1 059afd73ca2f9b7c358979a6f1cc99c5424281a2
SHA256 58b5bdc3cd4730734032dcc2dde7452889e6b6a12f3ae61e142df1121551859c
SHA512 698483dca1f3dc3a3056b041a7c70e1609d86dcc4dc9751b04a67810be19c999235372d1a07d5806459f51d513deab91524c6fccd83b554afc331914690b74ac

memory/2860-370-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2724-375-0x0000000000220000-0x0000000000224000-memory.dmp

memory/2860-374-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2724-373-0x0000000000930000-0x0000000000A30000-memory.dmp

memory/2860-378-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2860-380-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2812-383-0x0000000003D90000-0x0000000004188000-memory.dmp

memory/2812-384-0x0000000003D90000-0x0000000004188000-memory.dmp

memory/2812-385-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/2812-386-0x0000000004190000-0x0000000004A7B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9001.exe

MD5 1a8d6df33421f574903e7207c226cbcb
SHA1 179d1a4eb4901cd5f8fb8f8a4c4dc1a6f5e1331f
SHA256 982799aae2affef426ff5fe70201ffc1ad89bfe7d912fe3f2f9a800110c1f53f
SHA512 4f3cf03fed356a61742cfea28750403d4617be081c690ec7d8bb949a416a04c814717a68dcae65505975ecb02c403a25425a6302df5b585b3ad96c157e25716d

\Users\Admin\AppData\Local\Temp\C61F.exe

MD5 e3f3301ccc21a6543ebab0c8bc83790f
SHA1 aaa845e75c795d01fbdd29ea3292147ee82597f0
SHA256 3b43045a9cdc9384c98e2f9757bc968bbce22e88d675d8095ad7c7d66159857b
SHA512 5e83296c0235c21d834767b949411325bf728776aeff49088491e0a8e2c738078fc79bdaeacb395a4147bfb4e18e78e2fc4e16f022a2a3e9390d2b79737a6e39

C:\Users\Admin\AppData\Local\Temp\C61F.exe

MD5 c00114cd21c605efb9f433a0a026d92d
SHA1 91266036843eb217edba0ab5728a1ea4e0577597
SHA256 1fc7c3d55e038721889650c9cdf34b34a302892586756d2f2e4d8b3b9d1ecc9f
SHA512 b98bd8ac8cd00cc574b61d96cebf0937796d880505567e63d11febaa1dcbceade0a725ab8051c5581a7922f7e37a71147e002c8e181fdc9da641e28ae6246a46

memory/2944-392-0x000000013F340000-0x000000013FFA2000-memory.dmp

memory/3044-413-0x0000000000270000-0x0000000000370000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9001.exe

MD5 bb197f6eb72e40010025d12ac608ddea
SHA1 4868b3b545c5caf616af500b6ec529670b0ad24e
SHA256 1cd1197d6b185a20815b956ccd8823365337b3bdd4cb31c2d98b15cf5d85b42d
SHA512 ced47870f023791544a0307cbf1389dcb70beee247e37c3ee6b41b31a52b872d3118953f79df688fb6bbb5622d99a31a42308e2ef3f82a2cfc34cbe4c64092ff

memory/2812-422-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/2812-423-0x0000000003D90000-0x0000000004188000-memory.dmp

memory/2268-426-0x0000000003E30000-0x0000000004228000-memory.dmp

memory/2268-427-0x0000000000400000-0x00000000022EF000-memory.dmp

\Windows\rss\csrss.exe

MD5 1ed73731105dbbc2701317221c1a9f64
SHA1 f4cad25d877bbba545db0f6719492f87859266fa
SHA256 ad0a61a31e4d3f7c61e3710394a7f9515761d56d1ac3300881510fce978814f2
SHA512 69a44d44444a52ef08d70ebbf5a3a1cf5bd3da0c6253ba9d57cce00adba08fed9baafeb0146737fedee5989d7f191da422be6e3a169ca87b2645c8cdd7ec94b0

C:\Windows\rss\csrss.exe

MD5 34a7cb4c993468cfd20d9481439d4bd0
SHA1 533e942865e2fa12d72b28393e6fe58cf5b0175b
SHA256 09ff5d0261cf1fd53a42a1f2601ff82c828a683b9c2925f8a8256ada68645950
SHA512 c9eb82fe7fb02e43336efa861cda687c8e4ef3cfae27065d614bed0525317b6a8026878065afc6d8d7343bcd294305a7ca7d611887b6e41a3ea1fa2994eb2de1

memory/2268-444-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/2660-447-0x0000000003E00000-0x00000000041F8000-memory.dmp

memory/2660-448-0x0000000000400000-0x00000000022EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/328-465-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/328-478-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 57733d2304b03d309905696773ff54ca
SHA1 d6a1e4ecb8de85c95f955da26a5eb4f872b710fa
SHA256 3550dd6d5b1bd68f319dbb8d161c83cbe375f56fbbcd45a60da82cdeb79ab327
SHA512 6b41140f933e2cbc091ca19864474839865261a4b26f39ce9712b12df26d21bbe87b4d4ac2f8f6bf46b60fc1ecd4f6f4d1e471037da76b5f2bbe8875239e62a1

memory/2660-497-0x0000000000400000-0x00000000022EF000-memory.dmp
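
The Files list is long enough that its most useful fact hides in it: several paths appear more than once with different hashes (9001.exe four times, C61F.exe twice, csrss.exe twice, one CryptnetUrlCache MetaData file several times), which means the loader rewrote or re-downloaded those files during the run, so a single hash per filename is not a complete indicator set. The parser below, added as an example and not part of the report, reads the section's layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines, interleaved with memory/PID-N-start-end dump names), groups entries by normalized path, checks that every digest has the length its algorithm implies (a cheap guard against copy damage before the hashes go into a blocklist), and ranks dumped memory regions by size, which is how to pick the unpacked image out of the dump names. The embedded text is a constructed excerpt of the section (SHA512 lines dropped); treating drive-less paths such as \Windows\rss\csrss.exe as living on C: is this example's assumption.

```python
import re
from collections import defaultdict

# Excerpt of the report's Files section (constructed subset; SHA512 lines omitted).
FILES_TEXT = r"""
memory/1708-3-0x0000000000400000-0x0000000001F00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F4EA.exe

MD5 b4496d2224777403415440dfe5f13a86
SHA1 5c175589db78cce01a9730eb85e2898bdafe2a5a
SHA256 d3d8cacad2d64836340d846fe35f30eb06a02131ff64c2fb0fa8071065058548

memory/624-61-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9001.exe

MD5 769c5abb47277b60627d09c97506b9f0
SHA1 1a9da6ca44945852f416852acdd93aa140c6d884
SHA256 6011423d24abd6ce8c2b360ad1cc7e2a290f145a4b4ff0c9b73f539f8d9036ee

C:\Users\Admin\AppData\Local\Temp\9001.exe

MD5 1047d7617f162d488920965b0a8b876c
SHA1 059afd73ca2f9b7c358979a6f1cc99c5424281a2
SHA256 58b5bdc3cd4730734032dcc2dde7452889e6b6a12f3ae61e142df1121551859c

memory/2812-385-0x0000000000400000-0x00000000022EF000-memory.dmp

\Users\Admin\AppData\Local\Temp\C61F.exe

MD5 e3f3301ccc21a6543ebab0c8bc83790f
SHA1 aaa845e75c795d01fbdd29ea3292147ee82597f0
SHA256 3b43045a9cdc9384c98e2f9757bc968bbce22e88d675d8095ad7c7d66159857b

\Windows\rss\csrss.exe

MD5 1ed73731105dbbc2701317221c1a9f64
SHA1 f4cad25d877bbba545db0f6719492f87859266fa
SHA256 ad0a61a31e4d3f7c61e3710394a7f9515761d56d1ac3300881510fce978814f2

C:\Windows\rss\csrss.exe

MD5 34a7cb4c993468cfd20d9481439d4bd0
SHA1 533e942865e2fa12d72b28393e6fe58cf5b0175b
SHA256 09ff5d0261cf1fd53a42a1f2601ff82c828a683b9c2925f8a8256ada68645950
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def normalize(path):
    """Lower-case the path; drive-less entries are assumed to be on C: (example's assumption)."""
    p = path.strip()
    if p.startswith("\\"):
        p = "C:" + p
    return p.lower()


def parse_files(text):
    """Return (files, dumps): hashed file entries and memory-dump regions."""
    files, dumps, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, _seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "start": int(start, 16), "end": int(end, 16)})
            cur = None
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = m.group(2).lower()
        elif "\\" in line:                      # a path line starts a new entry
            cur = {"path": normalize(line), "listed_as": line}
            files.append(cur)
    return files, dumps


def bad_hashes(files):
    """Entries whose digest length does not match the algorithm (copy/paste damage)."""
    return [(f["listed_as"], algo) for f in files
            for algo, n in HEX_LEN.items() if algo in f and len(f[algo]) != n]


def rewritten_paths(files):
    """Paths seen with more than one SHA256: same name, different content over the run."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            by_path[f["path"]].add(f["SHA256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def largest_regions(dumps, top=3):
    """(pid, start, size) of the biggest dumped regions; the unpacked image is usually here."""
    sized = sorted(dumps, key=lambda d: d["end"] - d["start"], reverse=True)
    return [(d["pid"], hex(d["start"]), d["end"] - d["start"]) for d in sized[:top]]


if __name__ == "__main__":
    files, dumps = parse_files(FILES_TEXT)
    print("bad digests:", bad_hashes(files))
    for path, hashes in rewritten_paths(files).items():
        print(path, "->", len(hashes), "distinct SHA256")
    for pid, start, size in largest_regions(dumps):
        print(f"pid {pid} region at {start}: {size} bytes")
```

Every distinct SHA256 for a rewritten path should be blocked, not just the last one; the 9001.exe and csrss.exe variants in the full list are different files that happen to share a name on disk.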

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-07 02:11

Reported

2024-03-07 02:13

Platform

win10v2004-20240226-en

Max time kernel

119s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7df1bef0-3408-4ac0-ae86-00253b231c8e\\C0C0.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C0C0.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\C0C0.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7df1bef0-3408-4ac0-ae86-00253b231c8e\\C0C0.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\C0C0.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3092 set thread context of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 set thread context of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\973D.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\973D.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\973D.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3464 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3464 wrote to memory of 3092 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3092 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 500 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Windows\SysWOW64\icacls.exe
PID 500 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Windows\SysWOW64\icacls.exe
PID 500 wrote to memory of 4304 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Windows\SysWOW64\icacls.exe
PID 500 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 500 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 500 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 4020 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3464 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\88C4.exe
PID 3464 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\88C4.exe
PID 3464 wrote to memory of 2928 N/A N/A C:\Users\Admin\AppData\Local\Temp\88C4.exe
PID 3464 wrote to memory of 464 N/A N/A C:\Windows\system32\cmd.exe
PID 3464 wrote to memory of 464 N/A N/A C:\Windows\system32\cmd.exe
PID 464 wrote to memory of 4492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 464 wrote to memory of 4492 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3464 wrote to memory of 2356 N/A N/A C:\Users\Admin\AppData\Local\Temp\973D.exe
PID 3464 wrote to memory of 2356 N/A N/A C:\Users\Admin\AppData\Local\Temp\973D.exe
PID 3464 wrote to memory of 2356 N/A N/A C:\Users\Admin\AppData\Local\Temp\973D.exe
PID 3464 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\Temp\A363.exe
PID 3464 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\Temp\A363.exe
PID 2356 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 4920 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\system32\cmd.exe
PID 464 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\system32\cmd.exe
PID 992 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 992 wrote to memory of 1700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 464 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 832 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 464 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\973D.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe

"C:\Users\Admin\AppData\Local\Temp\29645afd1579bf501163d73ffb4cefe7043e85b47f030a2c633d721a9b10efee.exe"

C:\Users\Admin\AppData\Local\Temp\C0C0.exe

C:\Users\Admin\AppData\Local\Temp\C0C0.exe

C:\Users\Admin\AppData\Local\Temp\C0C0.exe

C:\Users\Admin\AppData\Local\Temp\C0C0.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\7df1bef0-3408-4ac0-ae86-00253b231c8e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\C0C0.exe

"C:\Users\Admin\AppData\Local\Temp\C0C0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\C0C0.exe

"C:\Users\Admin\AppData\Local\Temp\C0C0.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2292 -ip 2292

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 568

C:\Users\Admin\AppData\Local\Temp\88C4.exe

C:\Users\Admin\AppData\Local\Temp\88C4.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8C7E.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\973D.exe

C:\Users\Admin\AppData\Local\Temp\973D.exe

C:\Users\Admin\AppData\Local\Temp\A363.exe

C:\Users\Admin\AppData\Local\Temp\A363.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\973D.exe

"C:\Users\Admin\AppData\Local\Temp\973D.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\336F.exe

C:\Users\Admin\AppData\Local\Temp\336F.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files
