Malware Analysis Report

2025-01-02 11:08

Sample ID 240311-chrweaaa6v
Target 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe
SHA256 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80
Tags
dcrat glupteba smokeloader pub1 backdoor discovery dropper evasion infostealer loader persistence rat trojan djvu socks5systemz botnet ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80

Threat Level: Known bad

The file 2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe was found to be: Known bad.

Malicious Activity Summary

dcrat glupteba smokeloader pub1 backdoor discovery dropper evasion infostealer loader persistence rat trojan djvu socks5systemz botnet ransomware spyware stealer upx

Detected Djvu ransomware

Windows security bypass

DcRat

Djvu Ransomware

Glupteba

Glupteba payload

SmokeLoader

Socks5Systemz

Detect Socks5Systemz Payload

Detects executables containing artifacts associated with disabling Widnows Defender

Detect binaries embedding considerable number of MFA browser extension IDs.

Detects executables containing URLs to raw contents of a Github gist

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects Windows executables referencing non-Windows User-Agents

Detects executables referencing many varying, potentially fake Windows User-Agents

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects executables (downlaoders) containing URLs to raw contents of a paste

Detects executables packed with VMProtect.

Detects executables Discord URL observed in first stage droppers

UPX dump on OEP (original entry point)

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

Unexpected DNS network traffic destination

Drops startup file

UPX packed file

Loads dropped DLL

Modifies file permissions

Reads user/profile data of web browsers

Windows security modification

Checks installed software on the system

Modifies boot configuration data using bcdedit

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

NSIS installer

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-11 02:04

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-11 02:04

Reported

2024-03-11 02:07

Platform

win10v2004-20240226-en

Max time kernel

30s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables (downlaoders) containing URLs to raw contents of a paste

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Widnows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6irhTGsiPKWfASUsb93L7aDx.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\coA3Xnx8JT5OL07A29dOVXuG.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1mHuWi8cjnAZXsdd9cWRrcVz.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cgAwUuCakky44HLKdefSzHQX.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SoS8mlckjV3rEyFc3oM19cTZ.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2000 set thread context of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp N/A
N/A N/A C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe N/A
N/A N/A C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2000 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2000 wrote to memory of 4952 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4480 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe
PID 4480 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe
PID 4480 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe
PID 4480 wrote to memory of 4136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe
PID 4480 wrote to memory of 4136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe
PID 4480 wrote to memory of 4136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe
PID 4136 wrote to memory of 656 N/A C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp
PID 4136 wrote to memory of 656 N/A C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp
PID 4136 wrote to memory of 656 N/A C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp
PID 656 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 656 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 656 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 656 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 656 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 656 wrote to memory of 2052 N/A C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 4480 wrote to memory of 1640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe
PID 4480 wrote to memory of 1640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe
PID 4480 wrote to memory of 1640 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe
PID 1640 wrote to memory of 4640 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 4640 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 4640 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2712 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2712 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2712 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 1604 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\system32\cmd.exe
PID 3176 wrote to memory of 1604 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\system32\cmd.exe
PID 1604 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1604 wrote to memory of 4980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3176 wrote to memory of 5092 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 5092 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 5092 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2432 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2432 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 2432 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3176 wrote to memory of 1916 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\rss\csrss.exe
PID 3176 wrote to memory of 1916 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\rss\csrss.exe
PID 3176 wrote to memory of 1916 N/A C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe C:\Windows\rss\csrss.exe
PID 1916 wrote to memory of 3036 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3036 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3036 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4480 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe
PID 4480 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe
PID 4480 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe
PID 5032 wrote to memory of 4608 N/A C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 5032 wrote to memory of 4608 N/A C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 5032 wrote to memory of 4608 N/A C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 1916 wrote to memory of 1948 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 1948 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 1948 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 3300 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe

"C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe

"C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe"

C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe

"C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe"

C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp" /SL5="$100062,1507995,56832,C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe"

C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe

"C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe" -i

C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe

"C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe" -s

C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe

"C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe

"C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1640 -ip 1640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 772

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3176 -ip 3176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3176 -s 860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe

"C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 172.67.169.89:443 yip.su tcp
US 8.8.8.8:53 galandskiyher5.com udp
DE 185.172.128.126:80 185.172.128.126 tcp
US 8.8.8.8:53 midnight.bestsup.su udp
US 8.8.8.8:53 namecloudvideo.org udp
US 15.204.49.148:80 15.204.49.148 tcp
US 8.8.8.8:53 net.geo.opera.com udp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 104.21.29.103:80 midnight.bestsup.su tcp
US 172.67.164.28:443 namecloudvideo.org tcp
US 141.98.235.153:80 galandskiyher5.com tcp
US 8.8.8.8:53 89.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 148.49.204.15.in-addr.arpa udp
US 8.8.8.8:53 153.235.98.141.in-addr.arpa udp
US 8.8.8.8:53 126.128.172.185.in-addr.arpa udp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 103.29.21.104.in-addr.arpa udp
US 8.8.8.8:53 28.164.67.172.in-addr.arpa udp
US 8.8.8.8:53 112.182.26.185.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 shipbank.org udp
US 104.21.10.217:443 shipbank.org tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 217.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 7ecfc141-67e1-4dcd-9e8b-602e6a90a459.uuid.statstraffic.org udp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp

Files

memory/4480-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4480-1-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/4480-2-0x0000000005790000-0x00000000057A0000-memory.dmp

C:\Users\Admin\Pictures\ulMc6a6A0bAcdBM090eo5JB1.exe

MD5 5b423612b36cde7f2745455c5dd82577
SHA1 0187c7c80743b44e9e0c193e993294e3b969cc3d
SHA256 e0840d2ea74a00dcc545d770b91d9d889e5a82c7bedf1b989e0a89db04685b09
SHA512 c26a1e7e96dbd178d961c630abd8e564ef69532f386fb198eb20119a88ecab2fe885d71ac0c90687c18910ce00c445f352a5e8fbf5328f3403964f7c7802414c

C:\Users\Admin\Pictures\WUAGGju0i3yPEjsoJcJMrxF0.exe

MD5 38783b735530ec3595f8cfc57704e0a4
SHA1 297d2424423506702a6f42fff06b37a89a9fc8e6
SHA256 95d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d
SHA512 980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f

C:\Users\Admin\Pictures\7Jloo403NPf7I4gPKDCa99AS.exe

MD5 384a85dc78e3a70405e6f43b1b4c3eff
SHA1 389edb8fe727154200b755f8630cc2e4f412ff7d
SHA256 05586a0378f018a7b737e8fba731ee382777205dba15d5ea97323aef32efd5c6
SHA512 bc8dd48b8881c94e49c777ca19190e338527681191052074c68819e48016b0c325cf62a748da7e610b8ad0b8ee6c5199634f25c6b5dc18631864bc6741444c36

memory/4136-40-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DA9JQ.tmp\7Jloo403NPf7I4gPKDCa99AS.tmp

MD5 4a607c9064c51c4d0a06ef4ccb3a2fde
SHA1 5f62f2f02c20ed2b5602faf5a846896439a6cb97
SHA256 47a5acb1426e2e182dfc78121d907b384c2d70306d4e20e0dcb690154aa9faa4
SHA512 9468f2d7bb7cc26cbca9aff55cf9250260b8a98d863c9eced303436d4f3ce2d2e5127a27dc2335df2661f909eb5994afad99b9a1f5c05674689e3d2febfb7e02

C:\Users\Admin\AppData\Local\Temp\is-P59UQ.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/656-46-0x0000000002200000-0x0000000002201000-memory.dmp

C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe

MD5 bc08e67b94b11746f182cb0ba04bcadb
SHA1 dde094a51001a45bff038c60606b337c3e6cd29d
SHA256 552ea7ab33e15376011367ac58f528332e0ccc02c8b24af2631ba1e89412af11
SHA512 1eafb0a4d6f7c814d257617aee384322013e7131bc14c437855079f07b3f81dc07651994f78fe4a6a48ad22235c7f608841b59fda48dd31fff5b1e6ce7e13d11

memory/996-77-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/996-76-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/996-78-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/996-81-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2052-84-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/912-86-0x00000000006A0000-0x00000000007A0000-memory.dmp

memory/912-88-0x0000000000400000-0x0000000000437000-memory.dmp

memory/912-87-0x0000000000590000-0x000000000059B000-memory.dmp

memory/4480-89-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/4480-90-0x0000000005790000-0x00000000057A0000-memory.dmp

memory/3448-91-0x00000000022E0000-0x00000000022F6000-memory.dmp

memory/912-92-0x0000000000400000-0x0000000000437000-memory.dmp

C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe

MD5 6d3ddbcc4f4e4ba1e68019a2a8e61a6c
SHA1 bc8dcacc5f39d305461562caf1f592f8fdfcf525
SHA256 3c4fc184f36fe129f7863829c5f2aa187056ab6d54f8ae190657feb2fd2d25d7
SHA512 cfd91c725fe05b76a3469de4617233b5c5e3cfa577ca452d29866661df6c10dd5f5f91a9547556a57adae20cf46b9192dfdb337eebc4c2f04b18d228dbdf4d4d

C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe

MD5 834f158cb7015bc5cf054462333771f1
SHA1 06cb38f0195fb4516be489372ff89ddbab51ef19
SHA256 14a40df737b124b13d770bd659cf025e85aa70beb8547085ebd19b412655d506
SHA512 1af08d3e2ab28804ba23905795729a71bc3eba3ba926ff25bf66eff1d71b48653308470881825537753932f6598d13050fbfa8785ba589785d5c421cf7dc3563

C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe

MD5 48e1c5da36289cc425fce9b0787ef9f1
SHA1 6802f075c91b4cb28a0019f5ebd06406d1e1484d
SHA256 0c0a23bf639c828b83b52dc3712d5a51c7bf16686ae4d23988edabee2223f430
SHA512 3f9532e8fdd4e46baf6bc5c52b2404c8631106029fd2b2b6b4f04e94326ea38c3475f3669197aeadc1a68686e6ffc664ca7213f48cc0282cdd5ca638562bb09f

memory/4136-106-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1640-107-0x0000000000FD0000-0x00000000013D6000-memory.dmp

memory/656-108-0x0000000002200000-0x0000000002201000-memory.dmp

memory/1640-109-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/1640-110-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4640-111-0x0000000003280000-0x00000000032B6000-memory.dmp

memory/4640-117-0x0000000003300000-0x0000000003310000-memory.dmp

memory/2052-118-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/656-116-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4640-115-0x0000000003300000-0x0000000003310000-memory.dmp

memory/4640-114-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/4640-113-0x0000000005970000-0x0000000005F98000-memory.dmp

memory/4640-119-0x00000000060D0000-0x00000000060F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0vldbcgf.awr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4640-123-0x00000000061E0000-0x0000000006246000-memory.dmp

memory/4640-120-0x0000000006170000-0x00000000061D6000-memory.dmp

memory/4640-131-0x00000000063C0000-0x0000000006714000-memory.dmp

memory/4640-132-0x0000000006850000-0x000000000686E000-memory.dmp

memory/4640-133-0x00000000068C0000-0x000000000690C000-memory.dmp

memory/4640-134-0x00000000077F0000-0x0000000007834000-memory.dmp

memory/4640-135-0x0000000007B80000-0x0000000007BF6000-memory.dmp

memory/4640-137-0x0000000007C30000-0x0000000007C4A000-memory.dmp

memory/4640-136-0x0000000008280000-0x00000000088FA000-memory.dmp

memory/4640-152-0x0000000007E30000-0x0000000007E4E000-memory.dmp

memory/4640-155-0x0000000007F40000-0x0000000007F4A000-memory.dmp

memory/4640-154-0x0000000007E50000-0x0000000007EF3000-memory.dmp

memory/4640-153-0x0000000003300000-0x0000000003310000-memory.dmp

memory/4640-142-0x000000006EA40000-0x000000006ED94000-memory.dmp

memory/4640-141-0x000000006EDD0000-0x000000006EE1C000-memory.dmp

memory/4640-156-0x0000000008000000-0x0000000008096000-memory.dmp

memory/4640-140-0x000000007FC90000-0x000000007FCA0000-memory.dmp

memory/2052-138-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/4640-157-0x0000000007F60000-0x0000000007F71000-memory.dmp

memory/4640-139-0x0000000007DF0000-0x0000000007E22000-memory.dmp

memory/4640-158-0x0000000007FA0000-0x0000000007FAE000-memory.dmp

memory/4640-160-0x00000000080A0000-0x00000000080BA000-memory.dmp

memory/4640-161-0x0000000007FE0000-0x0000000007FE8000-memory.dmp

memory/4640-159-0x0000000007FB0000-0x0000000007FC4000-memory.dmp

memory/4640-164-0x0000000074830000-0x0000000074FE0000-memory.dmp

C:\Users\Admin\Pictures\IsGgrPfWzLiRLcI1GkALIqJd.exe

MD5 47051bd95ee81b33689e8d9a997868e3
SHA1 8420f1a99016eb42cf7aa9f10053713a2356e1fd
SHA256 48c90ba7fd07d53f0d02c78bdd4299d7408d0dc4ef34a90aca298b5e270cd0e7
SHA512 e6c26c437f7f1cc87ef8d5beea866bcf443fe06b243a1e1909036d7db4c11f85e7fbce0cad62f7e2551bb16970181a2c80e8b15abf9d5fe24f58017faee70a4e

memory/1640-166-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1640-167-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/3176-169-0x0000000000FB0000-0x00000000013B3000-memory.dmp

memory/3176-170-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2712-171-0x0000000074830000-0x0000000074FE0000-memory.dmp

memory/2712-173-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/2712-172-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/2712-183-0x0000000005F80000-0x0000000005FCC000-memory.dmp

memory/2712-184-0x000000007F230000-0x000000007F240000-memory.dmp

memory/2712-186-0x000000006EA40000-0x000000006ED94000-memory.dmp

memory/2712-198-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/2712-197-0x0000000007040000-0x00000000070E3000-memory.dmp

memory/2712-196-0x0000000004A90000-0x0000000004AA0000-memory.dmp

memory/2712-185-0x000000006EE30000-0x000000006EE7C000-memory.dmp

memory/2712-199-0x0000000007350000-0x0000000007361000-memory.dmp

memory/2712-200-0x00000000073A0000-0x00000000073B4000-memory.dmp

memory/2712-203-0x0000000074830000-0x0000000074FE0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/5092-205-0x0000000074830000-0x0000000074FE0000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5c855c93bc700485843fa70d354f6625
SHA1 890757e1af1d87f3a1f1f959b6c46a574d841125
SHA256 2ffa2196ffbb4bd62debd7ea81ff52796270a95bb5ad41aec32b0a62c5d99b52
SHA512 ce4e3c47bd1e53f9104e4b1cb038d64062021d8f5d398419cd2281d747389d08399780e37c0de83522722a44f14908399d8dbf40cce34f632a2df179b51a27ff

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f47d150047538b9acb484cb1051b5a98
SHA1 d5971ae1c5918a8917592608381faa13f309fb7f
SHA256 30caa3009e5211891fe7c20ef027792254d7d4d3357c5259e4a5f5677e7eb116
SHA512 e46d9c6b6f5d4a3d8b9a25b50122ce713e01266a02329abd6e978fbf22a18009f1c020e88a25ec3c1a92c26d2ad2e065831cb153b6e5d2e811cae0196f999d3c

C:\Windows\rss\csrss.exe

MD5 8bb391edaa934118785acab7cfd3ca44
SHA1 811ca7b8c0bb42d5acf64fdc94ad9967e1f54086
SHA256 e7fd006c3dc713f412bc66177e49cd851f5881d94a45bd41710a9800a4716539
SHA512 16c3cc8795b52b5d3a2891e8d53a8a27e34fa34f8fe6f8a9c456412f8242ebe091616e344b814be31f975e0bb2a9ddf4959b81c3a121fd728a4d288a27973d64

C:\Windows\rss\csrss.exe

MD5 4777f647bab1bfbf97d0a2c0114a297f
SHA1 58db98b5cca3f9fd244871bc8cf79c58d16fa6f5
SHA256 912de65d4895b7dab10c3e95e721e7de859bf408d90ef849ec84def4f86c798a
SHA512 3dddd72d76e3eeda7c059cbf8c48eec04451e0e733b0245df81910ae8a93aeaeabc89b8a9ef364b6e9f9a93a7b8bbf49a42807ff16b8ba239ba51e6466ab3930

memory/3176-269-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2052-273-0x0000000000400000-0x00000000005B9000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6533d07c61da90f9c5607b45c46ccbbe
SHA1 09943ed4f834c32bbedcd5b00bdeb39ea46e68d2
SHA256 17570b65f5843fbe9c0f5b2e67f8ac7d68cdf156b9b07aba9fc577916c9e543c
SHA512 b28e042770f44edea27d5f7bd454cc6f6f31febca98d0b4816898f2aa223b0752c5b3cec1a564b8a42c0516d97ed1ef1613e8e507eb81b3d27f9d675800eee4d

C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe

MD5 041b836221b2ab7a15973598c5818ac4
SHA1 67a1e1b29758d82b01ec9bdf9b0b2b6a81eb1040
SHA256 e749cf008ef068572ae939404d3b685a40a86f1804289bc2481a435021f7665e
SHA512 4954ea1c86991ba655d1ee9bd0af387c4418a99fa86acf20435d1e80af803d29e4c6669e6db1421895c8abcf0d9dc0c59b55af53b86744cec34a7fef09949841

C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe

MD5 834b668664f9e26697d6681ce2f8c0c4
SHA1 bf3aa5893da9d97d27cdc9a84e9e74e91dc22555
SHA256 4a7cf88f3d2fab9d689443a32a9b02867c707542f36ae57cb796e2e425d15560
SHA512 82a17da4b22afa2adcbd8e66ed8350e025ef40702ecf38de48348d162a793415160e4d892fa4c94e11e2a79e1d50e58e4fe3a8cbcda41f82f9620e19f6d5da7b

C:\Users\Admin\Pictures\TGXiSJLzcb5QPbsV5SG2Q1gF.exe

MD5 1276364611db8d4137baa58872f02ea9
SHA1 5dcc4fc2e7d577f859c0d1a4079c33be90953d57
SHA256 fc92270acbff28b305682daeee0fda487d9100f6665652acaabfe6c9c277807c
SHA512 6dd4704e41a92001dec1eb6a1d9b8dca5467429bbdeb2ca5e2259f5253c5b0060c5c6bf7df91d02e29f4d4286bef44661afcb4d0d795717a80e77261436238df

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 dba6db51ea13e585aee6136021836641
SHA1 591b41e2249cc40a9523680a2d1b162ba238c0d8
SHA256 6223c0847ecdb1f05b88fafe144aee708e65933e094c70016ea51f3d2b89bc81
SHA512 8201c37ada5306aebe6f87ce8967f1fc4c85a6105b5851ec0204a5538f54b9223637dadcfb64f81ab40b8c001c6ecaebdb90e62bf7734e41c4b540ca141b4f98

C:\Users\Admin\AppData\Local\Temp\nsm98E6.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bceff11e773c96c2f5f462ca3d2c88eb
SHA1 e26234866dbdb3ebb4fd608a664f986f38c5f6aa
SHA256 c94df1eb5b9f077f6402d0e824c2969950380377e3be5a0cc8e281bb6e029fbe
SHA512 c1ca0b58072f28d28663ccc98d17a9debfb6ea1eed10340563ec053bb5ad790983d7554aa5e4fbf338ba67271b570a549df6564623bf7293160f52965eb3c4c7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b1a0ac18d1959aa3f1756ef43d3e3d86
SHA1 63a2e6204ffa57fd555deb65021276e1542ff4f2
SHA256 b47f239904a0205039b73512c365c47487aeadd32846e9ce1e6b2901766545ee
SHA512 466455eef62f25cb6a7c9724b6a409dac3bbd7d1d284f528550cc5c54bcc97e3047e32d13ae4be32eacd447adf5da1cd3a78e2b9f48b1421dac860b72c502f36

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-11 02:04

Reported

2024-03-11 02:07

Platform

win7-20240221-en

Max time kernel

97s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YIRRWdnIpYd8unYMirHavugp.exe = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables (downlaoders) containing URLs to raw contents of a paste

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Widnows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I0KX09drahZ2FdkzlqegSnEd.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SvlQGjIXLS432im7TnEnvEAN.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O1FD6jbnmm0u45czZPNWub4r.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7BZfGNqZlCqH8uUi6p0WiuYe.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CcJcMUt27LwTmVawNu6Xdysu.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
N/A N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe N/A
N/A N/A C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe N/A
N/A N/A C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe N/A
N/A N/A C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe N/A
N/A N/A C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E09.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5E09.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 45.155.250.90 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\YIRRWdnIpYd8unYMirHavugp.exe = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\1f4d7f25-42d4-46bd-83f4-9a73456d6e5c\\5E09.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5E09.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A bitbucket.org N/A N/A
N/A bitbucket.org N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Modifies boot configuration data using bcdedit

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240311020518.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp N/A
N/A N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
N/A N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
N/A N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
N/A N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
N/A N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
N/A N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe N/A
N/A N/A C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\syncUpd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2940 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2176 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe
PID 2176 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe
PID 2176 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe
PID 2176 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe
PID 2176 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe
PID 2176 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe
PID 2176 wrote to memory of 2848 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe
PID 2848 wrote to memory of 3032 N/A C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp
PID 2848 wrote to memory of 3032 N/A C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp
PID 2848 wrote to memory of 3032 N/A C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp
PID 2848 wrote to memory of 3032 N/A C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp
PID 2848 wrote to memory of 3032 N/A C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp
PID 2848 wrote to memory of 3032 N/A C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp
PID 2848 wrote to memory of 3032 N/A C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp
PID 3032 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 3032 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 3032 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 3032 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 3032 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 3032 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 3032 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 3032 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe
PID 2176 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe
PID 2176 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe
PID 2176 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe
PID 2176 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe
PID 332 wrote to memory of 2348 N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe C:\Windows\system32\wbem\WMIADAP.EXE
PID 332 wrote to memory of 2348 N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe C:\Windows\system32\wbem\WMIADAP.EXE
PID 332 wrote to memory of 2348 N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe C:\Windows\system32\wbem\WMIADAP.EXE
PID 332 wrote to memory of 2348 N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe C:\Windows\system32\wbem\WMIADAP.EXE
PID 2348 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2348 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2348 wrote to memory of 2284 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 332 wrote to memory of 1964 N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe C:\Windows\rss\csrss.exe
PID 332 wrote to memory of 1964 N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe C:\Windows\rss\csrss.exe
PID 332 wrote to memory of 1964 N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe C:\Windows\rss\csrss.exe
PID 332 wrote to memory of 1964 N/A C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe C:\Windows\rss\csrss.exe
PID 1964 wrote to memory of 1796 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1964 wrote to memory of 1796 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1964 wrote to memory of 1796 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1964 wrote to memory of 1796 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2176 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe
PID 2176 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe
PID 2176 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe
PID 2176 wrote to memory of 2720 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe
PID 2176 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe
PID 2176 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe
PID 2176 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe
PID 2176 wrote to memory of 1512 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe
PID 1512 wrote to memory of 2084 N/A C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe
PID 1512 wrote to memory of 2084 N/A C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe

"C:\Users\Admin\AppData\Local\Temp\2a362d6d3bceaf1159bc245499a778f1ab9c229c3cbd4be4c63a582a716a4c80.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe

"C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe"

C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp" /SL5="$50164,1507995,56832,C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe"

C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe

"C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe" -i

C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe

"C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe" -s

C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe

"C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311020518.log C:\Windows\Logs\CBS\CbsPersist_20240311020518.cab

C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe

"C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe

"C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe"

C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe

"C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe"

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\wbem\WMIADAP.EXE

wmiadap.exe /F /T /R

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\FEAA.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\5E09.exe

C:\Users\Admin\AppData\Local\Temp\5E09.exe

C:\Users\Admin\AppData\Local\Temp\5E09.exe

C:\Users\Admin\AppData\Local\Temp\5E09.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\1f4d7f25-42d4-46bd-83f4-9a73456d6e5c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\5E09.exe

"C:\Users\Admin\AppData\Local\Temp\5E09.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5E09.exe

"C:\Users\Admin\AppData\Local\Temp\5E09.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\171f9991-a54b-44c0-ad96-fd53ab9f1aea\build2.exe

"C:\Users\Admin\AppData\Local\171f9991-a54b-44c0-ad96-fd53ab9f1aea\build2.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.169.89:443 yip.su tcp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
US 8.8.8.8:53 midnight.bestsup.su udp
US 8.8.8.8:53 namecloudvideo.org udp
US 8.8.8.8:53 net.geo.opera.com udp
US 15.204.49.148:80 15.204.49.148 tcp
DE 185.172.128.126:80 185.172.128.126 tcp
NL 185.26.182.112:80 net.geo.opera.com tcp
US 104.21.65.148:443 namecloudvideo.org tcp
US 172.67.171.112:80 midnight.bestsup.su tcp
US 141.98.235.153:80 galandskiyher5.com tcp
NL 185.26.182.112:443 net.geo.opera.com tcp
US 8.8.8.8:53 shipbank.org udp
US 172.67.146.202:443 shipbank.org tcp
US 8.8.8.8:53 58d7be8c-d47c-4108-9c6e-c93c99b9a092.uuid.statstraffic.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
DE 185.172.128.187:80 185.172.128.187 tcp
US 8.8.8.8:53 trad-einmyus.com udp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
MX 187.134.61.6:80 sdfjhuz.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 172.67.139.220:443 tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 172.67.139.220:443 tcp
US 8.8.8.8:53 server3.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 sajdfue.com udp
US 8.8.8.8:53 stun.stunprotocol.org udp
MX 187.134.61.6:80 sdfjhuz.com tcp
SR 190.98.23.157:80 sajdfue.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
SR 190.98.23.157:80 sajdfue.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 tcp
US 141.98.235.153:80 trad-einmyus.com tcp
BG 185.82.216.104:443 server3.statstraffic.org tcp
BG 185.82.216.104:443 server3.statstraffic.org tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
SE 45.155.250.90:53 behwlfu.com udp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 8.8.8.8:53 bitbucket.org udp
AU 104.192.141.1:443 bitbucket.org tcp
AU 104.192.141.1:443 bitbucket.org tcp
US 141.98.235.153:80 trad-einmyus.com tcp
US 141.98.235.153:80 trad-einmyus.com tcp

Files

memory/2176-0-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2176-2-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2176-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2176-6-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2176-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2176-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2176-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2176-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2176-14-0x0000000074620000-0x0000000074D0E000-memory.dmp

memory/2176-15-0x00000000045F0000-0x0000000004630000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar1AC8.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe

MD5 384a85dc78e3a70405e6f43b1b4c3eff
SHA1 389edb8fe727154200b755f8630cc2e4f412ff7d
SHA256 05586a0378f018a7b737e8fba731ee382777205dba15d5ea97323aef32efd5c6
SHA512 bc8dd48b8881c94e49c777ca19190e338527681191052074c68819e48016b0c325cf62a748da7e610b8ad0b8ee6c5199634f25c6b5dc18631864bc6741444c36

C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe

MD5 c3ac6073b2ce09a0b81fe65edc26f4ab
SHA1 06262a48ce8afdf18a2417d4e2aa594ced1af715
SHA256 5ac103b301cb8a30942c4915d4605699f1bede42710c15ba4b8acfed2d251ca8
SHA512 fe7ce70f53c853668db667266dffbb1990311f08d228a90f4641291349990f3c60977847ed13ac8f2ff4eed363b066af1ee200114f0d8b8186c3f518916ee2a3

C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe

MD5 02006bc3a694265a51369bbb425bdc65
SHA1 4087ccb7d78266d17814f12ece47a5d45cfc3eae
SHA256 ae6e0fa9bc1b70f1089931640c6bcf89197124c6e353163382171a69be8fcc07
SHA512 bd7069e90116bc8a899486e84d057631f5f75c28d1afeed7897ca8f77cbb3892803b4a6683abc8335c387b470d6213d35cefe237aaf18291f312ff4455049375

memory/2848-86-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2848-89-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-HM0D9.tmp\ShQxDCTWTNI0V0Xt4BheU4V8.tmp

MD5 4a607c9064c51c4d0a06ef4ccb3a2fde
SHA1 5f62f2f02c20ed2b5602faf5a846896439a6cb97
SHA256 47a5acb1426e2e182dfc78121d907b384c2d70306d4e20e0dcb690154aa9faa4
SHA512 9468f2d7bb7cc26cbca9aff55cf9250260b8a98d863c9eced303436d4f3ce2d2e5127a27dc2335df2661f909eb5994afad99b9a1f5c05674689e3d2febfb7e02

C:\Users\Admin\Pictures\ShQxDCTWTNI0V0Xt4BheU4V8.exe

MD5 7f52273359865f1c3e59937ec74a0330
SHA1 bd2ea23e525be0fbaaf1b382d0c5bcd027e70cc4
SHA256 b8923eda03e2a4f2f19b534520c7fbd868f94666b11add21da3921427c8d01c9
SHA512 f80d27bb41a4f627a021a4577c67aa3820b42ac51ab7de3999f326b0f402509c3edab39ae71d49a0a5581b0246e7ced1772a0026c8d68a11b3a8e5183dd86c80

\Users\Admin\AppData\Local\Temp\is-0S8H3.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-0S8H3.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3032-95-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe

MD5 5e9c1e7701f31798ae4a3139d3aa95fe
SHA1 ce4cf61850a1531b431ad08627f0dff888393447
SHA256 8f791442415aa826db3f235d608e29f85806cd88abe8735754772ca1f26dfb35
SHA512 3417c0d2ea1fcd49f42ed824b7007e31e28fc86a7195f627c7bfa139b9bd39c3231dbd42c661b50f660e0bbfc2c77e1d25fdf1303dba24bab1a8b78cc47bd13c

memory/3032-129-0x00000000034F0000-0x00000000036A9000-memory.dmp

memory/2708-130-0x0000000000400000-0x00000000005B9000-memory.dmp

\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe

MD5 37926e7f88300a496b453b48e5b2dcca
SHA1 2db6f21bdcd45a7d38dbb7d7f90d85b97fe7a5ac
SHA256 59ca01130fb3da9f85bbe57c0a11d26537e91ad8ef0753778d3d2a5b8e0498fd
SHA512 910acb85b389f63279c7e5a8c57e0257b9b9a6ef185c09c0ede9c9db3fcf7a8c136b2d6ff3f689171c88ae872b6c4d54191fbf40388a0eec7a19ba05d54c86e9

C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe

MD5 4706fe5ab8b20fc36b1ef86e4da3d53a
SHA1 d7064452e22969e69ec96732de74caa4777618bc
SHA256 dc8d268f195fa5709026ed00858b398c8e5598f993f4cfe0a0a20cdb0484f568
SHA512 cc97a31bb8b250143216062ccaf5d8192e20e89e2419988a8b718e5eae5e221af693c5dabb47be639da6290583b77fa8a768ca83f1906e4a2bfd55020cf01fd0

memory/2708-135-0x0000000000400000-0x00000000005B9000-memory.dmp

C:\Users\Admin\AppData\Local\Baby-Clock\babyclock32.exe

MD5 7edfdb5d685a2ba3fb7df8a03f14c2de
SHA1 e24c8d04cb3302c3e0653c4942a5dabb94e6c564
SHA256 53d0e3cfc59edabc7da8a30317275173880ff7a63ffe1f0eb483268c3dee916c
SHA512 135f909df0fb70b89f0b157252bc3b658e88a3967daf3f573c4fd7d13411ef0c168736640c91da321d45901cc5ac175c69bbb5ef3e220bbde41d762789ce53d8

memory/2832-137-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2708-134-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2708-131-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2832-139-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2176-140-0x0000000074620000-0x0000000074D0E000-memory.dmp

C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe

MD5 94f5122a5a535486bb2652053b5d1616
SHA1 47578fee8dae220289b3393c3c234a9b59f4396b
SHA256 f91ab90c41bb771825f19f36a3a363468f48db70aa6012d9dc2ec771fdb437f7
SHA512 ae92b800faacc1866020bb95f41dfa13b73c0720592e98242a7786280dfedc0bbb54206712b48363d09a1619274baa0c8b0c4c3718047de8b50a7eb3d5dd0d0f

\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe

MD5 3063543d615a8375bd66b69d56deee54
SHA1 acbed44f26f1d9e5aaae56365bbdedb2489741be
SHA256 81d9150730e6873c54f77627807da289e7d9b752916346f52e4a4cf9b083d7a3
SHA512 8dc61af708e57b7d02c7616f75bdd0bc4f7f20b4195c0e39248d69c5716b93d342f58bb4fb4f53c85f7041ef61e56fab31889b63073dd174b2c2aab716bd1ef4

C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe

MD5 547164788362566501475b7e968c1520
SHA1 6ed32f320fe0b8e8afc51fc0c93c6d13945c908a
SHA256 dcc1442112e22392e434d85bec99b435a0e04358daefb30292b0ea9bd11eeaf2
SHA512 8e69057b197773aa2757f0b9aef46505bd410947fe9d79f130e9bfa7a81a3b0a97d233d0b39329c70276922db13edc930d6b8bb44f7921525ebd7e25ec03e4b4

\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe

MD5 19eff2ae7b71787e9dea83fe6204a49a
SHA1 83c4cbe6e6d2e5564c288267b7e889fee54446dc
SHA256 08345d1bcea795b5d3200237a07a753be8826e8a66e4dc71fa27d4fae9d058e9
SHA512 8f939e44ddcd82381656d07a6b455a630b9819ae3cb8b9ed1cf6ed30057e9fbb15f2badb9acfc4ee6adf28c69085ab2a1119ff4f98ace58457904a5fd7865f26

memory/1228-214-0x0000000000F90000-0x0000000001388000-memory.dmp

memory/2176-215-0x00000000045F0000-0x0000000004630000-memory.dmp

memory/1228-216-0x0000000000F90000-0x0000000001388000-memory.dmp

memory/1228-217-0x0000000002AB0000-0x000000000339B000-memory.dmp

memory/1228-218-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe

MD5 3605b20dcf8844c53711f473255f2988
SHA1 6482a80dc0637bebbd923edf221cd20039eb180a
SHA256 bf5f42cd3a983474521669b939a7095feaa423f2c9a046a47142159d3eb7286b
SHA512 b2ee73bd37602a247cc2a6dfd66391e22f108f2343c6d980899cd5f10be8b9f54d0cb6e2ff469131a2245e1d58c430db7d322967bbb06afbd51f29139b92406a

C:\Users\Admin\Pictures\YIRRWdnIpYd8unYMirHavugp.exe

MD5 589ac8d244643e93a89a099241fb969a
SHA1 6d0f43903f3f8f677fe66bdc8aa85efea3af8147
SHA256 5859dcbffe92efecd149add2ed101a677105d1fd0cc5c450daf9fb5424192571
SHA512 572aad22c972edeb64ae3981c59666068701a928afa6111a8e26f9d56a91d81b60d57f6a028c8adf47a39bd1cefa56e37b89150fe206c447bacf5e5bc381bd2f

memory/1228-221-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1228-222-0x0000000002AB0000-0x000000000339B000-memory.dmp

memory/2848-223-0x0000000000400000-0x0000000000414000-memory.dmp

memory/332-224-0x0000000000E10000-0x0000000001208000-memory.dmp

memory/3032-227-0x0000000000240000-0x0000000000241000-memory.dmp

memory/332-228-0x0000000000E10000-0x0000000001208000-memory.dmp

memory/3032-226-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/3032-230-0x00000000034F0000-0x00000000036A9000-memory.dmp

memory/332-229-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 2f43b939af0d63409fc8272361de7034
SHA1 c6d2ae28497a1ade5e0216b85899d3d9f0e6dd5e
SHA256 994284dc9a34fdf5fab2e927a49b62bcf2d0ee8d78b091ea3560d517a12fd5a6
SHA512 bd2b6d88887ee32c69e68374ce27410eb49639ea9041a237dc4893a12e92c8aaf7d1258a3b852cefc08608ecc7e4a2980e8cd00002db090bac1a077865493dd9

\Windows\rss\csrss.exe

MD5 1d00ceafd9fefb3826a4b6f2de597d00
SHA1 1df8552b4a12c6959d63cb9bdaa3a911474a2c16
SHA256 19aed36a80d0ff92fc80f252edd661c6882fde0abce6ba4cb16d1b229a02f7aa
SHA512 0d0a986aa22f96ef94e0f57da315158682a7936b4d3e0270146104190f39ccd905e8e8ff9b3a3426c2276303c78f9408fd41296541bd41813b98a25e18c8a27a

memory/332-238-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 0112773f91309f6ae3fdc3532b75bfe9
SHA1 e1e16c85b46623fe507c2dd4d819ea3996e42a58
SHA256 faa6748ad2f18759b78f2ba843fc87cd758387dbfa48cdf39f0282383eb7afe7
SHA512 768065c9088b96d0654f473573bbcfeecd5ec0e18f63a63f32f8c4b4efd65525e16d5883941bac5cf89351cbaabe37a0b817486f57c9d1557a4d34ef285960d9

memory/2832-240-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/1964-241-0x0000000001000000-0x00000000013F8000-memory.dmp

memory/1964-242-0x0000000001000000-0x00000000013F8000-memory.dmp

memory/1964-243-0x0000000002B20000-0x000000000340B000-memory.dmp

memory/1964-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 945c3e364e620681ed69c725b915e9c6
SHA1 83e923146a693f5b61c120ce3fd2d0c2f15038bb
SHA256 fb376a6ba5852b77e439c50f24e3fdcb202c0db2aed7979ff2820359d3d3ff18
SHA512 2d482e8f469064facf60bf18e2534cb050f5b1b79977e2adc5b245f79d46c999a0639be7c09f253edd23a307425bfec4d138779c7bb05f351c339e869c9bae84

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 bf09c5706f680da50a2ee9cc166a946c
SHA1 e021e2fe5ea541c15f449fcff0f639bd26d76e5b
SHA256 854de3c3e4c16bbbb4978fc3e2b31555978760b80d04cd9ca309f45302171f48
SHA512 913221a8f6c4569a0e7f1d8806d8cf4c39a1565a97b79e2d409b6142113edeb65ef7ab4563e39886ead222653db98a9f04dbc066938d70c8163d970ce596b2fc

memory/2572-265-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 dfdf78b4a3138c46a153d0a170c83888
SHA1 a480fd29dd09468d4d003cdd5486eaa8d3c0f34f
SHA256 48697aed59ae10f92ca8f60dfabe68f99444218adaa7eb731cb027c0976b15b6
SHA512 46b3514acf0a4baef77611049ab3aa9dd80f7df467cf0ea36b88cff0bb75da0268587aa40e8bbb01bcefb09e037602b17deaf4a60060e4541fb1fba1e5c1c3d1

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 4c8ccf65d3553a75d3f8ec851d0dc9d2
SHA1 03846a747412c1a8116d43a8e08d25a38e16b5d9
SHA256 9f6ed1984b6f43f9c9b3299588db66be9cc7452f16dc30a7d3d7e72e2869fa0f
SHA512 cf32c3225108417e680e596b2925cd2e55249e2a480d9e1b304268c974c701133a0483a6fa744e8749eda1261e532b37ee0c689800b24607e85e775078c51c7c

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 bd76e372e38d73bd1f53cf21537c3c47
SHA1 ab689946b13f875b5b2aa4a2b4aea277d4a52790
SHA256 f5741a49172e2b31a9935448e7946eb8e44692ecd739c60eb71c9a863f3bfd81
SHA512 12c682b474c5d92a81e2efe202a93117fbcf622786f847dbe4f2f9b4b101baf249f29d8443d1c83586d957b7693a5943da15b96d0fbfdf4d0b5104cb9e0145d7

memory/2572-257-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 1a2d7a2075189abd362dc94273a6f88b
SHA1 dcc1feebabc6f59c0d8097282bfc053ec8ed0304
SHA256 22be3ecd496a59fbb3f092d22aed8a5bd46b3dea9894c50141e773edd12b04b4
SHA512 d19817b1a12058691d51426b5fbd2ebbfbd6bb5c109f298d3a76788c6b92ac8662f39f644dda6788b6d3451e36fe4f2894f8fbc0b056473285632fd355f97af2

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 de1b1200a3afd01e26dd19eac0e20751
SHA1 ed0b26247bf1dd77fc41be8a2da159e29027b431
SHA256 c03cc24109839a6f05e2e7e7c641212c9d7089b209dcc6db1bf0bf38123546c1
SHA512 39b9c73ab41da949f7479483a284016face02c4eaf9490ef116944de74833c85ae68db501790403a896b6e57e2adbdb01d92440f043dcbf8d3097d2fc62527c6

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 bf1c87d474ec995cda51cf7b541dd1c4
SHA1 2fa3b0b9d46167eb473955e7f3ecb83bc3f2ca3b
SHA256 599ed9b613f2e9681c8e72fab7f77e8d086c368d177f7be5dd57c77e993bdf58
SHA512 d8b42b89f142c92af1d0a7c36ac7209b3c95ec37349287cf9580bc286bec23978850c274a27805ca87dd4961ec0fceffe5fb936291df844c9ac69a526e47e13c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 74c672f43b877116a14238aa85e83152
SHA1 976d730aba16ed9d4089fe8297094bd497ef0f43
SHA256 6accbe4b6634eef5133de29d1cc052cbb5b18fd6791aaa1673031309978c2a47
SHA512 b7db6cf94cd12ebb90bb8087a6474bce37aa06ed97e026e3d5a1e8329fa0cbf38e688368cc713542c547cc24673379ad7d08adbbd9bf8ab8ff9bbf0118bf0503

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 1b98f54ed359f5d9eac1c1829cbde137
SHA1 604fd05857c88a23da9e5b95dfbf41fcb2736799
SHA256 36e37ca1f221213ec6713d780041b65a67377d3a12830ba44e90e6dd588014d6
SHA512 b4fd39705f4bef7686ed7a97a9743e8ea62b2eace674f04acc390943d485688c32625b7f0419e511c48eb19b36ac04676cfad59ef78b2e06b8457a80ee94854a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fa56337afa4a5e94e46e9453390832ab
SHA1 fb8df44076f499dddc3a34f2714a4ceacb5dd611
SHA256 69de0ac7c6cba9b16e68306c07ca69843415592f5914d92cc551638641fc89fb
SHA512 ec9a183ed916aaa0e8b7be1486fc85579a103d664f72f5a48868890e6c26f772a278c158e342fc16639eb0fe8c51b32875c086e5399b2f864b7c54f0156526fd

C:\Users\Admin\Pictures\qZw9gCkvY2cyu5RL6OUqAQxt.exe

MD5 38783b735530ec3595f8cfc57704e0a4
SHA1 297d2424423506702a6f42fff06b37a89a9fc8e6
SHA256 95d772adaee04f58f13c59ab65bcbefe9d6d6b2fc9b0f5fb6b4304902c5b2a8d
SHA512 980ff17ecdd36f1efbaced0b9599d4032eb4b27d5836c7d9d26828e478a75c73f4604bb568052aacc7519a54feb517efbf475e4d2610d8af6dbd4d6afb45fb4f

memory/1964-311-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2832-310-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/2720-314-0x0000000000400000-0x0000000000437000-memory.dmp

memory/2720-313-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2720-312-0x00000000004F0000-0x00000000005F0000-memory.dmp

memory/1964-318-0x0000000001000000-0x00000000013F8000-memory.dmp

memory/2720-320-0x0000000000400000-0x0000000000437000-memory.dmp

memory/1204-319-0x0000000002E00000-0x0000000002E16000-memory.dmp

C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe

MD5 be975acda811c79510c440175ed87eef
SHA1 29162fc97ec979b1fbc9c75b73da471ead6b8c7e
SHA256 c32e60ba4dff576f7c205d180e2048cc19ed4d01b05e16ab08ba1fffafe84a15
SHA512 359ae00d1613654bcd0cb77a017114bc8f7b864b5ad57ed80bcaf7d2a927f7612ee4249520682ab7fd20ffae459c5c369890f26a9ab50217dbd157c1e79af4c2

C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe

MD5 7ec7653aa4e6147088486c82b1f16948
SHA1 2fdb4fd9e3346a36cdd490bcd8a359732d5d8ba8
SHA256 9f619b515da8416a991f194ba93c66f6ee3dc7b7474488318390d77d976c5697
SHA512 84ffa6bb80f50e58801288c687be2c096053a141a7cc5d8c29f905db1995d44afe0218532606d18c094d34222fafc4a7fec1de7bf4e685ba043318a4f4b0da76

\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe

MD5 b1c2a96b55dd1a545bfeb578602d23e2
SHA1 d7bad5009b1ef34458aa6992e917150ea293a25d
SHA256 e97f1628dc82ae81a75ceeded34899dca252f263ba7056744fdf38d297fbdb96
SHA512 b3d8367e193b24641efd5ff88b74a2edbde93c0ef5b6a95218d741a307329e5b62b80ffdb124e0cc0fafc741c824c07c96e3a6e47f3b92b5b7c94497e892afb3

C:\Users\Admin\AppData\Local\Temp\syncUpd.exe

MD5 dba6db51ea13e585aee6136021836641
SHA1 591b41e2249cc40a9523680a2d1b162ba238c0d8
SHA256 6223c0847ecdb1f05b88fafe144aee708e65933e094c70016ea51f3d2b89bc81
SHA512 8201c37ada5306aebe6f87ce8967f1fc4c85a6105b5851ec0204a5538f54b9223637dadcfb64f81ab40b8c001c6ecaebdb90e62bf7734e41c4b540ca141b4f98

\Users\Admin\AppData\Local\Temp\nsy9CBE.tmp\INetC.dll

MD5 2b342079303895c50af8040a91f30f71
SHA1 b11335e1cb8356d9c337cb89fe81d669a69de17e
SHA256 2d5d89025911e2e273f90f393624be4819641dbee1606de792362e442e54612f
SHA512 550452dadc86ecd205f40668894116790a456fe46e9985d68093d36cf32abf00edecb5c56ff0287464a0e819db7b3cc53926037a116de6c651332a7cc8035d47

C:\Users\Admin\Pictures\Hvo54wQpTk2Zaartr75uv9kR.exe

MD5 8f8e00334f376dd2cf5ac5676d0dec07
SHA1 ed051c656e127b5c7e7902c4be091ac173d09c5a
SHA256 c8f8dca555de6f83fe35418e4bbf11867b5662e3547932aa20260e0b3b2dcd28
SHA512 f15ff0f48d9a57af07ad431e39b4a619a29fb8f4a12f1a2e0f711d122833a47e71366c6233b7b2b53eb3819ddcf812b0062d58050d3c61389fb688ea6fcf20e9

memory/2084-349-0x00000000001B0000-0x00000000001D7000-memory.dmp

memory/2084-350-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2084-348-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/1964-365-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2832-366-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/900-367-0x0000000000240000-0x0000000000241000-memory.dmp

memory/900-368-0x0000000000400000-0x0000000000930000-memory.dmp

memory/1964-369-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 39db1f048e59772b2e959f5ed3d81e93
SHA1 ece3f95d7d5b33ecafae60dc77d854d34e2f4717
SHA256 5c486747c989b2247cfcde48770a666b8ee7ad58d3219128f43e2501b50e21db
SHA512 96eeb6d29f67c6a75b46111fab8fbed71a31da18cb2ec3b871f795fd80b3a2185469e0598249adc029ba471a58cda49b76aa854cb9fb30e01b69117b9226ee7e

memory/1512-363-0x0000000000400000-0x0000000000459000-memory.dmp

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 0e49af7d23e040f40122222fb30ef25a
SHA1 25b7537e1a8965fe0fe4838989b2850be6bfb115
SHA256 ebd87906c5e88f1c9a4e7737965e076b294fbb91ba7412a222279138530fe539
SHA512 91e6587afb940fb71f9fad1d0e10cb0e82a81ca739722da849cde0f6fc4bb027afed3b232168a0356dbda9efb4f0c317f618df54e0d60cdfb475e77048f5856b

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2084-378-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2832-385-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/1964-386-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/900-387-0x0000000000400000-0x0000000000930000-memory.dmp

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

memory/2084-399-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/2832-400-0x0000000000400000-0x00000000005B9000-memory.dmp

memory/1964-401-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/900-403-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FEAA.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/2084-416-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2832-450-0x00000000022C0000-0x0000000002364000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5E09.exe

MD5 bf207a5378b11e29266d26781dc53d18
SHA1 ba5784e8bc599a8a9632c04a205855d24eec3bda
SHA256 3b7a9c218f8b0a193a1da544bd60021610a95f5e892ddcb64bf8a0541f9552ed
SHA512 a35e37308b8f78b2b749d90310e97616ad4749cbf385680d1b46751b1f0737da9465112fa34ba360f99fdd3f9cd66b9753d6b7405c987fb1a66f960c2f63dbb3

memory/2604-478-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2604-484-0x0000000000500000-0x000000000061B000-memory.dmp

memory/2408-486-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5E09.exe

MD5 76febe1530e4d17de81250f66d5afcf1
SHA1 969ade56190ee78d3cd85be770f285ba5aaf1733
SHA256 0cd3e70297f5d3b9cc5ba1c1c94727be078242a65d30aa70d34323b93531fcb2
SHA512 2ca43af73ddb3bf8420580b15155c1e91741dad439dee0dad3ed21f8bc87136707b82236c689b195147c7db47dcd72adf6f859b7eb24cdb2ee66653239c820f1

\Users\Admin\AppData\Local\Temp\5E09.exe

MD5 40de37394faae9b934cb13923b066c84
SHA1 9ea190d11ed21577c1a3e2a5501ff1da14caa7cb
SHA256 65df538d7aab69a3ddb77eb69130e87f4f5ad05a80e53f6774053cb0fc4b9c12
SHA512 9528a69c91a36a28372f3bfba3c6338e66d678b259adbc81f7471755381a5f712980cc51e1d0234513305401444b253a5fa992197ba9c053eb966149a9cef190

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f6ad8f254c04e8002169f0f20335013
SHA1 dd3be2cf2c4cae0b67571a3013f72432a42a00c1
SHA256 41528ec262e1bd02c25b5dfe010c6ad8a3d8c5b2e2e12e46594472c29c14b649
SHA512 39bdf1927cf1a3251a0381fe227dbea7ebf7c5df0b19c73f55409d943a9579bc398c6d66ea74c0a39ad027754210623d0a0befbea123dc47a0e98a1e8d9ac5b9

\Users\Admin\AppData\Local\Temp\5E09.exe

MD5 5f1ec9a01c2f34e4611bb0fce047c429
SHA1 5f2d37543e9acda83991f9c457bbe3e9d6956c86
SHA256 36489062743c784cd576d08c03aa6baebcf6dc7e940c15ac26aeda07767406f3
SHA512 11ac3f8a3a51262e31800cb36351f4232a550d58efa942dae5535f36da80f07a84096bb5e279e0628dd5279b1913a5ac967cecff4a2bf160f6184e709fe16076

\Users\Admin\AppData\Local\Temp\5E09.exe

MD5 5229726473f703e157d62571324d3296
SHA1 a9e757bc28b767d51ca871e3f50f9168e724323c
SHA256 5ad4205bda8a12489094c80009a315332c9f35d0de10be60499c3a9aa3b8a512
SHA512 a6d75afba99fbf7a0579a34e06e21ca802fd66436232fd8ebdcd826d6e2f53da0697cd096d00e372ed9ad7c2e01dc546b6d81b85233a1f5cfd4d92af82cdc41a

memory/1548-516-0x0000000000310000-0x00000000003A1000-memory.dmp

memory/1548-517-0x0000000001E70000-0x0000000001F8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5E09.exe

MD5 714de3eeaf2eb51505d875fed4424108
SHA1 44dee5510ca077d74456787a69b8a7912fe07df8
SHA256 976b43cc3626d59c82c96fc97b693a8112078e3d75100dcd02482446d49cd65c
SHA512 4f4fa886b814b52929946824c397874d4ea098ee9b36556df373ecc205cd4674139cf6f96f4b3d30754edd49319c70d8d825c7ef69e25f9cde0e1067506ff2df

memory/344-525-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2832-515-0x00000000022C0000-0x0000000002364000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5E09.exe

MD5 600e477d327c657c45d4323ec0ea0c4e
SHA1 c14779f223d5f34b9b5f4f4b794b70c4a8f0edbc
SHA256 ae9e3f28e8dd7aa705edb0a8379b4cd551b347defc16be2e416cd7ddcb6a62e4
SHA512 ec9ed8640562ac54e614a242feec69c3775f0b4a8ff032fc92059ad8d3b37d705eea394426c29ac953c5144b6488c827d645dcf3b24efe3aeb73526f9c51dd41

\Users\Admin\AppData\Local\Temp\5E09.exe

MD5 79914efa2dbd04bd5d101c64b4be87c7
SHA1 4b94d7f486f81807f40ebfba9def4f29f72ee262
SHA256 32f057dde65317d444fec16887556ec1a855a4be6cca91c3bc4f80891f42bfdc
SHA512 215207be6eaea4527c4cc847c43de2fc2f55696d5dd62f9d9cc512f1de166da5e5d8a32f103261b60c400d3b5caf33305c9ac1ae6727be61418bba269f174967

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 60d36fe902909f5cd31034a273c20597
SHA1 7e16b8136c9bf6f7f2ee68759da534c078389757
SHA256 b0fec153cb22199918904412ec25f96cb1daac0c72403009475b8763f5f156bc
SHA512 ab3713ebb07d63371b76e83efb6b7c78e88079124dff1ab0e8267bc508a55285b107a1465695c77b6a23ee16b22c512503a06c8528e0bb2a11745ca2819de452

C:\Users\Admin\AppData\Local\171f9991-a54b-44c0-ad96-fd53ab9f1aea\build2.exe

MD5 d37b17fc3b9162060a60cd9c9f5f7e2c
SHA1 5bcd761db5662cebdb06f372d8cb731a9b98d1c5
SHA256 36826a94f7aabd1f0d71abc6850e64a499768bd30cab361e8724d546e495e35f
SHA512 04b0fcc597afba17b8be46eacee58c7e8d38c7efa9247ab5b3cbf1ae3ed8dc2e6e909b7dab28b2a41f08fb37e950abb6ca97553adf0e20335c6864d942bef6ea