Analysis Overview
SHA256
b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c
Threat Level: Known bad
The file b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c was found to be: Known bad.
Malicious Activity Summary
ZGRat
RedLine
SectopRAT
Lumma Stealer
Stealc
Glupteba payload
Amadey
RedLine payload
Detect ZGRat V1
Glupteba
SectopRAT payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Downloads MZ/PE file
Blocklisted process makes network request
Executes dropped EXE
Reads local data of messenger clients
Identifies Wine through registry keys
Reads data files stored by FTP clients
Reads WinSCP keys stored on the system
Checks BIOS information in registry
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Manipulates WinMonFS driver
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Unsigned PE
Enumerates physical storage devices
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Checks processor information in registry
Modifies data under HKEY_USERS
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Uses Task Scheduler COM API
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-04-27 14:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-27 14:50
Reported
2024-04-27 14:53
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Amadey
Detect ZGRat V1
Glupteba
Glupteba payload
Lumma Stealer
RedLine
RedLine payload
SectopRAT
SectopRAT payload
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.2\run.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.0.exe | N/A |
Reads WinSCP keys stored on the system
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 984 set thread context of 4036 | N/A | C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3716 set thread context of 4352 | N/A | C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 832 set thread context of 4932 | N/A | C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4500 set thread context of 660 | N/A | C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4100 set thread context of 3836 | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.2\run.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 3836 set thread context of 1888 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3kc.0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3kc.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-431 = "Iran Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1662 = "Bahia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = … | C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.2\run.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.2\run.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3kc.2\run.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe
"C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe"
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 984 -ip 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 984 -s 884
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3716 -ip 3716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3716 -s 360
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 832 -ip 832
C:\Windows\SysWOW64\WerFault.exe
| Image | Command line |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 832 -s 356 |
| C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F |
| C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe | "C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe | "C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe | "C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe | "C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4356 -ip 4356 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 352 |
| C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe | "C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main |
| C:\Windows\system32\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main |
| C:\Windows\system32\netsh.exe | netsh wlan show profiles |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\404046346511_Desktop.zip' -CompressionLevel Optimal |
| C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | "C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe" |
| C:\Users\Admin\AppData\Local\Temp\u3kc.0.exe | "C:\Users\Admin\AppData\Local\Temp\u3kc.0.exe" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main |
| C:\Users\Admin\AppData\Local\Temp\u3kc.2\run.exe | "C:\Users\Admin\AppData\Local\Temp\u3kc.2\run.exe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe | "C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4620 -ip 4620 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4620 -s 1436 |
| C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe | "C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
| C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe" |
| C:\Windows\SysWOW64\choice.exe | choice /C Y /N /D Y /T 3 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3856 -ip 3856 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 2008 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
| C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe | C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe |
Network
Files
memory/1584-0-0x00000000005F0000-0x0000000000AAB000-memory.dmp
memory/1584-1-0x0000000077574000-0x0000000077576000-memory.dmp
memory/1584-2-0x00000000005F0000-0x0000000000AAB000-memory.dmp
memory/1584-9-0x0000000005020000-0x0000000005021000-memory.dmp
memory/1584-8-0x0000000004FD0000-0x0000000004FD1000-memory.dmp
memory/1584-7-0x0000000004FE0000-0x0000000004FE1000-memory.dmp
memory/1584-6-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
memory/1584-5-0x0000000005030000-0x0000000005031000-memory.dmp
memory/1584-4-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
memory/1584-3-0x0000000005000000-0x0000000005001000-memory.dmp
memory/1584-11-0x0000000005040000-0x0000000005041000-memory.dmp
memory/1584-10-0x0000000005050000-0x0000000005051000-memory.dmp
memory/1584-16-0x00000000005F0000-0x0000000000AAB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
| MD5 | 53e7a4369152d6d5ec3bd0e1d69d6b3b |
| SHA1 | 94a8527f7f9e19bd609cb6f15ce3ed8363b2f4c6 |
| SHA256 | b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c |
| SHA512 | b68b8c057bea204ecada99817bf2fb4d64d7a00d21c9bffcd01e6aa96851bf834154c8d3531b1369b7465831bf54b04f3a8aacd952a3bf6f1da3ac5cd813050f |
memory/3616-19-0x0000000000CF0000-0x00000000011AB000-memory.dmp
memory/3616-20-0x0000000000CF0000-0x00000000011AB000-memory.dmp
memory/3616-27-0x00000000053A0000-0x00000000053A1000-memory.dmp
memory/3616-26-0x0000000005350000-0x0000000005351000-memory.dmp
memory/3616-25-0x0000000005360000-0x0000000005361000-memory.dmp
memory/3616-24-0x0000000005340000-0x0000000005341000-memory.dmp
memory/3616-23-0x00000000053B0000-0x00000000053B1000-memory.dmp
memory/3616-22-0x0000000005370000-0x0000000005371000-memory.dmp
memory/3616-21-0x0000000005380000-0x0000000005381000-memory.dmp
memory/3616-29-0x00000000053C0000-0x00000000053C1000-memory.dmp
memory/3616-28-0x00000000053D0000-0x00000000053D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
| MD5 | 1c7d0f34bb1d85b5d2c01367cc8f62ef |
| SHA1 | 33aedadb5361f1646cffd68791d72ba5f1424114 |
| SHA256 | e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c |
| SHA512 | 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d |
memory/984-49-0x0000000000100000-0x0000000000152000-memory.dmp
memory/984-50-0x0000000073180000-0x0000000073930000-memory.dmp
memory/4036-53-0x0000000000400000-0x000000000044C000-memory.dmp
memory/4036-56-0x0000000000400000-0x000000000044C000-memory.dmp
memory/984-57-0x00000000024F0000-0x00000000044F0000-memory.dmp
memory/4036-58-0x0000000000400000-0x000000000044C000-memory.dmp
memory/984-59-0x0000000073180000-0x0000000073930000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
| MD5 | 31841361be1f3dc6c2ce7756b490bf0f |
| SHA1 | ff2506641a401ac999f5870769f50b7326f7e4eb |
| SHA256 | 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee |
| SHA512 | 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019 |
memory/4352-76-0x0000000000400000-0x0000000000592000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
| MD5 | 0c582da789c91878ab2f1b12d7461496 |
| SHA1 | 238bd2408f484dd13113889792d6e46d6b41c5ba |
| SHA256 | a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67 |
| SHA512 | a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a |
C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
| MD5 | 20ae0bb07ba77cb3748aa63b6eb51afb |
| SHA1 | 87c468dc8f3d90a63833d36e4c900fa88d505c6d |
| SHA256 | daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d |
| SHA512 | db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2 |
memory/1600-98-0x00000000000E0000-0x0000000000132000-memory.dmp
memory/1600-109-0x0000000004A70000-0x0000000004B02000-memory.dmp
memory/1600-99-0x0000000004F80000-0x0000000005524000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
| MD5 | b22521fb370921bb5d69bf8deecce59e |
| SHA1 | 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea |
| SHA256 | b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158 |
| SHA512 | 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c |
memory/1600-114-0x0000000004A10000-0x0000000004A1A000-memory.dmp
memory/4932-119-0x0000000000400000-0x000000000044E000-memory.dmp
memory/4932-120-0x0000000000400000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp6A43.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/1380-124-0x0000000000170000-0x0000000000230000-memory.dmp
memory/1600-138-0x0000000005630000-0x00000000056A6000-memory.dmp
memory/1600-139-0x0000000005E40000-0x0000000005E5E000-memory.dmp
memory/1600-142-0x00000000066C0000-0x0000000006CD8000-memory.dmp
memory/1600-144-0x0000000006150000-0x0000000006162000-memory.dmp
memory/1600-145-0x00000000061B0000-0x00000000061EC000-memory.dmp
memory/1600-143-0x0000000006210000-0x000000000631A000-memory.dmp
memory/1600-146-0x0000000006320000-0x000000000636C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
| MD5 | 0099a99f5ffb3c3ae78af0084136fab3 |
| SHA1 | 0205a065728a9ec1133e8a372b1e3864df776e8c |
| SHA256 | 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226 |
| SHA512 | 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6 |
C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
| MD5 | 8510bcf5bc264c70180abe78298e4d5b |
| SHA1 | 2c3a2a85d129b0d750ed146d1d4e4d6274623e28 |
| SHA256 | 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6 |
| SHA512 | 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d |
C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
| MD5 | 73f40e4d6b322bf4d7c8b18d120af5c7 |
| SHA1 | 533e7400d1264fe8fb740366e700c035224f83d1 |
| SHA256 | 9317408100896c9251defb1a2f2cfca2627ac72dce9f4d7f0d5c3bfdc736e179 |
| SHA512 | c1e2e2cfa9dc2f829c7bdda1af9dd432a19ff8f3818a1a3ad1b73d6f08f666cbf5cbfb6573e75a7cb0b5288aeccfda6927e5723337a0e822b892fb1d6f280260 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-540404634-651139247-2967210625-1000\76b53b3ec448f7ccdda2063b15d2bfc3_41e50f4a-4a76-42e1-a3df-51306e426307
| MD5 | 1d5bcd3abe7a46ab80b1c0c7e76cd8c0 |
| SHA1 | 515cff2c1e0b4e97e470877ebffa0bb647104b06 |
| SHA256 | 08d46dd1c5b042bec178632f41555a48656660c547cbe6508b92ce7bfe08ce09 |
| SHA512 | 747baa626e19fac52d89375b4951ff63660d111536e964143e1bb2d843435e84ef662c8f01e15a7dab48ee051feacdef3541a0bde4ea78c5bb00c4b93d851c0a |
memory/1380-205-0x000000001D340000-0x000000001D3B6000-memory.dmp
memory/2280-216-0x00000000000C0000-0x0000000000112000-memory.dmp
C:\Users\Public\Desktop\Microsoft Edge.lnk
| MD5 | 0967db99065ce852e9b1aa28b56cdba5 |
| SHA1 | 14d3cd1a5541b510f633deea2302ec99e3394f45 |
| SHA256 | 81019b7750f1f99805d98271db44c52005063ed2d7a4417c37f2344dfc6a3c33 |
| SHA512 | 64c95c5e6d80486699e8d45387772c506aaab24438d9d9daa67752ea4870393b29de3ada1bce348b6acea353240634ab2340f72f30bd5b35657309eaa5eaeafc |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | db32be56ec11d851d5110ba3d82b7f4e |
| SHA1 | b68abcf02691b0ed6c94283ba9d02cdfe9fb4521 |
| SHA256 | 1f55af67bdd8832187ef4a5d582fa78cb967a2cc7f8025a3e0c84a24c076d7ed |
| SHA512 | eccf7539f939e32000557ac6a7742d58f704ee3e49fb8c30742d83233bad9438c71afcae2cf89ceafa858c8ee07a8e4f83f4676a0af9e086ab74a560cf1c8f3d |
memory/1380-219-0x000000001BFB0000-0x000000001BFCE000-memory.dmp
memory/1380-244-0x000000001BBC0000-0x000000001BDDC000-memory.dmp
C:\Users\Public\Desktop\Microsoft Edge.lnk
| MD5 | f96fcb15806908bfb4f0e7f82f6d9985 |
| SHA1 | 6153248783e11de1637e6c98af64f251d471e8ae |
| SHA256 | 81c3d3eedff493979a8966002fc6537e3c610d46f75d21f1b1073137b4486332 |
| SHA512 | 4a1d3c3377ba4acb74387941955108db8c401e748f5f19352eff1d0eb951f053408dc20af38acb37517bdcb67b59bdfc41fd31d1f954b2b0826aaef0056d48e5 |
C:\Users\Public\Desktop\Google Chrome.lnk
| MD5 | eff701b29dfa0eb5787c20cdb6fe7436 |
| SHA1 | 4c9f3d195a36cb0d28ccc13ed7d1e643763d1fd3 |
| SHA256 | 52bf8f24a8d9e9c646163b17aa341cf387af9e23b9a7f6ed7456802a6a1855d2 |
| SHA512 | 4700e23c46e0bcddef4400158f0a1a6accc011455527bc194a148d5615794e8c99ed57e3cfea4f956f0b6e0e2e3c54a9da1506549de6d455429e43cece280b1d |
C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
| MD5 | 586f7fecacd49adab650fae36e2db994 |
| SHA1 | 35d9fb512a8161ce867812633f0a43b042f9a5e6 |
| SHA256 | cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e |
| SHA512 | a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772 |
memory/3616-259-0x0000000000CF0000-0x00000000011AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
| MD5 | 2c8f5e7a9e670c3850b2de0d2f3758b2 |
| SHA1 | 42409c886411ce73c1d6f07bbae47bf8f2db713c |
| SHA256 | bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce |
| SHA512 | 1237d9fbc5cfd97e2377c56143a100daeeff8e71ffa90c4fa7227eab94b3edf841e8ca8b68a8ed8c18d9cc03457a4c246a98147ab317079650bcf88877211454 |
memory/4500-279-0x0000000000190000-0x00000000001BE000-memory.dmp
memory/660-286-0x0000000000400000-0x000000000063B000-memory.dmp
memory/660-282-0x0000000000400000-0x000000000063B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe
| MD5 | 24dd75b0a7bb9a0e0918ee0dd84a581a |
| SHA1 | de796b237488df3d26a99aa8a78098c010aeb2c9 |
| SHA256 | 878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d |
| SHA512 | 53f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557 |
memory/1600-316-0x0000000006460000-0x00000000064C6000-memory.dmp
memory/4356-314-0x0000000000400000-0x0000000002AF3000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll
| MD5 | f35b671fda2603ec30ace10946f11a90 |
| SHA1 | 059ad6b06559d4db581b1879e709f32f80850872 |
| SHA256 | 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7 |
| SHA512 | b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705 |
C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
| MD5 | 6ed714c1a56743f32ed097b0b79e1be2 |
| SHA1 | dc6cd1493016221d853ba8cb84623aee5fc7fde1 |
| SHA256 | 18cbd445ca637b452e9ca89911ab9b30f0adf60a35c2569a42ae13dcd5a44bf9 |
| SHA512 | a1a6a1abda4504859b0a0c21bf2e41485c608a01038f207c6636bf191cc824cbe9ce2fd02e247737e32904e5b89b2b88830af3daf024d8da8d5fbf7521e1005c |
C:\Users\Admin\AppData\Local\Temp\u3kc.0.exe
| MD5 | 3b577ad55734b8ab5e8362c15fdcb327 |
| SHA1 | 5ce0b10cc6ad018ff59a28da1ca2b43608742ee6 |
| SHA256 | 2c1f6bfc7bd1e82f941ca19a108bc7bc455b1d140becddd151d6f9c119104ad6 |
| SHA512 | ec2178ba7b47b7be8bc41f4f46aca4fd5259631c89084b3f1ef56d7564fe0a42c48fb774b8ad22ee6c95bb01bea0a010460d5effa6d3635d3b94b7f780eb1791 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d5loz4zj.4lt.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2580-382-0x000001C39C5D0000-0x000001C39C5F2000-memory.dmp
memory/660-383-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1620-399-0x0000000002130000-0x0000000002181000-memory.dmp
C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll
| MD5 | 154c3f1334dd435f562672f2664fea6b |
| SHA1 | 51dd25e2ba98b8546de163b8f26e2972a90c2c79 |
| SHA256 | 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f |
| SHA512 | 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841 |
memory/3616-430-0x0000000000CF0000-0x00000000011AB000-memory.dmp
memory/1620-432-0x0000000000400000-0x00000000005C4000-memory.dmp
memory/3616-433-0x0000000000CF0000-0x00000000011AB000-memory.dmp
memory/4620-431-0x0000000000400000-0x0000000002B1F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3kc.1.zip
| MD5 | 78d3ca6355c93c72b494bb6a498bf639 |
| SHA1 | 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e |
| SHA256 | a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001 |
| SHA512 | 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea |
C:\Users\Admin\AppData\Local\Temp\u3kc.2\run.exe
| MD5 | 9fb4770ced09aae3b437c1c6eb6d7334 |
| SHA1 | fe54b31b0db8665aa5b22bed147e8295afc88a03 |
| SHA256 | a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3 |
| SHA512 | 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256 |
memory/1600-508-0x00000000070E0000-0x0000000007130000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3kc.2\relay.dll
| MD5 | 10d51becd0bbce0fab147ff9658c565e |
| SHA1 | 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a |
| SHA256 | 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed |
| SHA512 | 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29 |
C:\Users\Admin\AppData\Local\Temp\u3kc.2\bunch.dat
| MD5 | 1e8237d3028ab52821d69099e0954f97 |
| SHA1 | 30a6ae353adda0c471c6ed5b7a2458b07185abf2 |
| SHA256 | 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742 |
| SHA512 | a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3 |
C:\Users\Admin\AppData\Local\Temp\u3kc.2\whale.dbf
| MD5 | a723bf46048e0bfb15b8d77d7a648c3e |
| SHA1 | 8952d3c34e9341e4425571e10f22b782695bb915 |
| SHA256 | b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422 |
| SHA512 | ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273 |
memory/4100-523-0x000000006B920000-0x000000006BA9B000-memory.dmp
memory/4100-524-0x00007FFC72970000-0x00007FFC72B65000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3kc.2\UIxMarketPlugin.dll
| MD5 | d1ba9412e78bfc98074c5d724a1a87d6 |
| SHA1 | 0572f98d78fb0b366b5a086c2a74cc68b771d368 |
| SHA256 | cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15 |
| SHA512 | 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f |
memory/2580-534-0x000001C39C780000-0x000001C39C78A000-memory.dmp
memory/2580-533-0x000001C39C9C0000-0x000001C39C9D2000-memory.dmp
memory/552-543-0x0000000004540000-0x0000000004576000-memory.dmp
memory/552-544-0x0000000004C40000-0x0000000005268000-memory.dmp
memory/552-546-0x0000000005410000-0x0000000005476000-memory.dmp
memory/552-545-0x0000000005370000-0x0000000005392000-memory.dmp
memory/552-556-0x00000000054F0000-0x0000000005844000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3kc.3.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/552-568-0x0000000005B10000-0x0000000005B2E000-memory.dmp
memory/1620-573-0x0000000002130000-0x0000000002181000-memory.dmp
memory/4620-579-0x0000000000400000-0x0000000002B1F000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/552-602-0x000000006B340000-0x000000006B694000-memory.dmp
memory/552-601-0x000000006FE50000-0x000000006FE9C000-memory.dmp
memory/552-600-0x0000000006CE0000-0x0000000006D12000-memory.dmp
memory/552-612-0x0000000006D20000-0x0000000006D3E000-memory.dmp
memory/552-613-0x0000000006D80000-0x0000000006E23000-memory.dmp
memory/552-615-0x00000000074E0000-0x0000000007B5A000-memory.dmp
memory/3616-616-0x0000000000CF0000-0x00000000011AB000-memory.dmp
memory/552-618-0x0000000006EA0000-0x0000000006EBA000-memory.dmp
memory/4828-617-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/552-619-0x0000000006F10000-0x0000000006F1A000-memory.dmp
memory/552-620-0x0000000007120000-0x00000000071B6000-memory.dmp
memory/2280-621-0x0000000007430000-0x00000000075F2000-memory.dmp
memory/2280-622-0x00000000082A0000-0x00000000087CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4a0c0478
| MD5 | 87e05d323b35f759f206da600951177e |
| SHA1 | abe923092c8ac0627bc5ff58259fa44f03420045 |
| SHA256 | ceb8c30980c9826fecbdb6122ca2fea76d4d06028f1dc9bbc2952b025046f649 |
| SHA512 | 1909c3fafbf6a89734597597879f463d3e80c8f781721d44219fbd98d5a89e2a963c2edd27e465fabef2184b512a743d0f4161aece55b2f6d837244beef852c4 |
memory/552-624-0x0000000007090000-0x00000000070A1000-memory.dmp
memory/4100-623-0x000000006B920000-0x000000006BA9B000-memory.dmp
memory/552-627-0x00000000070C0000-0x00000000070CE000-memory.dmp
memory/552-628-0x00000000070D0000-0x00000000070E4000-memory.dmp
memory/552-629-0x00000000071C0000-0x00000000071DA000-memory.dmp
memory/552-630-0x0000000007100000-0x0000000007108000-memory.dmp
memory/4828-634-0x0000000000400000-0x0000000002EDD000-memory.dmp
memory/3836-637-0x00007FFC72970000-0x00007FFC72B65000-memory.dmp
memory/3856-648-0x0000000000400000-0x0000000002AFA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 106b185ef6775dee7462a59318ba2ed4 |
| SHA1 | 26a3d57280b832abfbf2ec8e6f9f1c36d6128348 |
| SHA256 | bf7d2168a89772ca36aca5a682a64f9f900bf138606156d9afa6330e73e751c4 |
| SHA512 | 301e6e9daafc38e55b1bd32b1bc0f3aa01f391c63d245e70355c0851fb51a80d10e440047973472840d20d850aac70811ab6e33ef10cefb6d22ec9f53e92dbac |
memory/3856-656-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\ProgramData\HJJECBKK
| MD5 | 079a696bcf1d85d290ea94324f8fea01 |
| SHA1 | 15819c37e62568756e0c64af555b19c36f2b03c9 |
| SHA256 | 97adfff767fb00f67212b0e36ade8d75f97f1e3619e1658193003e306d8a1afa |
| SHA512 | 7ffd8f6f23838beaa4ef4dbfce8347fb8725089e4271d8a2699c19ac5a42fb3868122d39fe0e13a6f132160934a81fe2c41c7d679f1236ad3c0f85b177ba0b65 |
C:\ProgramData\CAFBGDHC
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\ProgramData\freebl3.dll
| MD5 | c8137aed8c92dccdb9b24462831bfdbf |
| SHA1 | 80b3c17aad575db77c6affc53bb1d73b267e470b |
| SHA256 | 55bbe2d98c2ed8a1a269ff7012402cfb0831484710b459457454c734d5279489 |
| SHA512 | 36690911017cf2297ab992bc1cdb32ffd84354eae808b59162e2a83d9371bfb0772e135554c60b4d527eb114550c4ce7889f64f88817d7c0269d169823c6058c |
C:\ProgramData\mozglue.dll
| MD5 | d75a4288dd7c1830943144efc22ada96 |
| SHA1 | ad511f65e8ba26972da764571d8a74f6accf0004 |
| SHA256 | ea6c7b31d79e3b448ac77f2a7849d616d7f9f61b629c7949315564ff515021cd |
| SHA512 | d7b69aa2084a2eb1227b71c13325d81e2922c6d74667646942b575c6627584bf44c88663fffee10c29553542c1992f95055062c567bf2e4fa03118158d0c417e |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 7075828d6c0153682ea0d4f30f3172e5 |
| SHA1 | d22a0c644178c0501df7f15252beb607b2b35356 |
| SHA256 | 75bf5961379b0699149e30585a5fcfd940e3c602914bc9a1ee308d34db6cc1da |
| SHA512 | becd98c759bf0a32c00ee9db2d9cdcf0da5f3d2889cb60f4c8e9a65fb10fa7dca2d05db5d3cae0e25bf9f7c2e5ec92aad5e78f9f8dea6de70db45cb38b69b7bd |
C:\ProgramData\msvcp140.dll
| MD5 | 513432ca71353833b1bad5786607ca02 |
| SHA1 | 8a59f7fbff4b4c7cedff9cc12f6c34c0e5f41504 |
| SHA256 | 88fcbe1b2929df055f2be2369efb95a6a90704d5e755d2050959a64f32c517d9 |
| SHA512 | aa8b16ec2986e74136c814fe707d74edad5ec93840c172f1eb449e5e1b8db7da5c59cb0de6f1403914c0439319257de7017171ed26b4e84e9f0be43a510864ca |
C:\ProgramData\nss3.dll
| MD5 | f363f0d6e9230c8b039f91187307d0ec |
| SHA1 | 828335e1f1601754f032bce2700c56c87d0c1783 |
| SHA256 | 670b9396d0eca4d086cc01d1aa1790f28b0c86c635304300616061b4b9f9d3e4 |
| SHA512 | 4ce87c08908624af24171e3e0a7ad48fb9dc46c0d831d9cc81fc889fbb018fe27cc4161edf75f4180ed15a32c8ec2ac189391e7f624ca0177de7bb740b46ff12 |
C:\ProgramData\softokn3.dll
| MD5 | 27eb36fa1707297feff5ea7b4ef57eb3 |
| SHA1 | b92923a04fe709b0a988a28599fb0b8c22fc7a4d |
| SHA256 | 89b223f9095a6f018b05499e1fde07275d567462d720aa3c454ddc5d6325c2d9 |
| SHA512 | 01950eb1d4e5bef997f9d72b4552839bc9e9413a7ae9e2bf2bbf8b6b479e4ad853da27c18c0f5da909a91ace842e04848c42659d05231591b6f4cdf5e89a8957 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\ProgramData\vcruntime140.dll
| MD5 | 24a1064c29865c39c55cbf9dc9b4f322 |
| SHA1 | 1368e2a81f7595683d628bf4c5241847acac3417 |
| SHA256 | 4095f5926b3296aff4af06c9b6787250f912da05f4d589d35924038c0e3fa7ef |
| SHA512 | 244a112641f8e0ccff1c7ff342a76b0aaca8c2cc133eab29dc8941a812fca84dc6418d5f15569a00ffc023402dbcc8cdf2fe2a0c5fb288d50d862ceb2669df99 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 84e046377e05cd1544333eb995d6b9d0 |
| SHA1 | 33e064e3e097f85a73473d1e891836d9f82080e4 |
| SHA256 | 56e2d019b030829a7dfadfa7e8d7d4a7b3ffcfb5bc7efcbc2103321f14d11a47 |
| SHA512 | 873ad80198466ff0f97f9875a7b43ed83cffa1ed97a802213cecee2da104c9dd59215f377dc9de964d7eb31caea360e00ac2bf484fed4f617ce40babe160d8df |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a71dbdaee9684ef7c89cf8ccc6821e51 |
| SHA1 | d95a8f59f5e62e188828aa799876f6c38c79539c |
| SHA256 | 755427e78ac8b4d5ea767a2751bc96e66e6e4478f92f9356d91b3734fd2880d3 |
| SHA512 | 5592381006ef61cf7d316e1c793aa82293d815692402da800e36ef1338fa99354f76d2f029d67731dcdbb77fb8d83bbdc13f4f745466e38d8deb488244d737c3 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-27 14:50
Reported
2024-04-27 14:53
Platform
win11-20240419-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\chrosha.job | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe
"C:\Users\Admin\AppData\Local\Temp\b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c.exe"
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
Network
| Country | Destination | Domain | Proto |
| RU | 193.233.132.167:80 | | tcp |
| RU | 193.233.132.167:80 | | tcp |
| RU | 193.233.132.167:80 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 193.233.132.167:80 | | tcp |
| RU | 193.233.132.167:80 | | tcp |
| RU | 193.233.132.167:80 | | tcp |
| RU | 193.233.132.167:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe
| MD5 | 53e7a4369152d6d5ec3bd0e1d69d6b3b |
| SHA1 | 94a8527f7f9e19bd609cb6f15ce3ed8363b2f4c6 |
| SHA256 | b5e6ad9136632faa695b71c4efc2618427660998feb6a0eeae97ed289452b87c |
| SHA512 | b68b8c057bea204ecada99817bf2fb4d64d7a00d21c9bffcd01e6aa96851bf834154c8d3531b1369b7465831bf54b04f3a8aacd952a3bf6f1da3ac5cd813050f |