Malware Analysis Report

2025-01-02 11:12

Sample ID 240307-cnsd5adc22
Target 336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe
SHA256 336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69
Tags
dcrat djvu glupteba smokeloader vidar e2da5861d01d391b927839bbec00e666 pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan lumma rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69

Threat Level: Known bad

The file 336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe was found to be: Known bad.

Malicious Activity Summary

dcrat djvu glupteba smokeloader vidar e2da5861d01d391b927839bbec00e666 pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan lumma rootkit upx

Djvu Ransomware

Detect Vidar Stealer

Windows security bypass

SmokeLoader

Vidar

Glupteba payload

DcRat

Glupteba

Detected Djvu ransomware

Lumma Stealer

Detects executables containing artifacts associated with disabling Windows Defender

UPX dump on OEP (original entry point)

Detects executables containing URLs to raw contents of a Github gist

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables containing a Discord URL observed in first-stage droppers

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects Windows executables referencing non-Windows User-Agents

Downloads MZ/PE file

Modifies Windows Firewall

Modifies file permissions

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Deletes itself

Windows security modification

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies system certificate store

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-07 02:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 02:13

Reported

2024-03-07 02:16

Platform

win7-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\62f0ed28-cadd-4879-bef8-d9a5ebe5bd57\\CFCD.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\CFCD.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows: hits recorded without indicator, process or target detail)

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A (14 identical rows: hits recorded without indicator, process or target detail)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (8 identical rows: hits recorded without indicator, process or target detail)

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\EE18.exe = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A (11 identical rows: hits recorded without indicator, process or target detail)

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A (5 identical rows: hits recorded without indicator, process or target detail)

Detects executables containing a Discord URL observed in first-stage droppers

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows: hits recorded without indicator, process or target detail)

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows: hits recorded without indicator, process or target detail)

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows: hits recorded without indicator, process or target detail)

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows: hits recorded without indicator, process or target detail)

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\EE18.exe = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\62f0ed28-cadd-4879-bef8-d9a5ebe5bd57\\CFCD.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\CFCD.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240307021539.cab C:\Windows\system32\makecab.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob not reproduced in report] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob not reproduced in report] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob not reproduced in report] C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob not reproduced in report] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob not reproduced in report] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob not reproduced in report] C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob not reproduced in report] C:\Windows\rss\csrss.exe N/A
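The registry rows in the Windows security bypass, Adds Run key and Modifies system certificate store tables above are the actionable part of this report: EE18.exe excludes its own drop directory (C:\Windows\rss), a driver directory and a payload named csrss.exe from Defender scanning, two Run values re-launch the payloads, and patch.exe, csrss.exe and build2.exe write certificates into the machine ROOT and AuthRoot stores. The script below is an added example written for this page, not sandbox output and not code from any of the families named in the tags. It parses rows in the report's flattened "Description Indicator Process Target" layout (a handful of rows copied from the tables above as constructed input; the Blob rows are left out because the report does not reproduce the blob data) and maps each write to the ATT&CK technique it evidences. The technique IDs and the comment on how Defender stores exclusions are additions by the editor; Defender records each exclusion as a DWORD value named after the excluded path or process name with data 0, so the "0" in the rows means the exclusion exists, not that anything was set to "off".

```python
import re

# Rows copied from this report's signature tables (constructed input for the
# example; Target column is N/A throughout and is part of each row).
REGISTRY_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1650401615-1019878084-3673944445-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\62f0ed28-cadd-4879-bef8-d9a5ebe5bd57\\CFCD.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\CFCD.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe N/A',
    # Benign MuiCache noise from the HKEY_USERS table, kept to show it is ignored.
    r'Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A',
]

# Flattened row: <op> <registry key> [= <value>] <process path> N/A
# Keys may contain spaces ("Windows Defender"), so the key is matched lazily
# and the process path (no spaces in this report) anchors the end.
ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str|data)\)|Key (?:created|opened|queried|enumerated))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+(?P<value>.+?))?'
    r'\s+(?P<process>C:\\\S+)\s+N/A$'
)


def parse_row(row):
    """Split one flattened table row into op / key / value / process."""
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f'unparsed row: {row!r}')
    return m.groupdict()


def classify(event):
    """Return (ATT&CK technique, finding) for a registry write, or None."""
    key = event['key']
    # Defender stores each exclusion as a value named after the excluded path
    # or process name with DWORD data 0; "0" means the exclusion exists.
    if '\\Windows Defender\\Exclusions\\' in key:
        kind, excluded = key.split('\\Windows Defender\\Exclusions\\', 1)[1].split('\\', 1)
        return ('T1562.001', f'Defender {kind.lower()} exclusion: {excluded}')
    m = re.search(r'\\CurrentVersion\\Run\\([^\\]+)$', key)
    if m:
        return ('T1547.001', f'Run value {m.group(1)} = {event["value"]}')
    m = re.search(r'\\SystemCertificates\\(ROOT|AuthRoot)\\Certificates\\([0-9A-F]{40})', key)
    if m:
        return ('T1553.004', f'{m.group(1)} store certificate {m.group(2)}')
    return None


def triage(rows):
    """Group findings by the process that performed the write."""
    findings = {}
    for row in rows:
        ev = parse_row(row)
        hit = classify(ev)
        if hit:
            findings.setdefault(ev['process'], []).append(hit)
    return findings


def techniques(rows):
    """Sorted list of distinct technique IDs evidenced by the rows."""
    return sorted({tech for hits in triage(rows).values() for tech, _ in hits})


if __name__ == '__main__':
    for proc, hits in triage(REGISTRY_ROWS).items():
        print(proc)
        for tech, what in hits:
            print(f'  {tech}  {what}')
```

The same check on a live host is the inverse of the sandbox view: compare the ExclusionPath and ExclusionProcess properties of Get-MpPreference against an allow-list, and treat any exclusion that names a user-writable directory or a system-process name such as csrss.exe living outside System32 as a finding. The certificate thumbprints (DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 and 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25) are worth carrying into hunt queries on their own, since a root-store addition survives removal of the dropped executables.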

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A
N/A N/A N/A N/A (62 identical rows: hits recorded without process detail)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EE18.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
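The Suspicious use of WriteProcessMemory table that follows lists one row per cross-process write, which is verbose but lets the dropper chain be reconstructed: PID 1216 spawns CFCD.exe (2700), which writes into a second copy of itself (2560), which in turn launches icacls.exe (2804) and a third CFCD.exe (2608) that writes into a fourth (2852), and that one starts build2.exe (2324), which writes into another build2.exe (1968). The script below is an added example written for this page, not sandbox output; it rebuilds that tree from rows in the report's layout (copied here as constructed input with the report's repeat counts, the last group cut off where the report is) and flags the parent-to-same-image edges whose write count is above the count the sandbox records for a plain spawn. Reading those edges as process hollowing is the editor's interpretation; the report itself only records the writes and the separate SetThreadContext and UnmapMainImage signatures, which are the same pattern's other half.

```python
import re

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table,
# repeated with the report's counts (constructed input for the example).
T = r'C:\Users\Admin\AppData\Local\Temp'
B = r'C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c'
WPM_ROWS = (
    [f'PID 1216 wrote to memory of 2700 N/A N/A {T}\\CFCD.exe'] * 4
    + [f'PID 2700 wrote to memory of 2560 N/A {T}\\CFCD.exe {T}\\CFCD.exe'] * 11
    + [f'PID 2560 wrote to memory of 2804 N/A {T}\\CFCD.exe C:\\Windows\\SysWOW64\\icacls.exe'] * 4
    + [f'PID 2560 wrote to memory of 2608 N/A {T}\\CFCD.exe {T}\\CFCD.exe'] * 4
    + [f'PID 2608 wrote to memory of 2852 N/A {T}\\CFCD.exe {T}\\CFCD.exe'] * 11
    + [f'PID 2852 wrote to memory of 2324 N/A {T}\\CFCD.exe {B}\\build2.exe'] * 4
    + [f'PID 2324 wrote to memory of 1968 N/A {B}\\build2.exe {B}\\build2.exe'] * 6  # cut off in report
)

# Row layout: "PID <p> wrote to memory of <c> N/A <parent image|N/A> <child image>"
ROW_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)$')


def build_tree(rows):
    """Return (edges, image): edges maps (parent, child) -> write count,
    image maps pid -> image path where the table names one."""
    edges, image = {}, {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f'unparsed row: {row!r}')
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] = edges.get((ppid, cpid), 0) + 1
        if m.group(3) != 'N/A':
            image[ppid] = m.group(3)
        image[cpid] = m.group(4)
    return edges, image


def roots(edges):
    """PIDs that write into others but are never written into."""
    return sorted({p for p, _ in edges} - {c for _, c in edges})


def render(edges, image):
    """Indented tree, one line per process, with the parent's write count."""
    lines = []

    def walk(pid, depth, writes):
        name = image.get(pid, '<not named in table>').rsplit('\\', 1)[-1]
        tag = f'  [{writes} writes from parent]' if writes else ''
        lines.append(f'{"  " * depth}{pid} {name}{tag}')
        for child in sorted(c for (p, c) in edges if p == pid):
            walk(child, depth + 1, edges[(pid, child)])

    for r in roots(edges):
        walk(r, 0, 0)
    return lines


def injection_candidates(edges, image):
    """Edges where a process writes into a child running the same image
    more often than the baseline count seen for plain spawns (icacls.exe,
    build2.exe launch): the self-injection pattern, listed as (p, c, n)."""
    baseline = min(edges.values())
    return [(p, c, n) for (p, c), n in edges.items()
            if n > baseline and image.get(p) == image.get(c)]


if __name__ == '__main__':
    edges, image = build_tree(WPM_ROWS)
    print('\n'.join(render(edges, image)))
    for p, c, n in injection_candidates(edges, image):
        print(f'self-injection candidate: {p} -> {c} ({n} writes)')
```

The baseline trick is specific to this run: every ordinary child creation in the table shows exactly four writes, so anything above that is the parent copying something into the child beyond what process start-up needs. On a different platform or sandbox version the baseline differs, which is why it is computed from the data rather than hard-coded.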

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 1216 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 1216 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 1216 wrote to memory of 2700 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2700 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Windows\SysWOW64\icacls.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Windows\SysWOW64\icacls.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Windows\SysWOW64\icacls.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Windows\SysWOW64\icacls.exe
PID 2560 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2560 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2560 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2560 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2608 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\Temp\CFCD.exe
PID 2852 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2852 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2852 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2852 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 2324 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe
PID 1968 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1968 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1968 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 1968 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2852 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2852 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2852 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2852 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\CFCD.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2584 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2584 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2584 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2584 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2584 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2584 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe
PID 2584 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe

"C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe"

C:\Users\Admin\AppData\Local\Temp\CFCD.exe

C:\Users\Admin\AppData\Local\Temp\CFCD.exe

C:\Users\Admin\AppData\Local\Temp\CFCD.exe

C:\Users\Admin\AppData\Local\Temp\CFCD.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\62f0ed28-cadd-4879-bef8-d9a5ebe5bd57" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\CFCD.exe

"C:\Users\Admin\AppData\Local\Temp\CFCD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\CFCD.exe

"C:\Users\Admin\AppData\Local\Temp\CFCD.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe

"C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe"

C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe

"C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 1444

C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe

"C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe"

C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe

"C:\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\B59A.exe

C:\Users\Admin\AppData\Local\Temp\B59A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 124

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\C860.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\EE18.exe

C:\Users\Admin\AppData\Local\Temp\EE18.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240307021539.log C:\Windows\Logs\CBS\CbsPersist_20240307021539.cab

C:\Users\Admin\AppData\Local\Temp\EE18.exe

"C:\Users\Admin\AppData\Local\Temp\EE18.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\taskeng.exe

taskeng.exe {D0E052A5-61C6-4C1F-97EC-8E9D37EA258F} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\5FFD.exe

C:\Users\Admin\AppData\Local\Temp\5FFD.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
PA 190.219.225.210:80 sdfjhuz.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 sajdfue.com udp
PA 190.219.225.210:80 sdfjhuz.com tcp
KR 211.171.233.129:80 sajdfue.com tcp
KR 211.171.233.129:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
DE 88.99.127.167:9000 88.99.127.167 tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 104.21.51.193:443 trypokemon.com tcp
US 8.8.8.8:53 loftproper.com udp
US 172.67.148.138:443 loftproper.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 172.67.192.62:443 valowaves.com tcp
US 8.8.8.8:53 941cdbfd-4531-48b9-b88d-e785dcdae75d.uuid.realupdate.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 dildefotokopi.com udp
TR 185.195.254.134:443 dildefotokopi.com tcp
TR 185.195.254.134:443 dildefotokopi.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 mega.nz udp
LU 31.216.144.5:443 mega.nz tcp
LU 31.216.144.5:443 mega.nz tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
LU 31.216.144.5:443 mega.nz tcp
LU 31.216.144.5:443 mega.nz tcp

Files

memory/3012-1-0x0000000001FD0000-0x00000000020D0000-memory.dmp

memory/3012-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/3012-3-0x0000000000400000-0x0000000001F00000-memory.dmp

memory/1216-4-0x0000000001C50000-0x0000000001C66000-memory.dmp

memory/3012-5-0x0000000000400000-0x0000000001F00000-memory.dmp

memory/3012-8-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CFCD.exe

MD5 b4496d2224777403415440dfe5f13a86
SHA1 5c175589db78cce01a9730eb85e2898bdafe2a5a
SHA256 d3d8cacad2d64836340d846fe35f30eb06a02131ff64c2fb0fa8071065058548
SHA512 0bc9d8844df1fc09815b6226186f095dfe2630b0070999a840a07e458b104d03b2fbb969a56e6d62756fc11e7eecc9d25c3cc4a9a2b7d58ba1d9de1cc60d9158

memory/2700-18-0x0000000001F90000-0x0000000002022000-memory.dmp

memory/2560-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2700-19-0x0000000001F90000-0x0000000002022000-memory.dmp

memory/2700-20-0x0000000003830000-0x000000000394B000-memory.dmp

memory/2560-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2560-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2560-29-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2560-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2608-54-0x0000000000300000-0x0000000000392000-memory.dmp

memory/2608-55-0x0000000000300000-0x0000000000392000-memory.dmp

memory/2852-62-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-63-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 b7291f30989eedd9466dcaff927dc554
SHA1 a8d9a4f2c2fd9add1aeb7d9adbc7e30bc0926345
SHA256 14990f15298b4d4ec96d9c5e028fe9fdd97c54ae9b16ecb6e7a9420f151b5af4
SHA512 c57dc74633fc53b67a8d9e90a5984dc6c8f5e49097eb035fe4a6d63236dcb51b2d6f2f5f335da7667e5de33524f3db94aba32c7ae2b9b667f7c26bd997a90b09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 285f2d7ac11b816c0b93dddd72f3f074
SHA1 70bfc113e962459afabde81294847754bf7ae540
SHA256 fa170ab755d01dd13745aa6c2bbc19a90b57ff0abf67574147a2389e97899939
SHA512 5c0148dd35a8a626d003269910b7ca283bd3619d658f968d04b268674f188e6f00ba5f26dc1f59847e02929770d70075546027fc5e1e2cff85ffb93c71b7797e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ffef80a14cab4c98248439f75c174e1f
SHA1 06827e26886753419cbc8b86e54fa9ac0f90fa3a
SHA256 40b5425dee42adc6fccf194967c16141f2bc018d0f890ba5a03c9241631261ed
SHA512 83de2bab2f095550b86193f0169a102a67d9dd61122f7697be5c9a021324df5e6438cc965b1c4879eace3c8f046a61cabd7992136987d6aae17d45f97f5392cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 53885b90d04f16cf0b29c5be4b7050fd
SHA1 a6de8a2c4863d53331842c5f3972903f0c27b8c0
SHA256 1220b7dab5d7a7dcfcc4bc6b0f7be81ab10d074d2c14b748dd1a31d23ce0c66a
SHA512 166af995144930636b39e5e190e838e057e3a33946b2d5750641278d728484bb2a42666fb0166753e7ae70682b8086d0106ffde518126c2c2f0cc773fe4b790b

C:\Users\Admin\AppData\Local\Temp\CabF518.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2852-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-79-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-86-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-85-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-90-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build2.exe

MD5 d37b17fc3b9162060a60cd9c9f5f7e2c
SHA1 5bcd761db5662cebdb06f372d8cb731a9b98d1c5
SHA256 36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f
SHA512 04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea

memory/1968-101-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1968-104-0x0000000000400000-0x0000000000645000-memory.dmp

memory/2324-105-0x0000000000230000-0x0000000000262000-memory.dmp

memory/2324-103-0x0000000002060000-0x0000000002160000-memory.dmp

memory/1968-108-0x0000000000400000-0x0000000000645000-memory.dmp

memory/1968-109-0x0000000000400000-0x0000000000645000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar276F.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar29B6.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/1968-244-0x0000000000400000-0x0000000000645000-memory.dmp

\Users\Admin\AppData\Local\00f6f27b-fa38-4f0a-b273-962170a5e16c\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2852-259-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1968-261-0x0000000000400000-0x0000000000645000-memory.dmp

memory/2584-268-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1604-269-0x0000000000400000-0x0000000000406000-memory.dmp

memory/2584-266-0x0000000000910000-0x0000000000A10000-memory.dmp

memory/1604-265-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1604-272-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1604-273-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B59A.exe

MD5 74cf066c5c492eb825b36550b1e38326
SHA1 8f211213fbd6905b5e44bf2af07e481832198a7f
SHA256 24201da166b3e59a7a2b79f24881222c41e35f26642dd757fcc51ec47c9404e4
SHA512 24ad3ebb70332741959b13be504ec2b3baee9668bb3a8e8ae314432ac2e084ad11c03f4abfba6f7557273cddb1b3d2e2361c71246f3fd7fccabae218dd8b2e91

memory/2772-286-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2772-289-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2772-288-0x00000000002E0000-0x0000000000ED3000-memory.dmp

memory/2772-291-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2772-292-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2772-293-0x0000000077680000-0x0000000077681000-memory.dmp

memory/2772-295-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2772-297-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2772-298-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2772-300-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2772-302-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2772-305-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2772-330-0x000000007767F000-0x0000000077680000-memory.dmp

memory/2772-339-0x0000000077680000-0x0000000077681000-memory.dmp

memory/2772-352-0x000000007767F000-0x0000000077680000-memory.dmp

memory/2772-362-0x000000007767F000-0x0000000077680000-memory.dmp

memory/2772-375-0x000000007767F000-0x0000000077680000-memory.dmp

memory/2772-389-0x0000000077680000-0x0000000077681000-memory.dmp

memory/2772-388-0x000000007767F000-0x0000000077680000-memory.dmp

memory/2772-408-0x000000007767F000-0x0000000077680000-memory.dmp

memory/2772-413-0x000000007767F000-0x0000000077680000-memory.dmp

memory/2772-414-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

\Users\Admin\AppData\Local\Temp\B59A.exe

MD5 76d3f6ebd5a112d28612b56c8d2ec630
SHA1 5c2ee37980e6891c99ba37f3e1dbac7d6464d28c
SHA256 a1a21f50505f0a5df0e2112d6b0b1caaa4ebf1364fa77aba868f892c6ba60bd8
SHA512 4df2910d59dc9d9693fc0515563324057b7da4b47415f43abe448cdad34b31141edcdc14ca0c220b0c20089f4e06084a3cc3db570d5b9a26698dbf98ac9acd48

\Users\Admin\AppData\Local\Temp\B59A.exe

MD5 25ae5380a1a131b5041d3af212f432e3
SHA1 7f0daff0e5704c67ba44ba05dd2e6757135be045
SHA256 4b5897c9ed085512050eceaa61f96b38f61a7618c7f97205dd0681edca1eb6b3
SHA512 c48a29e95c7fdd09cb5acb08b3af39cdcbf91b2c8d9098ce50d01191fa321c5a731512c3521712e39f58b3e775d19aac760cee7ba93eba22d5bae7e7a6b26d06

C:\Users\Admin\AppData\Local\Temp\C860.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 df33ab6ebe23da23f57278ee8961a602
SHA1 4fcb3c0622fa668afb7e0bf2936887b1d69b15d2
SHA256 08868f1867d749ae51781de29203f7401999387b61a39526e81e89ab3eb25e14
SHA512 07fa41f5b15ce09ffaac5ecaf2e0bc00fe57001756d1ee6acafd9e97f0f2c9206a1d7daeba449d893414dfc3b999136ec7f8817e5218a378701fbeac939a21b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d98fe527683059c575a9759a0b8601cf
SHA1 716a396013940719f286c80543051ee40c6d1643
SHA256 8b945577f641fc33c48a0b67e62ba39268a84d6e4d94eff37b7c42637a54c1b2
SHA512 d891eaa5d1d671b3d26e77ec15743c908438accd8aa95f00922b9b83b396d9c4c28e9961750b7cf81e0a3d6c55aa27def9e64521697b78d85bcbba6b50b02d34

C:\Users\Admin\AppData\Local\Temp\EE18.exe

MD5 1047d7617f162d488920965b0a8b876c
SHA1 059afd73ca2f9b7c358979a6f1cc99c5424281a2
SHA256 58b5bdc3cd4730734032dcc2dde7452889e6b6a12f3ae61e142df1121551859c
SHA512 698483dca1f3dc3a3056b041a7c70e1609d86dcc4dc9751b04a67810be19c999235372d1a07d5806459f51d513deab91524c6fccd83b554afc331914690b74ac

memory/2844-502-0x0000000003C50000-0x0000000004048000-memory.dmp

memory/2844-503-0x0000000004050000-0x000000000493B000-memory.dmp

memory/2844-504-0x0000000000400000-0x00000000022EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE18.exe

MD5 b46893b3e9688ba959fdecf4aeeb28bc
SHA1 e1a571b0b7f2ba89739891341fa08c4badddc5db
SHA256 2c48fe6d6e5e2feb5c6944f40c1b0556fc6ec016a658d2162e8bebefb42dcbe8
SHA512 43c5f8c92cbb9d510464096891d67ef35501d0c22363b9fff551f7e009836ec4f4846346446a1d813c4a7ccc50d086e29d960b19593990ba0d4a90c2a1414cda

memory/2844-511-0x0000000003C50000-0x0000000004048000-memory.dmp

memory/2844-512-0x0000000004050000-0x000000000493B000-memory.dmp

memory/2844-510-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/2548-514-0x0000000003DF0000-0x00000000041E8000-memory.dmp

memory/2548-515-0x0000000000400000-0x00000000022EF000-memory.dmp

\Windows\rss\csrss.exe

MD5 3a6db6c0f13f06a9cc51522b4172c8c8
SHA1 33911747fbebb8bde57d0daa28a9e5eda125e10f
SHA256 2e72fd2ff0ef0d9848230eb4ac0351df155b6908d550451dbd03697475aa3f67
SHA512 230ee359647d6c92263bcb06d6808764f61a5eacaa09dd4bea435734611e1e0ff70d39b549cd5696821d66dc296b0c6bc719259962b9da9492c7a11e6671da61

C:\Windows\rss\csrss.exe

MD5 378e6564d9b8b3dc81fc29d13fa7faae
SHA1 5a1fe5183b251397f952862240cd2f5824b7547d
SHA256 b28f205c74ba6faec74bdc7a177feb4c3edbe6c18595a03840f06667a02205e4
SHA512 5e35b810e460b275ce78d9a8aec032f5a0589688012a450372eddc1af3ceed0479be65334e80a8f1997eb5a5797072f0ab4dbd098324400fc8507d03d2b7f200

\Windows\rss\csrss.exe

MD5 e61efdd4c02b77edb530609142cf51cd
SHA1 da433bb906aa9155387b90472b4b5edbccee3fc8
SHA256 d5af7467fc80b286e342730e8daa6348f32c58a2a44939a9f31ff42c676fc200
SHA512 b2fb4f063a0bed44a18ff49ba46c49ca6ff72f579188f58aba940dadf17b1f1c217dc7deacac77e66def3923e02b9926fa9067c19b2f3c89c6f40f07a539db6a

memory/2548-528-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/2184-530-0x0000000003C90000-0x0000000004088000-memory.dmp

memory/2184-531-0x0000000000400000-0x00000000022EF000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 9b0ca69cba81b94d96de4dfc93596c87
SHA1 ba8dee8e28457e217e28a2a78e663e02fcee7b59
SHA256 cf99562a08fcc3deee8191be8932c62c31674a4fe09086727fe458c7f7c6dac9
SHA512 e43560d8e87ba88af9cefc45b234202c832230fbd74cd495dec724f5ee00d84e8a0f09f4de0ea1809f23077a7bd097b943f85494a01f4f4627a96aa08d53ef95

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 0a336e7486c388f2f3b9d0137d65a1f5
SHA1 7c3abeea1676fce225350384ae5710d76469e551
SHA256 fa67f3408a1b52b20aa7352ee094b7fb7b2a7fcea96a92eb53ce26daa1aa55b5
SHA512 44ab17e45ae164af935bbc78b2579e49fcc24afd53e89315a0bb41ee0559768ca8af82f0311de335ddd0bce668c2b11dcdcc5b2d938809ad303310702db207f1

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/668-538-0x0000000000410000-0x00000000009F8000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 23302d8f2f5fde0c9c91524a16498bcf
SHA1 dd8a8f4cef0a2488df7b315bc9319df475a59057
SHA256 26eada015e4797bbfc0a05aa6123edbe425551d849dee2da36dac2849d860908
SHA512 b28bedf211eac38e0c94247c9e547035d2fccf335745971e61b43b8c1a681ab78a976c4f18af5ffd6779ca17c64066eac16248633f27a08edc8d542a2c0cf81a

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1f75e653004692c56ba29f450b71ca86
SHA1 e0d9e9482f2ff759cb155b921f81f4c895cd1501
SHA256 c3730b5158a1f03445ede701b65982d8e1dc1997bbd36cde8c8b9103167cbfb8
SHA512 a35cc3007152dd1b33bd5258142708e693573548f02bad2b0b589bdc87a88766efb5c32f1b865408b05955a12f776b5123b66543f043505e848f73ec4f0d0237

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 0138459f3682fb6f7347606919af5b8f
SHA1 98c101576e861a5e2fc7ff992306a26d37e1d283
SHA256 2910d7b207a0e1931a204743859a27085895495382757932b9b363deb2c250cb
SHA512 c55f97aedd9053faea5490cdae100b54102840cb26f33f2a314d3b7ca131a4a06b40e93bf1bf3ebff493e980354a4359713a4e9ea46ac6593eb4dfccd9337b5a

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 36faf3a793dbb6e80cd9ec2282ae4404
SHA1 6118ce7d7e64040e97018d6d4383ddfb6f1394e5
SHA256 f8785b8eef542d5f08fdcb9d8d275aab8d8980dece2e4e5c7f26df3b02879cec
SHA512 f395e3d2c71117f5b8256ec25172f280ae74b99e4e7c3eec40e21ab14d486dfaeed3851437851deab9c7c54c3725b3c5a485e562cdd02e548ee9edd1df031e8e

memory/668-558-0x00000000004B0000-0x0000000000A98000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5e1f788a5b458eff999e9b72c376bbc
SHA1 36ef21945436e9793dc4516deebf170a8e52ef21
SHA256 710360fb3d774576ca9e38a76ddce77acaa7f432d2f799324c21bf4374ec3abe
SHA512 c4091fa176d676ae89497b5b622de5a68edc7fb77beebf8986a3e22df03c29a281585421edef1690bbf873ee63f32edae236acdd5c55495d0dcb4490261c0667

\Users\Admin\AppData\Local\Temp\5FFD.exe

MD5 450039a02217c53bd983eaf1fd34505a
SHA1 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256 d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512 cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

memory/1784-632-0x0000000000880000-0x0000000000980000-memory.dmp

memory/2184-642-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/668-643-0x0000000000410000-0x00000000009F8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-07 02:13

Reported

2024-03-07 02:16

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe"

Signatures

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows, no details recorded)

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows, no details recorded)

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows, no details recorded)

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows, no details recorded)

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows, no details recorded)

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows, no details recorded)

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AE60.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6d8992a8-b344-4c75-9787-37dd025ff4c3\\AE60.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\AE60.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2160 set thread context of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 set thread context of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1501 = "Turkey Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2752 = "Tomsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-891 = "Morocco Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A
N/A N/A N/A N/A (62 identical rows, no details recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3416 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 3416 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 3416 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4704 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Windows\SysWOW64\icacls.exe
PID 4704 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Windows\SysWOW64\icacls.exe
PID 4704 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Windows\SysWOW64\icacls.exe
PID 4704 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4704 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4704 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 3416 wrote to memory of 4820 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDD9.exe
PID 3416 wrote to memory of 4820 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDD9.exe
PID 3416 wrote to memory of 4820 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDD9.exe
PID 3416 wrote to memory of 684 N/A N/A C:\Windows\system32\cmd.exe
PID 3416 wrote to memory of 684 N/A N/A C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 684 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3416 wrote to memory of 3764 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe
PID 3416 wrote to memory of 3764 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe
PID 3416 wrote to memory of 3764 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe
PID 3764 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3416 wrote to memory of 3396 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BD4.exe
PID 3416 wrote to memory of 3396 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BD4.exe
PID 2412 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\system32\cmd.exe
PID 2412 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1236 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2412 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\rss\csrss.exe
PID 2412 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\rss\csrss.exe
PID 2412 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\rss\csrss.exe
PID 1612 wrote to memory of 3904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 3904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 3904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 4472 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
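Reading the execution chain out of these rows by eye is error-prone: the sandbox logs one row per write call, and PID 3984 is reused during the run (icacls.exe under AE60.exe, later powershell.exe under BA6.exe). The Python below is an added example written for this report, not sandbox output or code from the sample. It rebuilds the parent/child tree from a subset of the rows copied from the table, deduplicates them, and keys each process by (pid, image) so the reused PID does not merge two unrelated processes. The table never records an image for PID 3416, so that node is shown as N/A rather than guessed.

```python
"""Rebuild the process chain from the WriteProcessMemory rows of the report.

Added example for this report, not sandbox or sample code. ROWS is a subset
copied from the table (two duplicates kept on purpose, since the sandbox
emits one row per write). Row layout: PID <src> wrote to memory of <dst>,
then the Indicator column (N/A), the source image (or N/A) and the target image.
"""
import re
from collections import defaultdict

ROWS = r"""
PID 3416 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 3416 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 2160 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4704 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Windows\SysWOW64\icacls.exe
PID 4704 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 4072 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\AE60.exe C:\Users\Admin\AppData\Local\Temp\AE60.exe
PID 3416 wrote to memory of 4820 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDD9.exe
PID 3416 wrote to memory of 684 N/A N/A C:\Windows\system32\cmd.exe
PID 684 wrote to memory of 3152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3416 wrote to memory of 3764 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe
PID 3764 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3416 wrote to memory of 3396 N/A N/A C:\Users\Admin\AppData\Local\Temp\1BD4.exe
PID 2412 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\system32\cmd.exe
PID 1236 wrote to memory of 224 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2412 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 4816 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2412 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\BA6.exe C:\Windows\rss\csrss.exe
PID 1612 wrote to memory of 3904 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1612 wrote to memory of 4472 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Return unique (src_pid, src_image, dst_pid, dst_image) edges, in order."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        src_pid, dst_pid, src_img, dst_img = m.groups()
        edge = (int(src_pid), src_img, int(dst_pid), dst_img)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Key every process by (pid, image), not by pid alone: PID 3984 is first
    icacls.exe and later powershell.exe, so a bare PID is not a stable identity.
    Roots are nodes that never appear as a write target in the rows."""
    children = defaultdict(list)
    nodes = set()
    for sp, si, dp, di in edges:
        children[(sp, si)].append((dp, di))
        nodes.update([(sp, si), (dp, di)])
    targets = {(dp, di) for _, _, dp, di in edges}
    roots = sorted(n for n in nodes if n not in targets)
    return children, roots, nodes


def render(children, roots):
    """Indented 'pid basename' lines, one per process, depth-first."""
    lines = []

    def walk(node, depth):
        pid, image = node
        lines.append(f"{'  ' * depth}{pid} {image.rsplit(chr(92), 1)[-1]}")
        for child in children.get(node, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    children, roots, _ = build_tree(parse_rows(ROWS))
    print("\n".join(render(children, roots)))
```

Two roots come out: PID 3416 (the process that dropped AE60.exe, FDD9.exe, BA6.exe and 1BD4.exe) and PID 2412, the second BA6.exe instance that launches netsh, csrss.exe and the PowerShell children. The table records no write into 2412, so its parent has to be taken from the Processes list rather than from these rows.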

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe

"C:\Users\Admin\AppData\Local\Temp\336454ac34e8f8e0a87e35d3e140b5507a59fd100211f19c9f52829fb94ebe69.exe"

C:\Users\Admin\AppData\Local\Temp\AE60.exe

C:\Users\Admin\AppData\Local\Temp\AE60.exe

C:\Users\Admin\AppData\Local\Temp\AE60.exe

C:\Users\Admin\AppData\Local\Temp\AE60.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\6d8992a8-b344-4c75-9787-37dd025ff4c3" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\AE60.exe

"C:\Users\Admin\AppData\Local\Temp\AE60.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AE60.exe

"C:\Users\Admin\AppData\Local\Temp\AE60.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3476 -ip 3476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 568

C:\Users\Admin\AppData\Local\Temp\FDD9.exe

C:\Users\Admin\AppData\Local\Temp\FDD9.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\174.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\BA6.exe

C:\Users\Admin\AppData\Local\Temp\BA6.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1BD4.exe

C:\Users\Admin\AppData\Local\Temp\1BD4.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3516 -ip 3516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3516 -s 2496

C:\Users\Admin\AppData\Local\Temp\BA6.exe

"C:\Users\Admin\AppData\Local\Temp\BA6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files
