Malware Analysis Report

2025-01-02 11:12

Sample ID 240307-dg185aef71
Target cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe
SHA256 cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6
Tags
dcrat djvu glupteba smokeloader vidar e2da5861d01d391b927839bbec00e666 pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan lumma zgrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6

Threat Level: Known bad

The file cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe was found to be: Known bad.

Malicious Activity Summary


Lumma Stealer

Detect ZGRat V1

Glupteba payload

Windows security bypass

Vidar

SmokeLoader

Detected Djvu ransomware

Glupteba

ZGRat

DcRat

Djvu Ransomware

Detect Vidar Stealer

Detects Windows executables referencing non-Windows User-Agents

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables Discord URL observed in first stage droppers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables containing URLs to raw contents of a Github gist

Modifies Windows Firewall

Modifies Installed Components in the registry

Downloads MZ/PE file

Executes dropped EXE

Modifies file permissions

Windows security modification

Loads dropped DLL

Deletes itself

Checks computer location settings

Looks up external IP address via web service

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Modifies registry class

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-07 02:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-07 02:59

Reported

2024-03-07 03:02

Platform

win7-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d03ea5d4-e539-4448-8664-d65c9af83172\\B107.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\B107.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9AEA.exe = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\9AEA.exe = "0" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d03ea5d4-e539-4448-8664-d65c9af83172\\B107.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\B107.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240307030120.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ggaujte N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ggaujte N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ggaujte N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ggaujte N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\9AEA.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2520 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\ggaujte
PID 1144 wrote to memory of 2432 N/A N/A C:\Users\Admin\AppData\Local\Temp\B107.exe
PID 2432 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\B107.exe C:\Users\Admin\AppData\Local\Temp\B107.exe
PID 2420 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\B107.exe C:\Windows\SysWOW64\icacls.exe
PID 2420 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\B107.exe C:\Users\Admin\AppData\Local\Temp\B107.exe
PID 1744 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\B107.exe C:\Users\Admin\AppData\Local\Temp\B107.exe
PID 2120 wrote to memory of 592 N/A C:\Users\Admin\AppData\Local\Temp\B107.exe C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe
PID 592 wrote to memory of 560 N/A C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe
PID 560 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe C:\Windows\SysWOW64\WerFault.exe
PID 2120 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\B107.exe C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe
PID 2348 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe

"C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A3818EEB-2F67-490D-832B-698D71A791AB} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\ggaujte

C:\Users\Admin\AppData\Roaming\ggaujte

C:\Users\Admin\AppData\Local\Temp\B107.exe

C:\Users\Admin\AppData\Local\Temp\B107.exe

C:\Users\Admin\AppData\Local\Temp\B107.exe

C:\Users\Admin\AppData\Local\Temp\B107.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d03ea5d4-e539-4448-8664-d65c9af83172" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\B107.exe

"C:\Users\Admin\AppData\Local\Temp\B107.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B107.exe

"C:\Users\Admin\AppData\Local\Temp\B107.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe

"C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe"

C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe

"C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 1452

C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe

"C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe"

C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe

"C:\Users\Admin\AppData\Local\c760d36a-5b4b-40f2-aa46-8b54fdaa8b75\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\8400.exe

C:\Users\Admin\AppData\Local\Temp\8400.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 124

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\8B9F.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\9AEA.exe

C:\Users\Admin\AppData\Local\Temp\9AEA.exe

C:\Users\Admin\AppData\Local\Temp\A97B.exe

C:\Users\Admin\AppData\Local\Temp\A97B.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240307030120.log C:\Windows\Logs\CBS\CbsPersist_20240307030120.cab

C:\Users\Admin\AppData\Local\Temp\9AEA.exe

"C:\Users\Admin\AppData\Local\Temp\9AEA.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x514

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network

Country Destination Domain Proto

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-07 02:59

Reported

2024-03-07 03:02

Platform

win10v2004-20240226-en

Max time kernel

111s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe"

Signatures

Detect ZGRat V1

3 matches; no description, indicator, process or target was recorded for them

Detected Djvu ransomware

9 matches; no description, indicator, process or target was recorded for them

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

8 matches; no description, indicator, process or target was recorded for them

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Detects Windows executables referencing non-Windows User-Agents

6 matches; no description, indicator, process or target was recorded for them

Detects executables containing a Discord URL observed in first-stage droppers

6 matches; no description, indicator, process or target was recorded for them

Detects executables containing URLs to raw contents of a Github gist

6 matches; no description, indicator, process or target was recorded for them

Detects executables containing artifacts associated with disabling Windows Defender

6 matches; no description, indicator, process or target was recorded for them

Detects executables referencing many varying, potentially fake Windows User-Agents

6 matches; no description, indicator, process or target was recorded for them

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\20B2.exe N/A

Deletes itself

1 match; no description, indicator, process or target was recorded for it

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\f096597c-4b64-48a9-83bc-064b7e4e91d5\\20B2.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\20B2.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1180 set thread context of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 set thread context of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A
(62 further matches with no process recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

2 matches; no description, indicator, process or target was recorded for them

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3424 wrote to memory of 1180 N/A N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 3424 wrote to memory of 1180 N/A N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 3424 wrote to memory of 1180 N/A N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 1180 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 3648 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Windows\SysWOW64\icacls.exe
PID 3648 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Windows\SysWOW64\icacls.exe
PID 3648 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Windows\SysWOW64\icacls.exe
PID 3648 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 3648 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 3648 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 4192 wrote to memory of 3996 N/A C:\Users\Admin\AppData\Local\Temp\20B2.exe C:\Users\Admin\AppData\Local\Temp\20B2.exe
PID 3424 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\F827.exe
PID 3424 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\F827.exe
PID 3424 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\F827.exe
PID 3424 wrote to memory of 1116 N/A N/A C:\Windows\system32\cmd.exe
PID 3424 wrote to memory of 1116 N/A N/A C:\Windows\system32\cmd.exe
PID 1116 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1116 wrote to memory of 868 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3424 wrote to memory of 400 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDE.exe
PID 3424 wrote to memory of 400 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDE.exe
PID 3424 wrote to memory of 400 N/A N/A C:\Users\Admin\AppData\Local\Temp\EDE.exe
PID 3424 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\2804.exe
PID 3424 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\2804.exe
PID 400 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\EDE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\EDE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 400 wrote to memory of 2144 N/A C:\Users\Admin\AppData\Local\Temp\EDE.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe

"C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe"

C:\Users\Admin\AppData\Local\Temp\20B2.exe

C:\Users\Admin\AppData\Local\Temp\20B2.exe

C:\Users\Admin\AppData\Local\Temp\20B2.exe

C:\Users\Admin\AppData\Local\Temp\20B2.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\f096597c-4b64-48a9-83bc-064b7e4e91d5" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\20B2.exe

"C:\Users\Admin\AppData\Local\Temp\20B2.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\20B2.exe

"C:\Users\Admin\AppData\Local\Temp\20B2.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3996 -ip 3996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 220

C:\Users\Admin\AppData\Local\Temp\F827.exe

C:\Users\Admin\AppData\Local\Temp\F827.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FDA7.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\EDE.exe

C:\Users\Admin\AppData\Local\Temp\EDE.exe

C:\Users\Admin\AppData\Local\Temp\2804.exe

C:\Users\Admin\AppData\Local\Temp\2804.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\5976.exe

C:\Users\Admin\AppData\Local\Temp\5976.exe

C:\Users\Admin\AppData\Local\Temp\EDE.exe

"C:\Users\Admin\AppData\Local\Temp\EDE.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\D926.exe

C:\Users\Admin\AppData\Local\Temp\D926.exe
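
Several of the command lines in this Processes list carry more signal than the signature names suggest: the icacls call denies Everyone (S-1-1-0) delete and delete-child rights on the folder that 20B2.exe copied itself into, the --Admin and --AutoStart switches are the same relaunch convention as the SysHelper Run key set above, the netsh rule opens the firewall for a csrss.exe that lives in C:\Windows\rss rather than System32, and MsBuild.exe is started with no project argument. The Python below is an added example, not from the report or from any of the families it names: it runs a small set of triage rules over these command lines as copied from the page. The rule names, the list of core-process names used for the path check and the benign-host assumptions are this example's own.

```python
import re

# Command lines copied from the Processes list above, plus the Run-key value
# recorded under "Adds Run key to start application". The duplicate 20B2.exe
# entries are kept because the report lists two such processes.
COMMAND_LINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\cc28d7f2d6934af40e9f5ca9acc40179cd2688271ec778556aabfd2638a943e6.exe"',
    r'icacls "C:\Users\Admin\AppData\Local\f096597c-4b64-48a9-83bc-064b7e4e91d5" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'"C:\Users\Admin\AppData\Local\Temp\20B2.exe" --Admin IsNotAutoStart IsNotTask',
    r'"C:\Users\Admin\AppData\Local\Temp\20B2.exe" --Admin IsNotAutoStart IsNotTask',
    r'"C:\Users\Admin\AppData\Local\f096597c-4b64-48a9-83bc-064b7e4e91d5\20B2.exe" --AutoStart',
    r'C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 220',
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FDA7.bat" "',
    r'reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1',
    r'powershell -nologo -noprofile',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe',
]

# Rule names are this example's own. Each pattern targets one behaviour that
# is visible in the list above.
REGEX_RULES = {
    # icacls /deny on Everyone (S-1-1-0) with delete (DE) or delete-child (DC):
    # the folder the dropped copy lives in is being made undeletable.
    "icacls_deny_everyone_delete": re.compile(
        r"\bicacls\b.*?/deny\s+\*?S-1-1-0:\S*\b(?:DE|DC)\b", re.I),
    # --Admin / --AutoStart relaunch switches, as in the Run key value above.
    "relaunch_switches": re.compile(r"\s--(?:Admin|AutoStart)\b"),
    # Inbound allow rule added through netsh.
    "firewall_allow_rule": re.compile(
        r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I),
    # Per-user registry write via reg.exe.
    "reg_add_hkcu": re.compile(
        r"\breg(?:\.exe)?\s+add\s+\"?HK(?:CU|EY_CURRENT_USER)\\", re.I),
    # cmd /c running a batch file out of %TEMP%.
    "batch_from_temp": re.compile(
        r"\bcmd(?:\.exe)?\s+/c\s+\"*.*\\Temp\\[^\"]+\.bat\b", re.I),
    "powershell_noprofile": re.compile(r"\bpowershell(?:\.exe)?\b.*-noprofile\b", re.I),
    # MSBuild started with no project argument: a LOLBin launch, nothing to build.
    "msbuild_no_project": re.compile(r"\\MSBuild\.exe\"?\s*$", re.I),
}

# Core Windows process names that only belong in the system directories.
# The set is an assumption of this example, not something the report states.
SYSTEM_BINARY_NAMES = {"csrss.exe", "lsass.exe", "smss.exe", "services.exe",
                       "winlogon.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXE_PATH_RE = re.compile(r'[a-z]:\\[^"\s]+\.exe', re.I)


def masquerading_paths(cmdline):
    # Paths whose file name is a core process name but whose directory is not
    # System32 / SysWOW64, e.g. the C:\Windows\rss\csrss.exe in the netsh rule.
    hits = []
    for path in EXE_PATH_RE.findall(cmdline):
        directory, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM_BINARY_NAMES and directory.lower() not in SYSTEM_DIRS:
            hits.append(path)
    return hits


def triage(cmdlines):
    """Map rule name -> command lines that matched it."""
    hits = {}
    for cmd in cmdlines:
        for name, rx in REGEX_RULES.items():
            if rx.search(cmd):
                hits.setdefault(name, []).append(cmd)
        if masquerading_paths(cmd):
            hits.setdefault("system_binary_name_outside_system_dir", []).append(cmd)
    return hits


if __name__ == "__main__":
    for name, matched in triage(COMMAND_LINES).items():
        print(name)
        for cmd in matched:
            print("   ", cmd)
```

The WerFault.exe crash handler and the sample's own launch line trigger nothing, which is the point of keeping the rules narrow: each hit names one concrete action to investigate rather than a generic "suspicious process".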

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 195.177.78.104.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 70.174.106.193.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
MX 187.134.61.6:80 sdfjhuz.com tcp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 6.61.134.187.in-addr.arpa udp
US 8.8.8.8:53 68.179.17.96.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 trypokemon.com udp
US 172.67.185.36:443 trypokemon.com tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 loftproper.com udp
US 172.67.148.138:443 loftproper.com tcp
US 8.8.8.8:53 36.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 138.148.67.172.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 valowaves.com udp
US 104.21.51.243:443 valowaves.com tcp
US 8.8.8.8:53 243.51.21.104.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 dildefotokopi.com udp
TR 185.195.254.134:443 dildefotokopi.com tcp
US 8.8.8.8:53 134.254.195.185.in-addr.arpa udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 59.39.141.209.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp
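
Raw sandbox network tables mix resolver traffic, reverse lookups issued by the sandbox itself and a handful of real connections, and the repeated rows for one host hide how much of the table is a single beacon loop. The Python below is an added example, not part of the report: it reduces a copied subset of the rows above to a connection count per host, drops the 8.8.8.8:53 and in-addr.arpa rows, and separately lists names that were resolved but never connected to (the four .fun/.pw names, a pattern consistent with a fallback domain list where only the first reachable host is used). Treating tse1.mm.bing.net as sandbox background traffic is an assumption, as are the labels given to api.2ip.ua and the onion.ly gateway.

```python
from collections import Counter

# Subset of rows copied from the Network table above (Country Destination Domain Proto).
NETWORK_ROWS = """\
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
RU 193.106.174.70:80 trad-einmyus.com tcp
US 8.8.8.8:53 70.174.106.193.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
MX 187.134.61.6:80 sdfjhuz.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 dildefotokopi.com udp
TR 185.195.254.134:443 dildefotokopi.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
"""

# Assumptions, not report facts: background traffic of the sandbox image, and
# public IP-lookup services that are a behavioural indicator rather than C2.
ASSUMED_BENIGN = {"tse1.mm.bing.net"}
IP_LOOKUP_SERVICES = {"api.2ip.ua"}


def parse_rows(text):
    """One dict per row: country, ip, port, domain, proto."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows):
    """Return (connections, dns_only).

    connections: Counter keyed by (domain, ip, port, country) over non-DNS rows,
                 with allowlisted hosts removed.
    dns_only:    names the sample resolved but never connected to; reverse
                 lookups (in-addr.arpa) are resolver noise and are dropped.
    """
    connections = Counter()
    queried, connected = set(), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if not r["domain"].endswith(".in-addr.arpa"):
                queried.add(r["domain"])
            continue
        if r["domain"] in ASSUMED_BENIGN:
            continue
        connected.add(r["domain"])
        connections[(r["domain"], r["ip"], r["port"], r["country"])] += 1
    dns_only = sorted(queried - connected - ASSUMED_BENIGN)
    return connections, dns_only


def classify(domain):
    """Coarse label for the listing; the categories are this example's own."""
    if domain in IP_LOOKUP_SERVICES:
        return "ip-lookup"
    if domain.endswith(".onion.ly"):
        return "tor2web-gateway"
    return "contacted-host"


def render(connections, dns_only):
    lines = ["contacted hosts (count  domain  ip:port  country  label):"]
    for (domain, ip, port, cc), n in connections.most_common():
        lines.append(f"  {n:3d}  {domain}  {ip}:{port}  {cc}  {classify(domain)}")
    lines.append("resolved but never connected:")
    lines.extend(f"  {d}" for d in dns_only)
    return lines


if __name__ == "__main__":
    print("\n".join(render(*summarize(parse_rows(NETWORK_ROWS)))))
```

On the full table the same logic puts trad-einmyus.com (193.106.174.70:80) far ahead of every other host, which is the beacon loop; the DNS-only names are still worth blocking even though no bytes were exchanged with them.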

Files

memory/1608-1-0x0000000002110000-0x0000000002210000-memory.dmp

memory/1608-2-0x00000000020A0000-0x00000000020AB000-memory.dmp

memory/1608-3-0x0000000000400000-0x0000000001F00000-memory.dmp

memory/3424-4-0x0000000000A80000-0x0000000000A96000-memory.dmp

memory/1608-5-0x0000000000400000-0x0000000001F00000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\20B2.exe

MD5 b4496d2224777403415440dfe5f13a86
SHA1 5c175589db78cce01a9730eb85e2898bdafe2a5a
SHA256 d3d8cacad2d64836340d846fe35f30eb06a02131ff64c2fb0fa8071065058548
SHA512 0bc9d8844df1fc09815b6226186f095dfe2630b0070999a840a07e458b104d03b2fbb969a56e6d62756fc11e7eecc9d25c3cc4a9a2b7d58ba1d9de1cc60d9158

memory/1180-17-0x0000000003BF0000-0x0000000003C89000-memory.dmp

memory/1180-18-0x0000000003C90000-0x0000000003DAB000-memory.dmp

memory/3648-19-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3648-21-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3648-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3648-23-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3648-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4192-36-0x00000000021F0000-0x0000000002287000-memory.dmp

memory/3996-39-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3996-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3996-42-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F827.exe

MD5 f4c95e8b32a74bdbcd80c93303500a02
SHA1 5829be3e40b0acebacfbcff159fb45b276ade18d
SHA256 8c7203c100d21d8999b550842fa9781e7880a8f280b2e7e1a3f06d4dda1f445c
SHA512 57fc6efe23fa5cf22e591c93937ea56032b6dcef5a76d01008acdfc850bc4d68d301ee549979645da89e0d29b12a7fc5d059b0b2da1af94bce8e06c6f7a9c9ae

C:\Users\Admin\AppData\Local\Temp\F827.exe

MD5 64d4166bb79888a6ee896a501721bf07
SHA1 732272b92adfa014413ca5399f0ecd8468241f7b
SHA256 d5c75cd09e1cb7dd4719bd090d01a54495ead059414327add91beb2b1760c7d6
SHA512 9f77a869bc664a8189371d6ef28853a0b4ced424e5cfaca0884a53f7b4ada0c88c181487ccef4da73473ad1cb11ca78da2aa8e131fb772148e1e5a74b4c484d0

C:\Users\Admin\AppData\Local\Temp\FDA7.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/4244-55-0x0000000000170000-0x0000000000D63000-memory.dmp

memory/4244-54-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/4244-53-0x0000000001250000-0x0000000001251000-memory.dmp

memory/4244-56-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

memory/4244-57-0x0000000002EC0000-0x0000000002EC1000-memory.dmp

memory/4244-58-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

memory/4244-60-0x0000000000170000-0x0000000000D63000-memory.dmp

memory/4244-61-0x0000000002EF0000-0x0000000002EF1000-memory.dmp

memory/4244-62-0x0000000002F00000-0x0000000002F01000-memory.dmp

memory/4244-59-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

memory/4244-63-0x0000000002F10000-0x0000000002F11000-memory.dmp

memory/4244-64-0x0000000002F30000-0x0000000002F31000-memory.dmp

memory/4244-65-0x0000000002F40000-0x0000000002F41000-memory.dmp

memory/4244-66-0x0000000002F50000-0x0000000002F51000-memory.dmp

memory/4244-68-0x0000000002F70000-0x0000000002F71000-memory.dmp

memory/4244-67-0x0000000002F60000-0x0000000002F61000-memory.dmp

memory/4244-69-0x0000000002F80000-0x0000000002F81000-memory.dmp

memory/4244-70-0x0000000002F90000-0x0000000002F91000-memory.dmp

memory/4244-71-0x0000000002FA0000-0x0000000002FA1000-memory.dmp

memory/4244-72-0x0000000002FB0000-0x0000000002FB1000-memory.dmp

memory/4244-74-0x0000000002FD0000-0x0000000002FD1000-memory.dmp

memory/4244-73-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

memory/4244-75-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

memory/4244-77-0x0000000003000000-0x0000000003001000-memory.dmp

memory/4244-76-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

memory/4244-78-0x0000000003010000-0x0000000003011000-memory.dmp

memory/4244-79-0x0000000003020000-0x0000000003021000-memory.dmp

memory/4244-80-0x0000000003030000-0x0000000003031000-memory.dmp

memory/4244-83-0x00000000031D0000-0x0000000003210000-memory.dmp

memory/4244-85-0x0000000003040000-0x0000000003072000-memory.dmp

memory/4244-84-0x0000000003040000-0x0000000003072000-memory.dmp

memory/4244-87-0x0000000003040000-0x0000000003072000-memory.dmp

memory/4244-86-0x0000000003040000-0x0000000003072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDE.exe

MD5 1047d7617f162d488920965b0a8b876c
SHA1 059afd73ca2f9b7c358979a6f1cc99c5424281a2
SHA256 58b5bdc3cd4730734032dcc2dde7452889e6b6a12f3ae61e142df1121551859c
SHA512 698483dca1f3dc3a3056b041a7c70e1609d86dcc4dc9751b04a67810be19c999235372d1a07d5806459f51d513deab91524c6fccd83b554afc331914690b74ac

memory/400-93-0x0000000003F90000-0x0000000004397000-memory.dmp

memory/400-94-0x00000000043A0000-0x0000000004C8B000-memory.dmp

memory/400-95-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/4244-96-0x0000000000170000-0x0000000000D63000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2804.exe

MD5 4735a3ac68ec42c1c11a9da4995c2180
SHA1 bae8992b04298bdbe4493a3bd4af7bd8ec21df14
SHA256 c9cfea7d0004b96ce180d794bfd0e5f2930e4ac8d0a417e785816c2205e45d4f
SHA512 787e3d7bf4c8119bbf4b091d704854106251fbb579d912533cdd7b7404a36adeee0d0cc2e912fe162c41f331824ab7e04eb6689db150844b72afd1b0f3af2abb

C:\Users\Admin\AppData\Local\Temp\2804.exe

MD5 450039a02217c53bd983eaf1fd34505a
SHA1 930ed58a2f58ca7bf3e39aaee43fb541f1c6eeda
SHA256 d2eacbc922f248856b860aa7c31476ae4123f97e82cf69760ef216d9dca321f0
SHA512 cf37a82ea7b64f4633ac82c73feff3f829dda279a7caeac32a4cde7b0f82a43b37f67e620677a87d2eccc0eee6f8d68d0175a086487b2174b4f30b66aa4fb080

memory/2144-102-0x0000000002450000-0x0000000002486000-memory.dmp

memory/400-101-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/2144-104-0x0000000074170000-0x0000000074920000-memory.dmp

memory/2144-103-0x0000000005040000-0x0000000005668000-memory.dmp

memory/2144-105-0x0000000002930000-0x0000000002940000-memory.dmp

memory/2144-106-0x0000000002930000-0x0000000002940000-memory.dmp

memory/2144-107-0x0000000004EF0000-0x0000000004F12000-memory.dmp

memory/2144-108-0x00000000056E0000-0x0000000005746000-memory.dmp

memory/2144-109-0x0000000005750000-0x00000000057B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bybfl1le.340.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2144-119-0x0000000005920000-0x0000000005C74000-memory.dmp

memory/2144-120-0x0000000005DB0000-0x0000000005DCE000-memory.dmp

memory/2144-121-0x00000000062D0000-0x000000000631C000-memory.dmp

memory/2144-122-0x0000000006DC0000-0x0000000006E04000-memory.dmp

memory/2144-123-0x0000000002930000-0x0000000002940000-memory.dmp

memory/2144-124-0x0000000006ED0000-0x0000000006F46000-memory.dmp

memory/2144-125-0x0000000007800000-0x0000000007E7A000-memory.dmp

memory/2144-126-0x0000000007180000-0x000000000719A000-memory.dmp

memory/2144-129-0x0000000007330000-0x0000000007362000-memory.dmp

memory/1636-127-0x00007FF6CE720000-0x00007FF6CF382000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5976.exe

MD5 41fd57cd82f051d417151de9a8a77ab3
SHA1 a6e3ad8645ee9985529c72111923a4331007c1d2
SHA256 838f373d47ca0d141d9140d3e1a8d3cf9a127d8a3b72eea2bbf81e2e397b5fb9
SHA512 002808d1922789c49dfc72bb4f1a689bda8af9f1031ec8debde8cac37a51a5fe5c38eeb42459a84cdf264e592189fec9b7fba389f55c68f50019e0d18dbe1a05

memory/2144-135-0x00000000704C0000-0x0000000070814000-memory.dmp

memory/2144-145-0x0000000007310000-0x000000000732E000-memory.dmp

memory/2144-134-0x000000007EFD0000-0x000000007EFE0000-memory.dmp

memory/956-146-0x0000000074170000-0x0000000074920000-memory.dmp

memory/2144-147-0x0000000007370000-0x0000000007413000-memory.dmp

memory/956-148-0x0000000000C20000-0x0000000001374000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5976.exe

MD5 ac071ac86725eed386b62923d6ef575c
SHA1 671c44aa53cfb7dac93b616c0ba100aadaf8960a
SHA256 e0798f8698f42ce4ea28790432187910834816a589bf73e72ab2eb5cf10cabb7
SHA512 4f91d406e9a9d0d38b9b601a8259b523a681dfad318e5f6ebd4b136ea42f945f3a940e4dba12e46351b9630717207040c6f064a4d7f43ea6712a7ec5af0c7dce

memory/2144-131-0x00000000749F0000-0x0000000074A3C000-memory.dmp

memory/956-149-0x0000000005C30000-0x0000000005CCC000-memory.dmp

memory/956-150-0x0000000005C10000-0x0000000005C20000-memory.dmp

memory/2144-151-0x0000000007460000-0x000000000746A000-memory.dmp

memory/2144-152-0x0000000007540000-0x00000000075D6000-memory.dmp

memory/2144-153-0x00000000074A0000-0x00000000074B1000-memory.dmp

memory/2144-154-0x00000000074E0000-0x00000000074EE000-memory.dmp

memory/2144-155-0x00000000074F0000-0x0000000007504000-memory.dmp

memory/2144-156-0x00000000075E0000-0x00000000075FA000-memory.dmp

memory/2144-157-0x0000000007530000-0x0000000007538000-memory.dmp

memory/2144-160-0x0000000074170000-0x0000000074920000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EDE.exe

MD5 f0d232748eafdbd8b5785b8103608ccf
SHA1 4791b04755963ebfa65616a8ad12b9e38ad1ea0e
SHA256 1eeda2fcb2595e3d68ea8a5ff31f553630a2c80ca7fb77d3251adf34f244610b
SHA512 e1b63727162cb5d4910cc26306a52d5aae8d5f10280c4f9fe0aac57d0e8ed41ccf2462c935e3fa270467d7887fb12535c9db6861d972e024fe838fabbc61675a

memory/400-162-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/1636-163-0x00007FF6CE720000-0x00007FF6CF382000-memory.dmp

memory/400-164-0x0000000003F90000-0x0000000004397000-memory.dmp

memory/400-167-0x00000000043A0000-0x0000000004C8B000-memory.dmp

memory/1912-168-0x0000000004190000-0x0000000004589000-memory.dmp

memory/1912-169-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/1636-170-0x00007FF6CE720000-0x00007FF6CF382000-memory.dmp

memory/1912-171-0x0000000000400000-0x00000000022EF000-memory.dmp

memory/1232-173-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/1232-174-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/1232-172-0x0000000074170000-0x0000000074920000-memory.dmp

memory/1232-180-0x0000000005DF0000-0x0000000006144000-memory.dmp

memory/1232-186-0x0000000002E40000-0x0000000002E50000-memory.dmp

memory/1232-187-0x00000000749F0000-0x0000000074A3C000-memory.dmp

memory/1232-188-0x00000000709F0000-0x0000000070D44000-memory.dmp

memory/1232-198-0x0000000007610000-0x00000000076B3000-memory.dmp

memory/1636-202-0x00007FF6CE720000-0x00007FF6CF382000-memory.dmp

memory/1912-203-0x0000000000400000-0x00000000022EF000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8a52ee0c318f634098f62182691cac7f
SHA1 04c9d0e4ceb08ffa6e90bc8f5c8dd8a394ee85eb
SHA256 a1a001c1ca40eaa3a00cb5d39e94faf4e7a706cbc7bf535222776c0244b0633d
SHA512 e0c1b03c7bd6163f5f068043594d454c8e557b9ba57d0823d8d8175a1f2c4305315b6068b09d09d5fde4fe86601d007a177b4dcaaf0aeb7184ee171ae2e42be4

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

memory/2604-229-0x0000000000400000-0x000000000046D000-memory.dmp

memory/2604-234-0x0000000000400000-0x000000000046D000-memory.dmp