Malware Analysis Report

2025-01-02 11:19

Sample ID 240318-fnfbcahe7y
Target a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669
SHA256 a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669
Tags
dcrat djvu glupteba smokeloader vidar 82df9629d6ef6fc7fe54d6eb2bc6137b pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat stealer trojan lumma stealc zgrat spyware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669

Threat Level: Known bad

The file a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669 was found to be: Known bad.

Malicious Activity Summary

Glupteba

Lumma Stealer

Stealc

Detect ZGRat V1

Detect Vidar Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

DcRat

Detected Djvu ransomware

Glupteba payload

Windows security bypass

ZGRat

Vidar

Djvu Ransomware

SmokeLoader

Downloads MZ/PE file

Modifies Windows Firewall

Modifies Installed Components in the registry

Reads data files stored by FTP clients

Windows security modification

Executes dropped EXE

Deletes itself

Reads user/profile data of web browsers

Modifies file permissions

Loads dropped DLL

Drops startup file

Enumerates connected drives

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies system certificate store

Modifies data under HKEY_USERS

Enumerates processes with tasklist

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Runs ping.exe

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Checks processor information in registry

Checks SCSI registry key(s)

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-18 05:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-18 05:00

Reported

2024-03-18 05:06

Platform

win7-20240221-en

Max time kernel

302s

Max time network

307s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\94aa767c-f57b-4fc6-8a4d-55f687a3c830\\FAB.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FAB.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BF.exe = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BF.exe = "0" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\94aa767c-f57b-4fc6-8a4d-55f687a3c830\\FAB.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FAB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\BF.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico C:\Windows\explorer.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240318050408.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\BF.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\BF.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) C:\Windows\rss\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
(10 further identical SeShutdownPrivilege entries for C:\Windows\explorer.exe)
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege, which the sandbox does not name) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 (LUID 33 = SeIncreaseWorkingSetPrivilege, which the sandbox does not name) N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\BF.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
(42 further identical FindShellTrayWindow entries for C:\Windows\explorer.exe)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2712 (3 writes) N/A N/A C:\Windows\system32\cmd.exe
PID 2712 wrote to memory of 2692 (3 writes) N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1204 wrote to memory of 2844 (4 writes) N/A N/A C:\Users\Admin\AppData\Local\Temp\FAB.exe
PID 2844 wrote to memory of 1780 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\FAB.exe C:\Users\Admin\AppData\Local\Temp\FAB.exe
PID 1780 wrote to memory of 1996 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\FAB.exe C:\Windows\SysWOW64\icacls.exe
PID 1780 wrote to memory of 1788 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\FAB.exe C:\Users\Admin\AppData\Local\Temp\FAB.exe
PID 1788 wrote to memory of 2492 (11 writes) N/A C:\Users\Admin\AppData\Local\Temp\FAB.exe C:\Users\Admin\AppData\Local\Temp\FAB.exe
PID 2492 wrote to memory of 2928 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\FAB.exe C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe
PID 2928 wrote to memory of 944 (11 writes) N/A C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe
PID 2492 wrote to memory of 1776 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\FAB.exe C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe
PID 1776 wrote to memory of 1600 (5 writes) N/A C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe

"C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\AC46.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\FAB.exe

C:\Users\Admin\AppData\Local\Temp\FAB.exe

C:\Users\Admin\AppData\Local\Temp\FAB.exe

C:\Users\Admin\AppData\Local\Temp\FAB.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\94aa767c-f57b-4fc6-8a4d-55f687a3c830" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\FAB.exe

"C:\Users\Admin\AppData\Local\Temp\FAB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FAB.exe

"C:\Users\Admin\AppData\Local\Temp\FAB.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe

"C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe"

C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe

"C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe"

C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe

"C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 944 -s 1424

C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe

"C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe"

C:\Users\Admin\AppData\Local\Temp\35E1.exe

C:\Users\Admin\AppData\Local\Temp\35E1.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\3CC5.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\7C55.exe

C:\Users\Admin\AppData\Local\Temp\7C55.exe

C:\Users\Admin\AppData\Local\Temp\BF.exe

C:\Users\Admin\AppData\Local\Temp\BF.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2128 -s 124

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x58c

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240318050408.log C:\Windows\Logs\CBS\CbsPersist_20240318050408.cab

C:\Users\Admin\AppData\Local\Temp\BF.exe

"C:\Users\Admin\AppData\Local\Temp\BF.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 sdfjhuz.com udp
AR 181.99.122.153:80 sdfjhuz.com tcp
US 8.8.8.8:53 www.uniqueweb.co.za udp
ZA 41.76.110.156:443 www.uniqueweb.co.za tcp
ZA 41.76.110.156:443 www.uniqueweb.co.za tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 104.21.65.24:443 api.2ip.ua tcp
AR 181.99.122.153:80 sdfjhuz.com tcp
US 8.8.8.8:53 sajdfue.com udp
AR 190.224.203.37:80 sajdfue.com tcp
AR 190.224.203.37:80 sajdfue.com tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 167.235.207.130:80 167.235.207.130 tcp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 valowaves.com udp
US 104.21.51.243:443 valowaves.com tcp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
NL 195.20.16.82:443 N/A tcp
NL 195.20.16.82:443 N/A tcp
US 8.8.8.8:53 www.upload.ee udp
FR 51.91.30.159:443 www.upload.ee tcp
US 8.8.8.8:53 triedchicken.net udp
US 104.21.91.214:443 triedchicken.net tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 carthewasher.net udp
US 172.67.161.113:443 carthewasher.net tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
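The table above mixes DNS lookups (udp/53 to 8.8.8.8) with the connections that followed them, and a host appears once per event. Two rows carry no domain at all and one row's domain is its own IP address, which means those addresses were hard-coded in the sample rather than resolved. The example below (editor's code, not part of the report) collapses an excerpt of the rows into one record per host and tags it with the triage class an analyst would assign: external-IP lookup services (api.2ip.ua is what the report's "Looks up external IP address via web service" signature fired on), file-hosting and CDN services used to stage payloads (the "Legitimate hosting services abused" signature), a Tor hidden service reached through a .onion.ly clearnet gateway, so the sample talks to Tor infrastructure without carrying a Tor client, direct-to-IP connections, CA infrastructure contacted by CryptoAPI (the CryptnetUrlCache entries in the Files section are the matching artefacts), and the Microsoft public symbol server. The class lists are the editor's; the symbol-server class is here because the Files section also shows dbghelp.dll, symsrv.dll and several ntkrnlmp.exe copies dropped into Temp, which is what fetching kernel symbols looks like, though the report itself does not say what the symbols are used for.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Excerpt of the Network table above (constructed from it, rows kept in report order).
# The report leaves the Domain column empty for the two 195.20.16.82 rows; they are written here as N/A.
NETWORK_ROWS = """\
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 steamcommunity.com udp
GB 23.214.154.77:443 steamcommunity.com tcp
DE 167.235.207.130:80 167.235.207.130 tcp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
NL 195.20.16.82:443 N/A tcp
NL 195.20.16.82:443 N/A tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
"""

ROW = re.compile(r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$")

# Triage classes and the hosts behind them; these lists are the editor's, not the report's.
IP_LOOKUP = {"api.2ip.ua", "api.ipify.org", "ip-api.com", "ipinfo.io"}
ABUSED_HOSTING = {"cdn.discordapp.com", "drive.google.com", "www.upload.ee",
                  "steamcommunity.com"}   # Steam profile pages have served stealers as dead-drop resolvers
SYMBOL_SERVER = {"msdl.microsoft.com"}
CA_INFRA = ("identrust.com", "digicert.com")     # AIA/CRL/OCSP fetches made by CryptoAPI
TOR_GATEWAY = re.compile(r"\.onion\.[a-z]+$")    # <onion name>.onion.<tld>: Tor2web-style clearnet proxy


def parse_rows(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        rows.append(m.groupdict())
    return rows


def classify(host):
    try:
        ip_address(host)
        return "direct-to-ip"          # nothing was resolved: the address is hard-coded in the sample
    except ValueError:
        pass
    if TOR_GATEWAY.search(host):
        return "tor2web-gateway"
    if host in IP_LOOKUP:
        return "external-ip-lookup"
    if host in ABUSED_HOSTING:
        return "legitimate-hosting"
    if host in SYMBOL_SERVER:
        return "symbol-server"
    if host.endswith(CA_INFRA):
        return "ca-infrastructure"
    return "unclassified"


def summarize(text):
    """Per-host view: was it resolved, where did it connect, and which triage class it falls into."""
    hosts = defaultdict(lambda: {"resolved": False, "conns": []})
    for r in parse_rows(text):
        key = r["ip"] if r["domain"] == "N/A" else r["domain"]
        if r["proto"] == "udp" and r["port"] == "53":
            hosts[key]["resolved"] = True
        else:
            hosts[key]["conns"].append((r["ip"], int(r["port"]), r["cc"]))
    out = {}
    for host, h in hosts.items():
        out[host] = {
            "class": classify(host),
            "resolved": h["resolved"],
            "connections": len(h["conns"]),
            "dns_only": h["resolved"] and not h["conns"],   # resolved but never contacted: dead or sinkholed
            "ips": sorted({ip for ip, _, _ in h["conns"]}),
            "ports": sorted({p for _, p, _ in h["conns"]}),
            "countries": sorted({cc for _, _, cc in h["conns"]}),
        }
    return out


if __name__ == "__main__":
    for host, info in sorted(summarize(NETWORK_ROWS).items(), key=lambda kv: kv[1]["class"]):
        print(f'{info["class"]:20} {host:40} {info["connections"]}x {info["ips"]} {info["ports"]}')
```

The unclassified hosts that remain after this pass (trad-einmyus.com, sdfjhuz.com, sajdfue.com and the other plain HTTP destinations in the full table) are the candidates for C2 and payload-staging indicators; the classified ones explain themselves and mostly should not go on a blocklist, since blocking drive.google.com or msdl.microsoft.com breaks legitimate software.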

Files

memory/1736-1-0x00000000005A0000-0x00000000006A0000-memory.dmp

memory/1736-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1736-3-0x0000000000400000-0x0000000000477000-memory.dmp

memory/1204-4-0x00000000039F0000-0x0000000003A06000-memory.dmp

memory/1736-5-0x0000000000400000-0x0000000000477000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC46.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\FAB.exe

MD5 9afae1e5aaf1ffd9a39aef0bfc360f1c
SHA1 25412f0e7aa8fa4584bfbfef5dee0746a07a0f4d
SHA256 b90d1767ecd240187bf3814f38b22a6254f72b89d046c99c9f1a6b7aa6a5d4f5
SHA512 44c1a4c2e17f067db01827432660328c2fa2536d31561594f7711c29999074ef39e1b98edeb268574921c52a11d081dbb9368e579ea2155756c4e4cf53e57761

memory/2844-26-0x0000000000500000-0x0000000000592000-memory.dmp

memory/2844-28-0x0000000001E80000-0x0000000001F9B000-memory.dmp

memory/2844-27-0x0000000000500000-0x0000000000592000-memory.dmp

memory/1780-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1780-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1780-36-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1780-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1780-58-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1788-60-0x00000000002F0000-0x0000000000382000-memory.dmp

memory/1788-61-0x00000000002F0000-0x0000000000382000-memory.dmp

memory/2492-68-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2492-69-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0fb83292a6190a38b8b44f50fd97f709
SHA1 1b8c217779da5dfa37e72b79e6b5bfbba505896a
SHA256 5e8bda4df54e2c095a153bad4c526516a92ff45b7513b92f8827414e49458fa3
SHA512 68e4e0aeec5d5dfc6fe7d7b1913614df0af02c6e410d5a020fa8e059f8e2a78eaddee06603f847b132806d5da8214da85917e775b1fe3ad602a4bde84dcd4e7a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 30e368f8801f641c0643e3e8ed13e6cf
SHA1 c8c1f507fe61e9c6765295d5257a32035134028b
SHA256 78b36c0768c634396635e73f1cc47415f3fcc9a223131f1d801c0fb4bc840f3e
SHA512 6873c135a320f9caf90748cd90d684605322a798407b28cf63506881d52bd67bb6334f7d961616c4059a188ae3617648f84d8d7d4ca30663cd32b8c1fc3edb57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 70857a52684aed0daca38f0fee0282c8
SHA1 4d2e664c6dae3908a2f7baa780d35d8e0c36a010
SHA256 9d922fa24a57b9419804dd8ecf7ed8cacaa2fe523d5e6368f8d552972f5d5a16
SHA512 8dcb89ee31204f664d2dc3982e24f2e8099106cd5b5f351502adc7a6159131e16f0c1fc53c9ced3eaf59298f569ee5fcdda67778a496e3772ebf0f1743873bf5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7ee53bc6e7586744d28a22440282643f
SHA1 b8a703f0bd90316b208ee5ae9f342f593518ac03
SHA256 58f79db18a49e33a1e82ca525ba3b49c1a1d2584898b199006ae69ccb263bffb
SHA512 77efb68a4d2ec36afc38bfa7de52680125d5f9d180c3c73272addfe9b1f952d80b53fcf66ac5ff62c0145381fc2cec19f85f3f5de343f9c3c781f3e4d88430f0

C:\Users\Admin\AppData\Local\Temp\Cab3B9A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2492-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2492-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2492-87-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2492-90-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2492-89-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build2.exe

MD5 47704f454af8641dac1af2e2768d7881
SHA1 e3341bfdec84f69684aecde18cab2864519c7728
SHA256 a6a9375dd6e3b285bc6d65536a151a47dd136aced8180492f5ed6a391edf0d64
SHA512 9aea598ee30342a88fedf5eca2b104e8c5587cd284bd43229581b04497c60e6a71e5392a171a5dfbe88a2e41269434922e21c3f7f9682e2ea10b27b104606b25

memory/944-105-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2928-104-0x0000000000800000-0x0000000000900000-memory.dmp

memory/2928-107-0x0000000000230000-0x0000000000261000-memory.dmp

memory/944-108-0x0000000000400000-0x0000000000644000-memory.dmp

memory/944-111-0x0000000000400000-0x0000000000644000-memory.dmp

memory/944-112-0x0000000000400000-0x0000000000644000-memory.dmp

memory/2492-113-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2492-124-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\33b0ff83-bafa-40af-9c9a-832a3bb7f209\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\Tar59F4.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar5C6A.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

memory/1776-184-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1776-182-0x0000000000960000-0x0000000000A60000-memory.dmp

memory/1600-181-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1600-185-0x0000000000400000-0x0000000000406000-memory.dmp

memory/944-192-0x0000000000400000-0x0000000000644000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\35E1.exe

MD5 00d3d15bddcdcb12d2b3415635a3778b
SHA1 6d07775acd0435589ed3c0e2563b063c19cb706b
SHA256 2c0ac289c78b3438d6662555818a2a159baff4d9d447fcb4ed15517fcad7b251
SHA512 318d901e4310cd3bd8361bbd341311005d05b57591c35d74eab5553f8d0f8479d664b27f2f606f013a40b46f7e0d09e8564f9cff1b7bc76853b77d4a508249f1

memory/2128-214-0x00000000002F0000-0x0000000000FD5000-memory.dmp

memory/2128-227-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2128-230-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2128-234-0x00000000002F0000-0x0000000000FD5000-memory.dmp

memory/2128-233-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2128-237-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2128-232-0x0000000000080000-0x0000000000081000-memory.dmp

\Users\Admin\AppData\Local\Temp\7C55.exe

MD5 c00114cd21c605efb9f433a0a026d92d
SHA1 91266036843eb217edba0ab5728a1ea4e0577597
SHA256 1fc7c3d55e038721889650c9cdf34b34a302892586756d2f2e4d8b3b9d1ecc9f
SHA512 b98bd8ac8cd00cc574b61d96cebf0937796d880505567e63d11febaa1dcbceade0a725ab8051c5581a7922f7e37a71147e002c8e181fdc9da641e28ae6246a46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2dbcde154784dd29a071ebe70f215400
SHA1 1d9d7206c102a66b93b4a092bb35fcdaa9bdbf97
SHA256 3cdf2e044ed45e7192e280a81bd8b331926ebc71fe579e1a5e97abf1aaae423a
SHA512 b2f5d428d82ded18d0cbd1396486c3bba5dee10d71e936450bac78827962f66a6cec4e1c9a3d638602422de8f59a70c43402da6ddf33b6438e56e3b0568a48f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18f342db7bf388a61d2438eef33779d7
SHA1 70b44d8a0f8abb9a51c97d4fe7c0ecadd80a968d
SHA256 9ea1f07776b717ca54e5cfa26cecea828f9bed9cc308374a75ce53a14f517048
SHA512 1f1d5e0682661903e8e8fe7f8c3687d16f2787e2c24159ad96c03a95985e2306b6725f63558b91cb22c74271579edace41396dc727ee0bdec268d2ef6440aa3d

C:\Users\Admin\AppData\Local\Temp\BF.exe

MD5 18451e629b555a1792e7033e81d7e170
SHA1 2567dc75290f6854d7670bb0f0db2c034ea88666
SHA256 35c5391e67f45c635d47a12264d279180003f0d2378dc03de7c268b98ef88df1
SHA512 bcb8fcd0bd5e0d1e304a5b1a7f33ebe2d36a7cfefd321a3f188befddbb2252abac2050b8be2374f66df59acf98480032a51e835b313c246acd5578e250f2f517

memory/2052-356-0x0000000002640000-0x0000000002A38000-memory.dmp

memory/2052-357-0x0000000002A40000-0x000000000332B000-memory.dmp

memory/2052-358-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2128-360-0x00000000001E0000-0x00000000001E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\35E1.exe

MD5 77852c53759b2c953027cab542ec51e9
SHA1 c3d8d36d99e5178897e61103002d43edf56fb9a8
SHA256 a5d1dcdc1e4aab187913489fc2a997397b8ba7e2a26ff91f969d64fa90902088
SHA512 cdda4e690ae2ef99093037218032145aea3cf6b67d32008f46bd9d8a58248e64aed8947506751356e9861eb0c6d9d78d230acf8d2d0bdf32937f1ac5a7c00986

\Users\Admin\AppData\Local\Temp\35E1.exe

MD5 9e52aa572f0afc888c098db4c0f687ff
SHA1 ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA256 4a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512 d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62

\Users\Admin\AppData\Local\Temp\35E1.exe

MD5 21259b589c498c73ff64f3f52e5f0f1f
SHA1 2849e84ae9d4628edb919a441cb8d723121f0733
SHA256 552b3752553666bfab557271659ff11968fbffa72130b12ab21d51f9212b8263
SHA512 964396160a4b1d8fbf2d8450dedce059118ff58a9d13741572748a924425e8d17d75a080656790ffd8f247e95284d956d3b3ce482fcbe344e87905fe6cd78027

C:\Users\Admin\AppData\Local\Temp\BF.exe

MD5 1cfc57f78aa40c737bc85f48b4e8c68e
SHA1 60379d9bfb7205b24aa3faa7e5e2305a34c2c43e
SHA256 fb16a0642b4ad6a192ffd053f7511edf9827c665289e1ac9ac0ee99dcc327656
SHA512 c81ebdeebb0303df2b1a6c8838c4b471a8a69922eae116fc6ed6f74ce6acf5783363eb87c4ce3d2657f4ba08916fc3151a9de55e4dd52fb65ed03d5c471e29d8

memory/2052-369-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2428-384-0x00000000025C0000-0x00000000029B8000-memory.dmp

memory/2428-385-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1212-387-0x0000000004270000-0x0000000004271000-memory.dmp

\Windows\rss\csrss.exe

MD5 363510f38e2a03ca1560f18a41632df8
SHA1 571fb78ec53495025b305c19a058bcbf2560759b
SHA256 8255d70d31ee91d3fe39d2afad4ae91cb4c1194080e15812d0c3ec07e464d969
SHA512 384cc1a6a28dfe06ea5ad41090f940fc829eb7c6f865963dba615b09eccb3bb967b1a240a192968b67b578e5a97a6d70dc01b0be6ae1305bbdc11b125fff43b8

C:\Windows\rss\csrss.exe

MD5 0007c87c3be80582157c775489efea2e
SHA1 101fbf91e85a8f3eb2550d42e90bb66562cb30b7
SHA256 4f5841784853d08f39c563fd51202c9067e2a0bcd647c2e5d41e8ce541ee98f9
SHA512 8d46f0da5a8274a2f46396dfe8afb69e5dbb16d3a15733ef0ac1dc803ff90263888bbfc53df8d609ec076625cc4ed86e870edfcd5ff8424f8dd33ad0416c29b1

\Windows\rss\csrss.exe

MD5 1cd5c9a7b01911b28b167987c9e822b2
SHA1 c999d26b1f7a5f97cb2aac9a88bdfb5fa6478c0e
SHA256 b47f1783fc2d793d1ed6e8b0d5b4d0802e5c658228c4ea125f37e8054936f9be
SHA512 fe90b1dd096c51c375b5e9878c3371d08a0b10dc90c9614c4634f5b54bdf7a37f69ebce7d5c846037695104d1d47cff64d73cf34bb9a2fff9c090d38c8a743fb

memory/2428-397-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2372-400-0x00000000026C0000-0x0000000002AB8000-memory.dmp

memory/2372-401-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 1447669070e9338158bd188954477739
SHA1 03c7da5d50dd1439b57f9335e1b07c3fb85b6494
SHA256 4a449d206777534b5f5169a3686e2f414da0e2bf9fc358b79566053c691f28da
SHA512 9790c42ecca69995e727e30cd870603cbc24e6e0a4009245eeed52caaa11ec34e8938d5408b7fea441bbfe818e95a4d9a86c755e68a9c03caee39adae4349bf5

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 897c371f0a435e6bf8df7cf3b04606bd
SHA1 a93f9aca0b3eb22b419ab0490eeb01318f52c9aa
SHA256 35fef4ef1ac40cc6d7e52722898737d395c331f4b7a257cfa930831a53f950a2
SHA512 2d32906fa7d534695e3036107d25f694c1db9b7c8a307e4eabf28ff263286ff168e93c18b575d1cdbd4ff81c694a0df8ba211e9c53ada9dc15db830467d1456c

memory/2988-409-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

memory/2988-423-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

memory/1212-488-0x0000000004270000-0x0000000004271000-memory.dmp

memory/2372-490-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-18 05:00

Reported

2024-03-18 05:06

Platform

win10-20240214-en

Max time kernel

277s

Max time network

295s

Command Line

C:\Windows\Explorer.EXE

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1440 created 3392 N/A C:\Users\Admin\AppData\Local\Temp\674\Http.pif C:\Windows\Explorer.EXE
PID 1440 created 3392 N/A C:\Users\Admin\AppData\Local\Temp\674\Http.pif C:\Windows\Explorer.EXE
PID 1440 created 1448 N/A C:\Users\Admin\AppData\Local\Temp\674\Http.pif N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\D77D.exe = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url C:\Windows\SYSTEM32\cmd.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\D77D.exe = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\2717123927\3950266016.pri C:\Windows\explorer.exe N/A
File created C:\Windows\rescache\_merged\1601268389\3877292338.pri C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
File created C:\Windows\rescache\_merged\4032412167\2900507189.pri C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\D77D.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133524060308000891" C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3356371483-1660115160-1611493187-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\C0F7.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\674\Http.pif N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\674\Http.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\674\Http.pif N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3392 wrote to memory of 5068 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3392 wrote to memory of 5068 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 5068 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 5068 wrote to memory of 2824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3392 wrote to memory of 1076 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F463.exe
PID 3392 wrote to memory of 1076 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F463.exe
PID 3392 wrote to memory of 1076 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F463.exe
PID 1076 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\F463.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1076 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\F463.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1076 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\F463.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1076 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\F463.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1076 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\F463.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1076 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\F463.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1076 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\F463.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1076 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\F463.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1076 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\F463.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3392 wrote to memory of 2900 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CDCD.exe
PID 3392 wrote to memory of 2900 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CDCD.exe
PID 3392 wrote to memory of 2900 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\CDCD.exe
PID 3392 wrote to memory of 2096 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 3392 wrote to memory of 2096 N/A C:\Windows\Explorer.EXE C:\Windows\system32\cmd.exe
PID 2096 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2096 wrote to memory of 2600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3392 wrote to memory of 2436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F23F.exe
PID 3392 wrote to memory of 2436 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\F23F.exe
PID 3392 wrote to memory of 4496 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3E9B.exe
PID 3392 wrote to memory of 4496 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3E9B.exe
PID 3392 wrote to memory of 4496 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\3E9B.exe
PID 4496 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\3E9B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4496 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\3E9B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4496 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\3E9B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4496 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\3E9B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4496 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\3E9B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4496 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\3E9B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4496 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\3E9B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4496 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\3E9B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4496 wrote to memory of 68 N/A C:\Users\Admin\AppData\Local\Temp\3E9B.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 3392 wrote to memory of 4388 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B667.exe
PID 3392 wrote to memory of 4388 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B667.exe
PID 3392 wrote to memory of 4388 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\B667.exe
PID 4388 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\B667.exe C:\Windows\SysWOW64\cmd.exe
PID 4388 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\B667.exe C:\Windows\SysWOW64\cmd.exe
PID 4388 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\B667.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3984 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3984 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3984 wrote to memory of 680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3984 wrote to memory of 680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3984 wrote to memory of 680 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3984 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3984 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3984 wrote to memory of 2620 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 3984 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3984 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3984 wrote to memory of 2464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 3984 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4156 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4132 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3984 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe

"C:\Users\Admin\AppData\Local\Temp\a17cb3f0e417a2dd316f6367f1c55d33403a0fa66fa91d2f97970d38b9b62669.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CD72.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\Admin\AppData\Local\Temp\F463.exe

C:\Users\Admin\AppData\Local\Temp\F463.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1216

C:\Users\Admin\AppData\Local\Temp\CDCD.exe

C:\Users\Admin\AppData\Local\Temp\CDCD.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D09C.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2900 -s 1028

C:\Users\Admin\AppData\Local\Temp\F23F.exe

C:\Users\Admin\AppData\Local\Temp\F23F.exe

C:\Users\Admin\AppData\Local\Temp\3E9B.exe

C:\Users\Admin\AppData\Local\Temp\3E9B.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\B667.exe

C:\Users\Admin\AppData\Local\Temp\B667.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k move Jeffrey Jeffrey.bat & Jeffrey.bat & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 674

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Sitemap + Sublimedirectory + Cow + Rss + Josh 674\Http.pif

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Cdt + Thumbnail + Powers + Tamil + Capabilities + Novel + Cos + Breach + Canal + Hobby + Debut + Patricia + Neural + Translations + Fist + Able + Warner + Shapes + Ancient + Plans + Greg + Go + Drain + Mpeg + Necessary + Robertson + Islam + Generations + Trim + Around + Companion + Maiden + Kills + Eat + Brunswick + Ww + Determines + Login + Heads + Wv + Vampire + Consequence + Tba 674\F

C:\Users\Admin\AppData\Local\Temp\674\Http.pif

674\Http.pif 674\F

C:\Windows\SysWOW64\PING.EXE

ping -n 5 127.0.0.1

C:\Users\Admin\AppData\Local\Temp\C0F7.exe

C:\Users\Admin\AppData\Local\Temp\C0F7.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SYSTEM32\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & echo URL="C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CodeForge.url" & exit

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Tex" /tr "wscript 'C:\Users\Admin\AppData\Local\ByteCraft Systems\CodeForge.js'" /sc minute /mo 3 /F

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\D77D.exe

C:\Users\Admin\AppData\Local\Temp\D77D.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe

"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca

C:\Users\Admin\AppData\Local\Temp\D77D.exe

"C:\Users\Admin\AppData\Local\Temp\D77D.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\674\Http.pif

C:\Users\Admin\AppData\Local\Temp\674\Http.pif

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\svchost.exe

svchost.exe

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 197.159.94.81.in-addr.arpa udp
US 8.8.8.8:53 sdfjhuz.com udp
SL 102.220.249.156:80 sdfjhuz.com tcp
SL 102.220.249.156:80 sdfjhuz.com tcp
US 8.8.8.8:53 156.249.220.102.in-addr.arpa udp
US 8.8.8.8:53 www.uniqueweb.co.za udp
ZA 41.76.110.156:443 www.uniqueweb.co.za tcp
US 8.8.8.8:53 156.110.76.41.in-addr.arpa udp
US 8.8.8.8:53 theonlyreasonwhywe.pro udp
US 172.67.218.191:443 theonlyreasonwhywe.pro tcp
US 8.8.8.8:53 m2reg.ulm.ac.id udp
US 8.8.8.8:53 wisemassiveharmonious.shop udp
ID 103.23.232.80:80 m2reg.ulm.ac.id tcp
US 8.8.8.8:53 colorfulequalugliess.shop udp
US 172.67.185.152:443 colorfulequalugliess.shop tcp
US 8.8.8.8:53 191.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 152.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 80.232.23.103.in-addr.arpa udp
US 8.8.8.8:53 129.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 valowaves.com udp
US 104.21.51.243:443 valowaves.com tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 243.51.21.104.in-addr.arpa udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 114.16.185.192.in-addr.arpa udp
US 8.8.8.8:53 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp
US 8.8.8.8:53 59.39.141.209.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
TR 94.156.8.100:80 94.156.8.100 tcp
US 8.8.8.8:53 100.8.156.94.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 81.94.159.197:80 trad-einmyus.com tcp
US 8.8.8.8:53 drive.google.com udp
FR 142.250.75.238:443 drive.google.com tcp
US 8.8.8.8:53 238.75.250.142.in-addr.arpa udp
NL 195.20.16.82:443 195.20.16.82 tcp
US 8.8.8.8:53 82.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 gZrMmkMPXNMnXLftODCxOMCJtQlce.gZrMmkMPXNMnXLftODCxOMCJtQlce udp
US 8.8.8.8:53 www.upload.ee udp
FR 51.91.30.159:443 www.upload.ee tcp
US 8.8.8.8:53 triedchicken.net udp
US 104.21.91.214:443 triedchicken.net tcp
US 8.8.8.8:53 carthewasher.net udp
US 104.21.82.182:443 carthewasher.net tcp
US 8.8.8.8:53 159.30.91.51.in-addr.arpa udp
US 8.8.8.8:53 214.91.21.104.in-addr.arpa udp
US 8.8.8.8:53 182.82.21.104.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
FI 95.216.123.85:80 95.216.123.85 tcp
US 8.8.8.8:53 85.123.216.95.in-addr.arpa udp
US 8.8.8.8:53 xmr-us-west1.nanopool.org udp
US 104.238.180.207:10300 xmr-us-west1.nanopool.org tcp
US 8.8.8.8:53 207.180.238.104.in-addr.arpa udp
US 209.141.39.59:443 dham2fjg7wsuiqovkuaqkfc42rhfbctvzf4filsx5kq7iqvvd5n2tuad.onion.ly tcp

Files

memory/96-2-0x0000000000570000-0x000000000057B000-memory.dmp

memory/96-1-0x0000000000760000-0x0000000000860000-memory.dmp

memory/96-3-0x0000000000400000-0x0000000000477000-memory.dmp

memory/96-5-0x0000000000400000-0x0000000000477000-memory.dmp

memory/3392-4-0x0000000000C90000-0x0000000000CA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CD72.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

C:\Users\Admin\AppData\Local\Temp\F463.exe

MD5 1421ea7453ce9591f7e34fe27c60ec64
SHA1 323f57dc3e5162ce587193feb94523659bff6d7b
SHA256 0efbfc7d5a16c3aa07e8420ef2447e4bdd2dd7556e353f4d1d10d42a61d1a615
SHA512 5c6ab2729452157be0cfb715f298ae81db12e40c69b081734797fd0cee79470b5c5df127337e1bca31087f55167d764ab2287e08a3895917176464eb8761ed29

memory/1076-20-0x0000000000590000-0x0000000000606000-memory.dmp
