Malware Analysis Report

2024-12-08 01:40

Sample ID 240427-tf4wmadd5w
Target d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876
SHA256 d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876
Tags
amadey glupteba lumma redline sectoprat stealc zgrat @cloudytteam test1234 discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876

Threat Level: Known bad

The file d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876 was found to be: Known bad.

Malicious Activity Summary

amadey glupteba lumma redline sectoprat stealc zgrat @cloudytteam test1234 discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx

RedLine

Glupteba

Amadey

ZGRat

SectopRAT

RedLine payload

SectopRAT payload

Detect ZGRat V1

Glupteba payload

Stealc

Lumma Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Blocklisted process makes network request

Downloads MZ/PE file

Reads data files stored by FTP clients

Reads WinSCP keys stored on the system

Reads local data of messenger clients

Identifies Wine through registry keys

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

UPX packed file

Loads dropped DLL

Checks BIOS information in registry

Checks installed software on the system

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver.

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 16:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 16:00

Reported

2024-04-27 16:03

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u1as.3.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1as.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1as.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1as.3.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u1as.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u1as.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3244 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 3244 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 3244 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 3756 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3756 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3244 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 3244 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 3244 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 1576 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1576 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4892 wrote to memory of 3364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 4892 wrote to memory of 3364 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 4892 wrote to memory of 3628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 4892 wrote to memory of 3628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 4892 wrote to memory of 3628 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 3244 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 3244 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 3244 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 4760 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4760 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4760 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4760 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4760 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4760 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4760 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4760 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4760 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3244 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 3244 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 3244 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 3820 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 3820 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 3820 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 3244 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 3244 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 3244 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 3820 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 3820 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 3820 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 3244 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 3244 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 3244 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 3820 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
PID 3820 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
PID 3820 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
PID 4180 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4180 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4180 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe

"C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3756 -ip 3756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 888

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1576 -ip 1576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 360

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4760 -ip 4760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 368

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 408 -ip 408

C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe

"C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 352

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\u1as.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1as.0.exe"

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\162180587977_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u1as.3.exe

"C:\Users\Admin\AppData\Local\Temp\u1as.3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1684 -ip 1684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 1424

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4076 -ip 4076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 2304

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 affordcharmcropwo.shop udp
US 172.67.181.34:443 affordcharmcropwo.shop tcp
US 8.8.8.8:53 cleartotalfisherwo.shop udp
US 172.67.185.32:443 cleartotalfisherwo.shop tcp
US 8.8.8.8:53 34.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 worryfillvolcawoi.shop udp
US 104.21.44.125:443 worryfillvolcawoi.shop tcp
US 8.8.8.8:53 enthusiasimtitleow.shop udp
US 172.67.183.226:443 enthusiasimtitleow.shop tcp
US 8.8.8.8:53 32.185.67.172.in-addr.arpa udp
US 8.8.8.8:53 dismissalcylinderhostw.shop udp
US 104.21.22.160:443 dismissalcylinderhostw.shop tcp
US 8.8.8.8:53 diskretainvigorousiw.shop udp
US 172.67.211.165:443 diskretainvigorousiw.shop tcp
US 8.8.8.8:53 125.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 226.183.67.172.in-addr.arpa udp
US 8.8.8.8:53 160.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 165.211.67.172.in-addr.arpa udp
US 8.8.8.8:53 communicationgenerwo.shop udp
US 172.67.166.251:443 communicationgenerwo.shop tcp
US 8.8.8.8:53 pillowbrocccolipe.shop udp
US 104.21.47.56:443 pillowbrocccolipe.shop tcp
US 8.8.8.8:53 251.166.67.172.in-addr.arpa udp
US 8.8.8.8:53 56.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 productivelookewr.shop udp
US 104.21.11.250:443 productivelookewr.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.33:8970 tcp
US 8.8.8.8:53 tolerateilusidjukl.shop udp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 250.11.21.104.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 33.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 41.147.67.172.in-addr.arpa udp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 shatterbreathepsw.shop udp
US 172.67.169.43:443 shatterbreathepsw.shop tcp
US 8.8.8.8:53 shortsvelventysjo.shop udp
US 172.67.216.69:443 shortsvelventysjo.shop tcp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 43.169.67.172.in-addr.arpa udp
US 8.8.8.8:53 69.216.67.172.in-addr.arpa udp
US 8.8.8.8:53 incredibleextedwj.shop udp
US 172.67.218.63:443 incredibleextedwj.shop tcp
US 8.8.8.8:53 alcojoldwograpciw.shop udp
US 8.8.8.8:53 file-host-host0.com udp
US 172.67.157.23:443 alcojoldwograpciw.shop tcp
RU 185.215.113.67:26260 tcp
RU 194.87.210.219:80 file-host-host0.com tcp
US 8.8.8.8:53 63.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 liabilitynighstjsko.shop udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 demonstationfukewko.shop udp
US 104.21.33.174:443 demonstationfukewko.shop tcp
US 8.8.8.8:53 23.157.67.172.in-addr.arpa udp
US 8.8.8.8:53 219.210.87.194.in-addr.arpa udp
US 8.8.8.8:53 67.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 3.44.21.104.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 parrotflight.com udp
US 104.21.84.71:443 parrotflight.com tcp
FR 52.143.157.84:80 52.143.157.84 tcp
US 8.8.8.8:53 174.33.21.104.in-addr.arpa udp
US 8.8.8.8:53 71.84.21.104.in-addr.arpa udp
US 8.8.8.8:53 84.157.143.52.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 junglethomas.com udp
US 172.67.197.33:443 junglethomas.com tcp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
US 8.8.8.8:53 33.197.67.172.in-addr.arpa udp
US 8.8.8.8:53 106.76.97.176.in-addr.arpa udp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.62:80 185.172.128.62 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 62.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 palmeventeryjusk.shop udp
US 172.67.155.93:443 palmeventeryjusk.shop tcp
US 8.8.8.8:53 93.155.67.172.in-addr.arpa udp
US 8.8.8.8:53 entitlementappwo.shop udp
US 172.67.177.73:443 entitlementappwo.shop tcp
US 8.8.8.8:53 economicscreateojsu.shop udp
US 104.21.47.60:443 economicscreateojsu.shop tcp
US 8.8.8.8:53 73.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 60.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 pushjellysingeywus.shop udp
US 104.21.70.22:443 pushjellysingeywus.shop tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 absentconvicsjawun.shop udp
US 104.21.26.86:443 absentconvicsjawun.shop tcp
US 8.8.8.8:53 22.70.21.104.in-addr.arpa udp
US 8.8.8.8:53 suitcaseacanehalk.shop udp
US 172.67.214.60:443 suitcaseacanehalk.shop tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 8.8.8.8:53 86.26.21.104.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 60.214.67.172.in-addr.arpa udp
US 8.8.8.8:53 bordersoarmanusjuw.shop udp
US 172.67.189.66:443 bordersoarmanusjuw.shop tcp
US 8.8.8.8:53 mealplayerpreceodsju.shop udp
US 104.21.22.58:443 mealplayerpreceodsju.shop tcp
US 8.8.8.8:53 66.189.67.172.in-addr.arpa udp
US 8.8.8.8:53 58.22.21.104.in-addr.arpa udp
US 8.8.8.8:53 wifeplasterbakewis.shop udp
US 104.21.52.82:443 wifeplasterbakewis.shop tcp
US 8.8.8.8:53 82.52.21.104.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.49:443 download.iolo.net tcp
US 8.8.8.8:53 49.56.244.143.in-addr.arpa udp
US 20.157.87.45:80 svc.iolo.com tcp
RU 91.215.85.66:15647 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 66.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 150.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 112.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 d6f79da4-520d-4aae-bb7c-00a81ef0907d.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 server1.databaseupgrade.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
US 8.8.8.8:53 233.133.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp
US 8.8.8.8:53 stun3.l.google.com udp
IT 142.251.27.127:19302 stun3.l.google.com udp
US 8.8.8.8:53 127.27.251.142.in-addr.arpa udp
BG 185.82.216.108:443 server1.databaseupgrade.ru tcp

Files

memory/1720-0-0x0000000000510000-0x00000000009C3000-memory.dmp

memory/1720-1-0x0000000077814000-0x0000000077816000-memory.dmp

memory/1720-2-0x0000000000510000-0x00000000009C3000-memory.dmp

memory/1720-8-0x0000000004E80000-0x0000000004E81000-memory.dmp

memory/1720-7-0x0000000004E90000-0x0000000004E91000-memory.dmp

memory/1720-6-0x0000000004E70000-0x0000000004E71000-memory.dmp

memory/1720-5-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

memory/1720-4-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

memory/1720-3-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

memory/1720-9-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

memory/1720-15-0x0000000000510000-0x00000000009C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

MD5 73d73c48859fc7aa4fd78d9a57f859d6
SHA1 c1f71ea0692d97c653ff5a5ecbc03fd02173fe05
SHA256 d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876
SHA512 f0634be539582016c03e83f3ca58d613fc16abcc0a9c320321f455234a8f2dc1c199fc52187abac5e4cbbe7b7907afdaa89813f50cbecd611f7e870ee7f8e979

memory/3244-18-0x0000000000560000-0x0000000000A13000-memory.dmp

memory/3244-19-0x0000000000560000-0x0000000000A13000-memory.dmp

memory/3244-25-0x0000000004B30000-0x0000000004B31000-memory.dmp

memory/3244-24-0x0000000004B20000-0x0000000004B21000-memory.dmp

memory/3244-23-0x0000000004B80000-0x0000000004B81000-memory.dmp

memory/3244-22-0x0000000004B40000-0x0000000004B41000-memory.dmp

memory/3244-21-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/3244-20-0x0000000004B50000-0x0000000004B51000-memory.dmp

memory/3244-26-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

memory/3244-27-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

MD5 1c7d0f34bb1d85b5d2c01367cc8f62ef
SHA1 33aedadb5361f1646cffd68791d72ba5f1424114
SHA256 e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA512 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

memory/3756-47-0x0000000000EE0000-0x0000000000F32000-memory.dmp

memory/3756-48-0x0000000073420000-0x0000000073BD0000-memory.dmp

memory/3252-51-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3252-54-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3756-55-0x0000000003400000-0x0000000005400000-memory.dmp

memory/3252-56-0x0000000000400000-0x000000000044C000-memory.dmp

memory/3756-57-0x0000000073420000-0x0000000073BD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

memory/4892-74-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

MD5 0c582da789c91878ab2f1b12d7461496
SHA1 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256 a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512 a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

MD5 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256 daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512 db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

memory/3628-96-0x00000000000C0000-0x0000000000112000-memory.dmp

memory/3628-97-0x0000000004EC0000-0x0000000005464000-memory.dmp

memory/3628-98-0x00000000049F0000-0x0000000004A82000-memory.dmp

memory/3628-108-0x0000000004B80000-0x0000000004B8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

MD5 b22521fb370921bb5d69bf8deecce59e
SHA1 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256 b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA512 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

memory/3364-110-0x0000000000FD0000-0x0000000001090000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp6522.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/3628-127-0x0000000005630000-0x00000000056A6000-memory.dmp

memory/4328-138-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3628-139-0x0000000006560000-0x0000000006B78000-memory.dmp

memory/3628-135-0x0000000005E20000-0x0000000005E3E000-memory.dmp

memory/4328-142-0x0000000000400000-0x000000000044E000-memory.dmp

memory/3628-143-0x0000000006190000-0x00000000061CC000-memory.dmp

memory/3628-141-0x0000000006130000-0x0000000006142000-memory.dmp

memory/3628-140-0x00000000061F0000-0x00000000062FA000-memory.dmp

memory/3628-144-0x0000000006300000-0x000000000634C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

memory/3364-178-0x000000001CAD0000-0x000000001CB46000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1162180587-977231257-2194346871-1000\76b53b3ec448f7ccdda2063b15d2bfc3_44d43ff8-91cd-4ca7-92c9-6495b4f546fa

MD5 6aeb182185ffb46a87546f72424e6e5b
SHA1 9b11cb1d155e712fc576cd6bb580f4d653955b05
SHA256 a5df3eb114b6fa56857de3c0b78ac7f60145b5be13237b91b9311ba011626611
SHA512 704fb86f2ce27525fca367a0decb98199525c2b8f17eda8157c32d368866b6af585d0a78f469d0eb5dc35572a82b5130549d526a6dd8d11b4aa3646b965596bc

memory/3364-181-0x000000001CD70000-0x000000001CD8E000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 21c55e5a34dd4a5132bcf3175d8e66bd
SHA1 d07c26dcd9b7bdabd5f41ecc4cf6e965e58dd4c6
SHA256 701a6dd4ce9b5023c2d9d94c6933dd2f71cafbab7761fc32a0b071044f2b794d
SHA512 dd652f4c0fe475dce18d69c1e4c19453646af407e091eb4942a87000bc923f3adc4fb545f1646c04cb4fe8df63495d4a1078492afa37661cde9bbf463603efbf

C:\Users\Public\Desktop\Microsoft Edge.lnk

MD5 211fe7b0bd424865d2c7f1c03e7c7c3c
SHA1 602d49a007d6bbbf0d565b025d4e968ef2058f71
SHA256 a4776592dcf4dd9e9a44964dd56dac2fe64faafe7a8866aefe95ae73cd48089e
SHA512 140c3044e2003dbb6ac3b31d6fac1fdf9e42a9f6767d8c64b865a7a62d758bf742b1571339ba704af5071d1f16846245983fd801af33757d9a4a379c701cfe5b

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

MD5 8510bcf5bc264c70180abe78298e4d5b
SHA1 2c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA512 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

MD5 73f40e4d6b322bf4d7c8b18d120af5c7
SHA1 533e7400d1264fe8fb740366e700c035224f83d1
SHA256 9317408100896c9251defb1a2f2cfca2627ac72dce9f4d7f0d5c3bfdc736e179
SHA512 c1e2e2cfa9dc2f829c7bdda1af9dd432a19ff8f3818a1a3ad1b73d6f08f666cbf5cbfb6573e75a7cb0b5288aeccfda6927e5723337a0e822b892fb1d6f280260

memory/2212-215-0x0000000000280000-0x00000000002D2000-memory.dmp

memory/3244-242-0x0000000000560000-0x0000000000A13000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 f8a0def113850915e7506b860e1e4f2f
SHA1 93eb04a546c34d0399d3125e13d28bb786510880
SHA256 4d6775a7ad5aeaf9dec20010ca8e3f6b870295e4d6c3208a63e9425b827f9fee
SHA512 9b74272240a57138e63ce3ed2d3863e7b5a0f8c07b2d7026834df78565d10f4754e2f8727de8145ad7dee6d1a7aac3e06880e35fec3f087a7c0ef1b3ee06c92f

C:\Users\Public\Desktop\Microsoft Edge.lnk

MD5 b67aca591bb2fc7653bfb3fc59ed79dd
SHA1 606f6ce864f3293db8f90ee0ea4c56f6f1af6c92
SHA256 5e76dde77b215f5f9cfab6cc9464ab746158d470293eb01cd0a66f2fbb849b07
SHA512 9b7c11fef9e2355d83bc513fb45dc4193ee4a12247fdd91efd71807808101bee713550fa5e1b42f131efac2569ea24e2f473b2812278b8127767bbdc29753d1e

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

MD5 586f7fecacd49adab650fae36e2db994
SHA1 35d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256 cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512 a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

MD5 2c8f5e7a9e670c3850b2de0d2f3758b2
SHA1 42409c886411ce73c1d6f07bbae47bf8f2db713c
SHA256 bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce
SHA512 1237d9fbc5cfd97e2377c56143a100daeeff8e71ffa90c4fa7227eab94b3edf841e8ca8b68a8ed8c18d9cc03457a4c246a98147ab317079650bcf88877211454

memory/4180-286-0x00000000009C0000-0x00000000009EE000-memory.dmp

memory/4940-292-0x0000000000400000-0x000000000063B000-memory.dmp

memory/4940-289-0x0000000000400000-0x000000000063B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe

MD5 24dd75b0a7bb9a0e0918ee0dd84a581a
SHA1 de796b237488df3d26a99aa8a78098c010aeb2c9
SHA256 878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d
SHA512 53f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

memory/3628-326-0x0000000006440000-0x00000000064A6000-memory.dmp

memory/4940-333-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1as.0.exe

MD5 3b577ad55734b8ab5e8362c15fdcb327
SHA1 5ce0b10cc6ad018ff59a28da1ca2b43608742ee6
SHA256 2c1f6bfc7bd1e82f941ca19a108bc7bc455b1d140becddd151d6f9c119104ad6
SHA512 ec2178ba7b47b7be8bc41f4f46aca4fd5259631c89084b3f1ef56d7564fe0a42c48fb774b8ad22ee6c95bb01bea0a010460d5effa6d3635d3b94b7f780eb1791

memory/408-358-0x0000000000400000-0x0000000002AF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

MD5 6ed714c1a56743f32ed097b0b79e1be2
SHA1 dc6cd1493016221d853ba8cb84623aee5fc7fde1
SHA256 18cbd445ca637b452e9ca89911ab9b30f0adf60a35c2569a42ae13dcd5a44bf9
SHA512 a1a6a1abda4504859b0a0c21bf2e41485c608a01038f207c6636bf191cc824cbe9ce2fd02e247737e32904e5b89b2b88830af3daf024d8da8d5fbf7521e1005c

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3264-435-0x0000025FFDB20000-0x0000025FFDB42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhtq5qiw.vyr.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

C:\Users\Admin\AppData\Local\Temp\u1as.1.zip

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

C:\Users\Admin\AppData\Local\Temp\u1as.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\u1as.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/4360-539-0x000000006BB80000-0x000000006BCFB000-memory.dmp

memory/2212-538-0x00000000086C0000-0x0000000008BEC000-memory.dmp

memory/2212-536-0x0000000007FC0000-0x0000000008182000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1as.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/4360-540-0x00007FFCF76B0000-0x00007FFCF78A5000-memory.dmp

memory/1020-546-0x0000000002370000-0x00000000023C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1as.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\u1as.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

memory/3244-549-0x0000000000560000-0x0000000000A13000-memory.dmp

memory/1020-551-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/3244-554-0x0000000000560000-0x0000000000A13000-memory.dmp

memory/4076-552-0x0000000000400000-0x0000000002AFA000-memory.dmp

memory/4076-555-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4720-553-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1684-550-0x0000000000400000-0x0000000002B1F000-memory.dmp

memory/3628-571-0x0000000006ED0000-0x0000000006F20000-memory.dmp

C:\ProgramData\AAKKECFB

MD5 e0a9a4a78c1f99c5693c26d139b08762
SHA1 a20443b8e6e4a1fb1a11f4e0c6f48b89f263f069
SHA256 4075e9418dbc72c7dbb3978bd9e6f1283457e5aeb72389e2285c8c6bf8f61a27
SHA512 df1f9a9f4eab6086a407ba41dc67645bb1c0b0ac910f37d9b0012895e36b4e27ce00b214a8e519d70b612e1c0cb480828bb25350bba3086842eed7aca94611ac

memory/3264-580-0x0000025FFDAF0000-0x0000025FFDAFA000-memory.dmp

memory/3264-579-0x0000025FFDB50000-0x0000025FFDB62000-memory.dmp

memory/3056-599-0x0000000005AD0000-0x00000000060F8000-memory.dmp

C:\ProgramData\GCAEHDBA

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\u1as.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/3056-588-0x00000000031B0000-0x00000000031E6000-memory.dmp

C:\ProgramData\freebl3.dll

MD5 20b0ccea9a74ef454bdec596c2a85922
SHA1 bb1b5358924b9fd9164ad5fc32faac7f69a978da
SHA256 2433dbdd5da3f7c692446e5a4d0219392da5fe76b17c487a37d44ce5b9cdf2e5
SHA512 308ebed94d3ee2f9b8afadf2269e4e4bbb5abd6a99b03dd3a77265822ac5032a69da2b7049a576f3abbf456d1367ed0b53ff938285152d48f267f31ce1a3e54d

memory/3056-623-0x0000000006270000-0x00000000062D6000-memory.dmp

memory/3056-620-0x0000000005940000-0x0000000005962000-memory.dmp

memory/3056-624-0x0000000006480000-0x00000000067D4000-memory.dmp

memory/3056-629-0x0000000006820000-0x000000000683E000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 3016af45a4c7045b394c9a131197754e
SHA1 04ddb46a00ec97a965f199fdc80bb5eb1088a5c0
SHA256 077707610bbfd5f1e371e5eebbf263de599863ae3fe3c3ca93bbe8a70eb3aedc
SHA512 1bae6407a7870c2e0720b548b4e9b5855d2a1b155ad13be48173fb3625abe4141b94d1fbbbc32f177b5646dfe929de863e9bd68794c344cda5b304e927b01244

memory/1684-631-0x0000000000400000-0x0000000002B1F000-memory.dmp

C:\ProgramData\msvcp140.dll

MD5 2f99217812fea1bec79417dabaec35ec
SHA1 0fb53f126b6b6c3ca330f1e8111d68398784a82c
SHA256 960d0511de26778f49988300b169cae2d76cda3a7df89d775ade3c4a1c7264ac
SHA512 f261f4ce412179937e75058ff176959589503d0ba3b43f9a1cf299e69a3cc3779134defe8648eba9e3af5e970ffed600dc4c93c5bdb49395d451fcd7f3d774f7

memory/4360-643-0x000000006BB80000-0x000000006BCFB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3a34a38c

MD5 68f56a0aac60aef53c5b3f27f0b60898
SHA1 bd606bd800eb70f2e517eb9607260092b6e792a3
SHA256 89320185b1f475236ef3eef8c79bc3a9086985325147cff4233aca81c540d279
SHA512 f29012d6093d0dc4d7cb4358c50f5c44ae9f63e345bee60487ae5916537a44648333b944579bedef88af9890e726e3e5569905dad8d14a5757f1ff328acb5889

memory/3056-647-0x000000006C980000-0x000000006C9CC000-memory.dmp

C:\ProgramData\nss3.dll

MD5 f363f0d6e9230c8b039f91187307d0ec
SHA1 828335e1f1601754f032bce2700c56c87d0c1783
SHA256 670b9396d0eca4d086cc01d1aa1790f28b0c86c635304300616061b4b9f9d3e4
SHA512 4ce87c08908624af24171e3e0a7ad48fb9dc46c0d831d9cc81fc889fbb018fe27cc4161edf75f4180ed15a32c8ec2ac189391e7f624ca0177de7bb740b46ff12

memory/3056-660-0x0000000007A80000-0x0000000007B23000-memory.dmp

memory/3056-659-0x0000000007A30000-0x0000000007A4E000-memory.dmp

memory/3056-648-0x000000006B0A0000-0x000000006B3F4000-memory.dmp

memory/3056-646-0x00000000079F0000-0x0000000007A22000-memory.dmp

memory/3056-663-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

memory/3056-662-0x00000000081E0000-0x000000000885A000-memory.dmp

memory/3056-664-0x0000000007C10000-0x0000000007C1A000-memory.dmp

memory/3056-665-0x0000000007E20000-0x0000000007EB6000-memory.dmp

memory/3056-666-0x0000000007D90000-0x0000000007DA1000-memory.dmp

memory/3056-667-0x0000000007DC0000-0x0000000007DCE000-memory.dmp

memory/3056-668-0x0000000007DD0000-0x0000000007DE4000-memory.dmp

memory/3056-669-0x0000000007EC0000-0x0000000007EDA000-memory.dmp

memory/3056-670-0x0000000007E00000-0x0000000007E08000-memory.dmp

memory/1020-673-0x0000000002370000-0x00000000023C1000-memory.dmp

memory/3244-678-0x0000000000560000-0x0000000000A13000-memory.dmp

memory/3552-679-0x00007FFCF76B0000-0x00007FFCF78A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 ce6b176b4262f5759c0c86944ebe0a7d
SHA1 b22bd538a4f9eabb2e9cf4fa05741afa8f72d89f
SHA256 e3878a8e59ae30dbabee2e403e05d24c0760489acb7b305d33fc61d35f85892a
SHA512 cd8049f9c33af7182254f456350979c6a3ce9f1972a14ca0015f929d2950004b53724e68f330f88d5501ba67f945954ab01de5911efaf4fea94767b8656993e4

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 1f97e5b68276578926f538e52c0d92c8
SHA1 8fedd04fa4f7a4a5ff62adf4a4432a30ef31134d
SHA256 0eb5ab8514ac791703b3b7927b5faae7b6032b0b5c8d48e8f404ff5265fdee1e
SHA512 d0e6581824e9b1014e3f29ab93f485943fff49d29d19b70b00ad34702984d0550098d67bddce94dc48460f10fd95735c1170592def38f896ccd230b79661191b

memory/4076-697-0x0000000000400000-0x0000000002AFA000-memory.dmp

memory/3244-698-0x0000000000560000-0x0000000000A13000-memory.dmp

memory/2140-700-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4720-699-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\ProgramData\softokn3.dll

MD5 27eb36fa1707297feff5ea7b4ef57eb3
SHA1 b92923a04fe709b0a988a28599fb0b8c22fc7a4d
SHA256 89b223f9095a6f018b05499e1fde07275d567462d720aa3c454ddc5d6325c2d9
SHA512 01950eb1d4e5bef997f9d72b4552839bc9e9413a7ae9e2bf2bbf8b6b479e4ad853da27c18c0f5da909a91ace842e04848c42659d05231591b6f4cdf5e89a8957

C:\ProgramData\vcruntime140.dll

MD5 24a1064c29865c39c55cbf9dc9b4f322
SHA1 1368e2a81f7595683d628bf4c5241847acac3417
SHA256 4095f5926b3296aff4af06c9b6787250f912da05f4d589d35924038c0e3fa7ef
SHA512 244a112641f8e0ccff1c7ff342a76b0aaca8c2cc133eab29dc8941a812fca84dc6418d5f15569a00ffc023402dbcc8cdf2fe2a0c5fb288d50d862ceb2669df99

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 f39df8decdc5b0608c334ff411c2cecd
SHA1 6604e15302940cd4be60e0e74b9c0090ca75c5e0
SHA256 eff60bf67869b9ab9068b913b980dc5f904ec1c1b14f6eba052c0e08b95ebb91
SHA512 29c39c64ada1c2490a1008115ab7f6c680c04b1248b670d0b6fd554da18d5f4877c5ffebb7998f22468854b959c9ffaca97a86d9280572e378ff5d9281276d25

memory/2140-741-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2984-742-0x00000188E0050000-0x00000188E3948000-memory.dmp

memory/2984-743-0x00000188FF8B0000-0x00000188FF9C0000-memory.dmp

memory/2984-745-0x00000188E55E0000-0x00000188E55EC000-memory.dmp

memory/2984-744-0x00000188E55C0000-0x00000188E55D0000-memory.dmp

memory/2984-747-0x00000188E55D0000-0x00000188E55E4000-memory.dmp

memory/2984-748-0x00000188FDF30000-0x00000188FDF54000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/3552-756-0x000000006BB80000-0x000000006BCFB000-memory.dmp

memory/4076-754-0x0000000000400000-0x0000000002AFA000-memory.dmp

memory/2984-757-0x0000018880000000-0x000001888000A000-memory.dmp

memory/2984-761-0x0000018880190000-0x00000188801F2000-memory.dmp

memory/2984-762-0x00000188800C0000-0x00000188800CA000-memory.dmp

memory/2984-760-0x0000018880100000-0x000001888017A000-memory.dmp

memory/2984-759-0x00000188800D0000-0x00000188800FA000-memory.dmp

memory/2984-758-0x0000018880010000-0x00000188800C2000-memory.dmp

memory/2984-766-0x00000188801F0000-0x00000188804F0000-memory.dmp

memory/2984-768-0x00000188E3D60000-0x00000188E3D68000-memory.dmp

memory/2984-769-0x00000188FFB40000-0x00000188FFB78000-memory.dmp

memory/2984-770-0x00000188FDF60000-0x00000188FDF6E000-memory.dmp

memory/2984-772-0x0000018884600000-0x0000018884622000-memory.dmp

memory/2984-771-0x00000188845B0000-0x00000188845BA000-memory.dmp

memory/2984-773-0x0000018885190000-0x00000188856B8000-memory.dmp

memory/4076-774-0x0000000000400000-0x0000000002AFA000-memory.dmp

memory/2984-778-0x00000188845C0000-0x00000188845CC000-memory.dmp

memory/2984-777-0x00000188FFC50000-0x00000188FFCA0000-memory.dmp

memory/4484-780-0x0000000072A70000-0x0000000073CC4000-memory.dmp

memory/3244-783-0x0000000000560000-0x0000000000A13000-memory.dmp

memory/4484-784-0x0000000000DA0000-0x0000000000E66000-memory.dmp

memory/4484-785-0x0000000005330000-0x000000000533A000-memory.dmp

memory/752-799-0x0000000005B40000-0x0000000005E94000-memory.dmp

memory/752-800-0x0000000006210000-0x000000000625C000-memory.dmp

memory/752-802-0x0000000071650000-0x000000007169C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 989802f4585f18bb3d1fab11516b8051
SHA1 1d2dde5cbec4a47133646764c58fa57634e52123
SHA256 ec13921f72eebc2acce6fe4d9add42e666056fac0b3fa543f46bc5145bf87b59
SHA512 47121b85c93d15eba294234cfb1c405717f910b4985420abf24df2f9722f0ae384a6e7092612561543f2ca3b9b1c3ed6f3b55de12d41ba67f3068eebe586fb92

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 296ae4e923515b5c60a9011793edd217
SHA1 6c28cf1f10aab48533d09f3ee8df6fa410918fce
SHA256 0e70823d125bcc9de1b63cc9824a31c3c0d090047564ce2f14cf5e4346585f30
SHA512 6d8fc1a2e26aa80f06aa742f3119894ea68ea21da92740269f6fdc69d75cf45df249f6c26bc353254d71e7fe4f3cdb84f649d26381e7ada76fe67039e60d6c97

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 16:00

Reported

2024-04-27 16:03

Platform

win11-20240426-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\chrosha.job C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\uog.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\uog.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\uog.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\uog.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\uog.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1472 = "Magadan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-841 = "Argentina Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-2432 = "Cuba Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uog.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uog.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uog.2\run.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uog.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uog.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uog.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uog.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uog.2\run.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4896 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 4896 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 4896 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe
PID 2452 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2452 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4896 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 4896 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 4896 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
PID 4596 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 968 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 384 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4596 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 232 wrote to memory of 4976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 232 wrote to memory of 4976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 232 wrote to memory of 4976 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe
PID 232 wrote to memory of 3240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 232 wrote to memory of 3240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe
PID 4896 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 4896 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 4896 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe
PID 2408 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2408 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4896 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 4896 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 4896 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe
PID 4896 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 4896 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 4896 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe
PID 4896 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 4896 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 4896 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe
PID 4672 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4672 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4672 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4672 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4672 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4672 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe

"C:\Users\Admin\AppData\Local\Temp\d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876.exe"

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2452 -ip 2452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 884

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4596 -ip 4596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 404

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe"

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

"C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2408 -ip 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 396

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

"C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe"

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

"C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe

"C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 3680 -ip 3680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 384

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Users\Admin\AppData\Local\Temp\uog.0.exe

"C:\Users\Admin\AppData\Local\Temp\uog.0.exe"

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\230210488309_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\uog.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\uog.2\run.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\AppData\Local\Temp\uog.3.exe

"C:\Users\Admin\AppData\Local\Temp\uog.3.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 880 -ip 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 880 -s 1496

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 980 -ip 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 2096

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

Network

Country Destination Domain Proto
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 affordcharmcropwo.shop udp
US 172.67.181.34:443 affordcharmcropwo.shop tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 104.21.72.132:443 cleartotalfisherwo.shop tcp
US 104.21.44.125:443 worryfillvolcawoi.shop tcp
US 8.8.8.8:53 125.44.21.104.in-addr.arpa udp
US 104.21.18.233:443 enthusiasimtitleow.shop tcp
US 172.67.205.132:443 dismissalcylinderhostw.shop tcp
US 104.21.23.143:443 diskretainvigorousiw.shop tcp
US 172.67.166.251:443 communicationgenerwo.shop tcp
US 104.21.47.56:443 pillowbrocccolipe.shop tcp
DE 185.172.128.33:8970 tcp
US 172.67.150.207:443 productivelookewr.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 172.67.147.41:443 tolerateilusidjukl.shop tcp
US 104.21.95.19:443 shatterbreathepsw.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 172.67.216.69:443 shortsvelventysjo.shop tcp
US 172.67.218.63:443 incredibleextedwj.shop tcp
US 104.21.48.243:443 alcojoldwograpciw.shop tcp
US 8.8.8.8:53 63.218.67.172.in-addr.arpa udp
US 8.8.8.8:53 243.48.21.104.in-addr.arpa udp
US 104.21.44.3:443 liabilitynighstjsko.shop tcp
RU 194.87.210.219:80 file-host-host0.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 172.67.147.169:443 demonstationfukewko.shop tcp
RU 185.215.113.67:26260 tcp
FR 52.143.157.84:80 52.143.157.84 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 172.67.187.204:443 parrotflight.com tcp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
RO 176.97.76.106:80 note.padd.cn.com tcp
US 172.67.197.33:443 junglethomas.com tcp
RU 193.233.132.167:80 193.233.132.167 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 20.157.87.45:80 svc.iolo.com tcp
DE 185.172.128.62:80 185.172.128.62 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 104.21.7.13:443 palmeventeryjusk.shop tcp
US 104.21.75.133:443 entitlementappwo.shop tcp
US 172.67.145.57:443 economicscreateojsu.shop tcp
US 104.21.70.22:443 pushjellysingeywus.shop tcp
US 104.21.26.86:443 absentconvicsjawun.shop tcp
US 172.67.214.60:443 suitcaseacanehalk.shop tcp
US 172.67.189.66:443 bordersoarmanusjuw.shop tcp
US 104.21.22.58:443 mealplayerpreceodsju.shop tcp
FR 185.93.2.246:443 download.iolo.net tcp
US 172.67.196.237:443 wifeplasterbakewis.shop tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
RU 91.215.85.66:15647 tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server14.databaseupgrade.ru tcp
US 104.21.94.82:443 carsalessystem.com tcp
N/A 127.0.0.1:3478 udp
BG 185.82.216.108:443 server14.databaseupgrade.ru tcp
NL 74.125.128.127:19302 stun2.l.google.com udp

Files

memory/2932-0-0x00000000003E0000-0x0000000000893000-memory.dmp

memory/2932-1-0x0000000077476000-0x0000000077478000-memory.dmp

memory/2932-2-0x00000000003E0000-0x0000000000893000-memory.dmp

memory/2932-8-0x0000000004E50000-0x0000000004E51000-memory.dmp

memory/2932-7-0x0000000004E40000-0x0000000004E41000-memory.dmp

memory/2932-6-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

memory/2932-5-0x0000000004E60000-0x0000000004E61000-memory.dmp

memory/2932-4-0x0000000004E80000-0x0000000004E81000-memory.dmp

memory/2932-3-0x0000000004E70000-0x0000000004E71000-memory.dmp

memory/2932-10-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

memory/2932-14-0x00000000003E0000-0x0000000000893000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4d0ab15804\chrosha.exe

MD5 73d73c48859fc7aa4fd78d9a57f859d6
SHA1 c1f71ea0692d97c653ff5a5ecbc03fd02173fe05
SHA256 d46a8fa545385ab42ca58f6175b13f4b9989d88322ab624f646623b4a52a4876
SHA512 f0634be539582016c03e83f3ca58d613fc16abcc0a9c320321f455234a8f2dc1c199fc52187abac5e4cbbe7b7907afdaa89813f50cbecd611f7e870ee7f8e979

memory/4896-17-0x0000000000070000-0x0000000000523000-memory.dmp

memory/4896-18-0x0000000000070000-0x0000000000523000-memory.dmp

memory/4896-24-0x0000000005470000-0x0000000005471000-memory.dmp

memory/4896-23-0x0000000005460000-0x0000000005461000-memory.dmp

memory/4896-22-0x00000000054C0000-0x00000000054C1000-memory.dmp

memory/4896-21-0x0000000005480000-0x0000000005481000-memory.dmp

memory/4896-20-0x00000000054A0000-0x00000000054A1000-memory.dmp

memory/4896-19-0x0000000005490000-0x0000000005491000-memory.dmp

memory/4896-26-0x00000000054E0000-0x00000000054E1000-memory.dmp

memory/4896-25-0x00000000054F0000-0x00000000054F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000147001\swiiiii.exe

MD5 1c7d0f34bb1d85b5d2c01367cc8f62ef
SHA1 33aedadb5361f1646cffd68791d72ba5f1424114
SHA256 e9e09c5e5d03d21fca820bd9b0a0ea7b86ab9e85cdc9996f8f1dc822b0cc801c
SHA512 53bf85d2b004f69bbbf7b6dc78e5f021aba71b6f814101c55d3bf76e6d058a973bc58270b6b621b2100c6e02d382f568d1e96024464e8ea81e6db8ccd948679d

memory/2452-46-0x0000000000FC0000-0x0000000001012000-memory.dmp

memory/2452-47-0x0000000072E30000-0x00000000735E1000-memory.dmp

memory/912-50-0x0000000000400000-0x000000000044C000-memory.dmp

memory/912-53-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2452-54-0x0000000003480000-0x0000000005480000-memory.dmp

memory/912-55-0x0000000000400000-0x000000000044C000-memory.dmp

memory/2452-56-0x0000000072E30000-0x00000000735E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000148001\alexxxxxxxx.exe

MD5 31841361be1f3dc6c2ce7756b490bf0f
SHA1 ff2506641a401ac999f5870769f50b7326f7e4eb
SHA256 222393a4ab4b2ae83ca861faee6df02ac274b2f2ca0bed8db1783dd61f2f37ee
SHA512 53d66fa19e8db360042dadc55caaa9a1ca30a9d825e23ed2a58f32834691eb2aaaa27a4471e3fc4d13e201accc43160436ed0e9939df1cc227a62a09a2ae0019

memory/232-73-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\trf.exe

MD5 20ae0bb07ba77cb3748aa63b6eb51afb
SHA1 87c468dc8f3d90a63833d36e4c900fa88d505c6d
SHA256 daf6ae706fc78595f0d386817a0f8a3a7eb4ec8613219382b1cbaa7089418e7d
SHA512 db315e00ce2b2d5a05cb69541ee45aade4332e424c4955a79d2b7261ab7bd739f02dc688224f031a7a030c92fa915d029538e236dbd3c28b8d07d1265a52e5b2

C:\Users\Admin\AppData\Roaming\configurationValue\keks.exe

MD5 0c582da789c91878ab2f1b12d7461496
SHA1 238bd2408f484dd13113889792d6e46d6b41c5ba
SHA256 a6ab532816fbb0c9664c708746db35287aaa85cbb417bef2eafcd9f5eaf7cf67
SHA512 a1b7c5c13462a7704ea2aea5025d1cb16ddd622fe1e2de3bbe08337c271a4dc8b9be2eae58a4896a7df3ad44823675384dbc60bdc737c54b173909be7a0a086a

memory/4976-95-0x0000000000010000-0x0000000000062000-memory.dmp

memory/4976-96-0x0000000004E90000-0x0000000005436000-memory.dmp

memory/4976-97-0x00000000049E0000-0x0000000004A72000-memory.dmp

memory/4976-99-0x0000000004AA0000-0x0000000004AAA000-memory.dmp

memory/3240-100-0x00000000005B0000-0x0000000000670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000149001\gold.exe

MD5 b22521fb370921bb5d69bf8deecce59e
SHA1 3d4486b206e8aaac14a3cf201c5ac152a2a7d4ea
SHA256 b30d10e292f89f4d288839974f71f6b703d6d9a9ae698ea172a2b64364e77158
SHA512 1f7d64ba5266314ed18f577f0984706c21f4f48e8cdb069130e4435c2bcdf219f8dd27e4d3bf3a373f4db4c01e30efe8d7f4d87f4d8cbbbeaf9c7043f685994c

C:\Users\Admin\AppData\Local\Temp\Tmp6E0C.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/4976-124-0x0000000005540000-0x00000000055B6000-memory.dmp

memory/4976-129-0x0000000005D10000-0x0000000005D2E000-memory.dmp

memory/4976-133-0x0000000006450000-0x0000000006A68000-memory.dmp

memory/4976-137-0x0000000006020000-0x0000000006032000-memory.dmp

memory/4976-136-0x00000000060E0000-0x00000000061EA000-memory.dmp

memory/4604-139-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4976-138-0x0000000006080000-0x00000000060BC000-memory.dmp

memory/4604-140-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4976-141-0x00000000061F0000-0x000000000623C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000150001\NewB.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

C:\Users\Admin\AppData\Local\Temp\1000152001\jok.exe

MD5 8510bcf5bc264c70180abe78298e4d5b
SHA1 2c3a2a85d129b0d750ed146d1d4e4d6274623e28
SHA256 096220045877e456edfea1adcd5bf1efd332665ef073c6d1e9474c84ca5433f6
SHA512 5ff0a47f9e14e22fc76d41910b2986605376605913173d8ad83d29d85eb79b679459e2723a6ad17bc3c3b8c9b359e2be7348ee1c21fa2e8ceb7cc9220515258d

memory/3240-192-0x000000001C150000-0x000000001C1C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1230210488-3096403634-4129516247-1000\76b53b3ec448f7ccdda2063b15d2bfc3_bb42cecb-ddb7-43e2-9d9f-40e8c5d10e5c

MD5 1b047ade2debacee150044b85bdda4f0
SHA1 8ba55334fda81664264268031bd751b01010b5e5
SHA256 69f41a4030c8fe8734a72aa35aa692edd7c3a567a65f2ad3aa733156a79751af
SHA512 0fb334f5ce7dec91ff32c223abafe45ab3f7fda6bfd7f9eaa65328ec9e2091861496c96f7a9ab7ea38f9fdbfc0613de65754d8900c2b6932b1523a3b119cf174

memory/3240-194-0x000000001C1F0000-0x000000001C20E000-memory.dmp

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 ed101832ceaee42ec4357f5bdc136bc3
SHA1 555976e70e434e3946b3c824eabaa6ecba896346
SHA256 d5e0a74939b5130bc370b13e2f8b51086af2638ed4ec5b8fb37a297247ebdaa3
SHA512 4e7d9a9deb3354f2db760ce70b108e0e7da055d8fc7a873d5c4ef3d290f1d419c278e2d2ea57e8ab7863bbfb8e85387bb28a178f2db0a16014e0578039b928d8

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 efa296fc2eb40f11a5597c7c7b4d0189
SHA1 cc94acc5b60e2539935f09e6381bf3eaa2f4852c
SHA256 f4ae3573adfadd441ea2a348f9a4a5be5aaef593aa174940e6f9490cbadddfaa
SHA512 fe2511752a43f99ca4604130edf0bc4bd5e68a79fac5d358b1db1e395271e2ea409b3c01ce0c677bbce52b1e6c8a0f61e4e50afee8b614e42a56475bac1bd7e3

memory/4064-193-0x0000000000C40000-0x0000000000C92000-memory.dmp

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 fdc1fe71cbd265a6de2fc295744206ce
SHA1 0e2b36738af978a24e72c4e26bca818dd4197394
SHA256 d6832062e6c0c8310bc6c85b42e49e6ccb6130c175767ad447c7111d4e18bff7
SHA512 22d4ab52a0136a8ed868452ef0adaed012a6eb0e6717bcac1af7361520b4ee675ecf1d4ddfb4f513ecad4682c087d57a2b608b4e2b784f1fedb388b9b2fa902f

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 46c5fd7e6f97d996ca441da4ff2b127e
SHA1 7b18e87c53085b9def72be6a5d9cc00ecfd770f1
SHA256 26c0dd07b4d069a3432174449fb5600a37f94badfbcdd10e08616f9916df2215
SHA512 249ccd60e9c92c8391f1a12fd120d8651c7030aa6e8d5536d08f9043f297632be9e1bb9ce0cbebb489527c68264b87186ee65c4b529260d4a051ecaac309d80a

C:\Users\Admin\AppData\Local\Temp\1000153001\swiiii.exe

MD5 586f7fecacd49adab650fae36e2db994
SHA1 35d9fb512a8161ce867812633f0a43b042f9a5e6
SHA256 cf88d499c83da613ad5ccd8805822901bdc3a12eb9b15804aeff8c53dc05fc4e
SHA512 a44a2c99d18509681505cf70a251baf2558030a8648d9c621acc72fafcb2f744e3ef664dfd0229baf7c78fb72e69f5d644c755ded4060dcafa7f711d70e94772

memory/4672-239-0x0000000000050000-0x000000000007E000-memory.dmp

memory/2072-242-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2072-245-0x0000000000400000-0x000000000063B000-memory.dmp

memory/4896-246-0x0000000000070000-0x0000000000523000-memory.dmp

memory/4976-248-0x0000000006330000-0x0000000006396000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000231001\lie.exe

MD5 24dd75b0a7bb9a0e0918ee0dd84a581a
SHA1 de796b237488df3d26a99aa8a78098c010aeb2c9
SHA256 878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d
SHA512 53f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\cred64.dll

MD5 f35b671fda2603ec30ace10946f11a90
SHA1 059ad6b06559d4db581b1879e709f32f80850872
SHA256 83e3df5bec15d5333935bea8b719a6d677e2fb3dc1cf9e18e7b82fd0438285c7
SHA512 b5fa27d08c64727cef7fdda5e68054a4359cd697df50d70d1d90da583195959a139066a6214531bbc5f20cd4f9bc1ca3e4244396547381291a6a1d2df9cf8705

memory/2072-283-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uog.0.exe

MD5 3b577ad55734b8ab5e8362c15fdcb327
SHA1 5ce0b10cc6ad018ff59a28da1ca2b43608742ee6
SHA256 2c1f6bfc7bd1e82f941ca19a108bc7bc455b1d140becddd151d6f9c119104ad6
SHA512 ec2178ba7b47b7be8bc41f4f46aca4fd5259631c89084b3f1ef56d7564fe0a42c48fb774b8ad22ee6c95bb01bea0a010460d5effa6d3635d3b94b7f780eb1791

memory/3680-306-0x0000000000400000-0x0000000002AF3000-memory.dmp

memory/4976-327-0x0000000006EC0000-0x0000000006F10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uog.1.zip

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

C:\Users\Admin\AppData\Local\Temp\uog.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\uog.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

C:\Users\Admin\AppData\Local\Temp\uog.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

C:\Users\Admin\AppData\Local\Temp\uog.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

memory/3012-425-0x000000006B680000-0x000000006B7FD000-memory.dmp

memory/3012-426-0x00007FFC3ED40000-0x00007FFC3EF49000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uog.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/880-435-0x0000000000400000-0x0000000002B1F000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r5ejki2w.kba.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1832-453-0x0000022B7F7B0000-0x0000022B7F7D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uog.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/4976-475-0x0000000007220000-0x00000000073E2000-memory.dmp

memory/4976-476-0x0000000007920000-0x0000000007E4C000-memory.dmp

memory/880-478-0x0000000000400000-0x0000000002B1F000-memory.dmp

memory/3012-483-0x000000006B680000-0x000000006B7FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\de114a4

MD5 63ff730e73638ad456fbd15d232c9baa
SHA1 4d71ede2c65562c1ad141458431ab370ce33ad0f
SHA256 fe21f44a1ce27c31f43c9823dff12140b567d691dc64520ead802a0df8f81130
SHA512 aa7b105aa8d5e459c514f1a9030e5d8e3e0dc37b79bf0ca5c2ffb3fd4db204a7baa1374d126f08ad072cb0e67bda3b8fb608a4a6edcb067ec0c81e995a520cfb

C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll

MD5 154c3f1334dd435f562672f2664fea6b
SHA1 51dd25e2ba98b8546de163b8f26e2972a90c2c79
SHA256 5f431129f97f3d56929f1e5584819e091bd6c854d7e18503074737fc6d79e33f
SHA512 1bca69bbcdb7ecd418769e9d4befc458f9f8e3cee81feb7316bb61e189e2904f4431e4cc7d291e179a5dec441b959d428d8e433f579036f763bbad6460222841

memory/4720-497-0x0000000002480000-0x00000000024D1000-memory.dmp

memory/980-500-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4720-517-0x0000000000400000-0x00000000005C4000-memory.dmp

memory/4896-516-0x0000000000070000-0x0000000000523000-memory.dmp

memory/4896-520-0x0000000000070000-0x0000000000523000-memory.dmp

memory/980-518-0x0000000000400000-0x0000000002AFA000-memory.dmp

memory/2276-532-0x00000000029F0000-0x0000000002A26000-memory.dmp

memory/3084-519-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/2276-533-0x0000000005300000-0x000000000592A000-memory.dmp

C:\ProgramData\CFIEBKEH

MD5 658cb566f062f009c3a83549a6a035d5
SHA1 482ed689d99cda2e4276c0bac404ec7cab9e0aec
SHA256 ace73c9e991f0d223954a1ebec43a526b5f0fcf674188eaaa8af29d989bf21e4
SHA512 cc424f8c3478af5f146d0df31a2e705c357f3ca59c0d767aabac7ab0badbaf4cfa73f73934a2e9be358a588333860812d3c914fc054f740cf12e430fd35bcc0a

memory/2276-535-0x0000000005930000-0x0000000005996000-memory.dmp

memory/2276-534-0x0000000005200000-0x0000000005222000-memory.dmp

C:\ProgramData\KFCBAEHC

MD5 87210e9e528a4ddb09c6b671937c79c6
SHA1 3c75314714619f5b55e25769e0985d497f0062f2
SHA256 eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1
SHA512 f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

memory/2276-536-0x0000000005A10000-0x0000000005D67000-memory.dmp

C:\ProgramData\freebl3.dll

MD5 f278257dc9b8268669cad8a1b2ba79c2
SHA1 709d62da0fcb4aa347f4faf7874d61a0d1e819b1
SHA256 48f36b97edb7dc30bcbd9d08d665bccd975490f39a2f38e9d5e3a3f754abb500
SHA512 453d1e2564e462eadc50e292f4bbfbd8a79bee6a657dfa0b0e4a4c0a34eda08ed8e3c00439a40738513e1ec12b2231e7c476fe382f03389dc58294c6ad88114b

memory/2276-551-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

memory/1892-553-0x00007FFC3ED40000-0x00007FFC3EF49000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 3016af45a4c7045b394c9a131197754e
SHA1 04ddb46a00ec97a965f199fdc80bb5eb1088a5c0
SHA256 077707610bbfd5f1e371e5eebbf263de599863ae3fe3c3ca93bbe8a70eb3aedc
SHA512 1bae6407a7870c2e0720b548b4e9b5855d2a1b155ad13be48173fb3625abe4141b94d1fbbbc32f177b5646dfe929de863e9bd68794c344cda5b304e927b01244

memory/2276-560-0x0000000070B20000-0x0000000070B6C000-memory.dmp

memory/2276-561-0x000000006B920000-0x000000006BC77000-memory.dmp

memory/2276-559-0x00000000070F0000-0x0000000007124000-memory.dmp

memory/2276-571-0x0000000007130000-0x00000000071D4000-memory.dmp

memory/2276-570-0x00000000070D0000-0x00000000070EE000-memory.dmp

memory/2276-576-0x0000000007270000-0x000000000728A000-memory.dmp

memory/2276-575-0x00000000078B0000-0x0000000007F2A000-memory.dmp

memory/2276-577-0x00000000072F0000-0x00000000072FA000-memory.dmp

C:\ProgramData\msvcp140.dll

MD5 2f99217812fea1bec79417dabaec35ec
SHA1 0fb53f126b6b6c3ca330f1e8111d68398784a82c
SHA256 960d0511de26778f49988300b169cae2d76cda3a7df89d775ade3c4a1c7264ac
SHA512 f261f4ce412179937e75058ff176959589503d0ba3b43f9a1cf299e69a3cc3779134defe8648eba9e3af5e970ffed600dc4c93c5bdb49395d451fcd7f3d774f7

memory/2276-583-0x0000000007520000-0x00000000075B6000-memory.dmp

memory/2276-589-0x0000000007480000-0x0000000007491000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 bdb49604ad7146981d2ff5c13e565442
SHA1 e52c12f4caf47c84207705253708fa3aed08ae8c
SHA256 c832ceb6e7812ca9a8b4347919ac844cc682b28117cb05c2e724bd4ef31c617e
SHA512 e0a1841405c7f2edcef7e60d33697fe7ac39eef3493e933aeec2c12351a775d0516abd1bc04d6801f00676528a82f2f003331c14e98234cc1e14ad16d9d601f8

memory/2276-597-0x00000000074A0000-0x00000000074AE000-memory.dmp

memory/2276-598-0x00000000074B0000-0x00000000074C5000-memory.dmp

memory/2276-599-0x00000000074F0000-0x000000000750A000-memory.dmp

memory/1832-601-0x0000022B7F4C0000-0x0000022B7F4CA000-memory.dmp

memory/1832-600-0x0000022B7F840000-0x0000022B7F852000-memory.dmp

memory/2276-608-0x0000000007510000-0x0000000007518000-memory.dmp

memory/4720-609-0x0000000002480000-0x00000000024D1000-memory.dmp

C:\ProgramData\nss3.dll

MD5 850a06b0f2ba21d0bb154aed00b69db3
SHA1 82f4e4921aa97d3af4323ccc9ef4049210aff984
SHA256 84ea62cb868eba53bb43953bf623676db958cc15a3c26c4d63a9f1e483d3fd89
SHA512 9615408879787672393d5e205f596cb800217150679c76cb1fe4b37bd0d6be61057e9b4502a376e8bb253a2eea5e647c5655316543b9954b56aa4f581bbda391

memory/3084-618-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/4896-621-0x0000000000070000-0x0000000000523000-memory.dmp

memory/4536-623-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/980-622-0x0000000000400000-0x0000000002AFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 072cc7e3f755ae9108251e7fddbd00fa
SHA1 d9511ce691c8660b9dfa5df6c41a81bbba2c5be2
SHA256 720733ee10bc743643f54e6302bb9b2ba45e20c5af57f462cc5101a98437943c
SHA512 6a25c6c008cdee556cfe0a87d1979ba7ae5495e1eec7d08b5f6b6f72d8cd927df3ac4254ef40569becbe3e5681fd679cd6ecd19ec355029187889ba9b25eec42

memory/1892-634-0x000000006B680000-0x000000006B7FD000-memory.dmp

memory/4536-637-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2076-638-0x000001F7228D0000-0x000001F7261C8000-memory.dmp

memory/2076-639-0x000001F740AA0000-0x000001F740BB0000-memory.dmp

memory/2076-641-0x000001F727FE0000-0x000001F727FEC000-memory.dmp

memory/2076-640-0x000001F727FC0000-0x000001F727FD0000-memory.dmp

memory/2076-642-0x000001F727FD0000-0x000001F727FE4000-memory.dmp

memory/2076-643-0x000001F728070000-0x000001F728094000-memory.dmp

memory/4896-644-0x0000000000070000-0x0000000000523000-memory.dmp

memory/2076-648-0x000001F7280B0000-0x000001F7280DA000-memory.dmp

memory/2076-650-0x000001F740D00000-0x000001F740D7A000-memory.dmp

memory/2076-651-0x000001F740D80000-0x000001F740DE2000-memory.dmp

memory/2076-649-0x000001F7408E0000-0x000001F740992000-memory.dmp

memory/2076-647-0x000001F728090000-0x000001F72809A000-memory.dmp

memory/2076-652-0x000001F727FA0000-0x000001F727FAA000-memory.dmp

memory/2076-656-0x000001F740EE0000-0x000001F7411E0000-memory.dmp

C:\ProgramData\softokn3.dll

MD5 27eb36fa1707297feff5ea7b4ef57eb3
SHA1 b92923a04fe709b0a988a28599fb0b8c22fc7a4d
SHA256 89b223f9095a6f018b05499e1fde07275d567462d720aa3c454ddc5d6325c2d9
SHA512 01950eb1d4e5bef997f9d72b4552839bc9e9413a7ae9e2bf2bbf8b6b479e4ad853da27c18c0f5da909a91ace842e04848c42659d05231591b6f4cdf5e89a8957

memory/2076-662-0x000001F745280000-0x000001F745288000-memory.dmp

memory/2076-664-0x000001F7451D0000-0x000001F7451DE000-memory.dmp

memory/2076-663-0x000001F745200000-0x000001F745238000-memory.dmp

memory/2076-666-0x000001F745B70000-0x000001F745B92000-memory.dmp

memory/2076-665-0x000001F745B60000-0x000001F745B6A000-memory.dmp

memory/2076-667-0x000001F7460C0000-0x000001F7465E8000-memory.dmp

memory/2076-671-0x000001F7458E0000-0x000001F7458EC000-memory.dmp

memory/2076-670-0x000001F745930000-0x000001F745980000-memory.dmp

C:\ProgramData\vcruntime140.dll

MD5 24a1064c29865c39c55cbf9dc9b4f322
SHA1 1368e2a81f7595683d628bf4c5241847acac3417
SHA256 4095f5926b3296aff4af06c9b6787250f912da05f4d589d35924038c0e3fa7ef
SHA512 244a112641f8e0ccff1c7ff342a76b0aaca8c2cc133eab29dc8941a812fca84dc6418d5f15569a00ffc023402dbcc8cdf2fe2a0c5fb288d50d862ceb2669df99

memory/2744-690-0x00000000718E0000-0x0000000072BF7000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/2744-708-0x0000000000D00000-0x0000000000DC6000-memory.dmp

memory/2744-709-0x0000000005240000-0x000000000524A000-memory.dmp

memory/980-710-0x0000000000400000-0x0000000002AFA000-memory.dmp

memory/4896-711-0x0000000000070000-0x0000000000523000-memory.dmp

memory/576-720-0x0000000005D40000-0x0000000006097000-memory.dmp

memory/576-721-0x00000000061E0000-0x000000000622C000-memory.dmp

memory/576-722-0x00000000732E0000-0x000000007332C000-memory.dmp

memory/576-723-0x0000000072F60000-0x00000000732B7000-memory.dmp

memory/4896-738-0x0000000000070000-0x0000000000523000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 d0c46cad6c0778401e21910bd6b56b70
SHA1 7be418951ea96326aca445b8dfe449b2bfa0dca6
SHA256 9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512 057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 22d3b7ccf40a90b8ccfb60e745f0ce76
SHA1 7aa9400dcbace0b37b46cf040407da89660fda17
SHA256 69e223cf3860cdd0729edc203d68d08f9b2cc66fd1588eb55c3fa54129ccbebc
SHA512 203e064046732bbeede2e3c02f7a687b447f2dabdc78d7056806bd58b3cac27b843a2c795f782533e81ebf203c58e2b251ee9586dc68abbf364f4f552987550d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8b7bb1d9ac956973a89bec8c7d5ff9f2
SHA1 e612776460a9e5f312e9de87474fb74574ff1697
SHA256 882d038092eaed60c1e90fb06ac22a97c94f89e99d75e537d54380beb11f6bf1
SHA512 6126ea698a245d145120ba742edaa69bea96b2ffc03e73617a5337aec7f9ef954d44707a8faf7f3613ccbae6f6f54a006a691ac3a97363037606db3e3801b3ff

C:\Windows\rss\csrss.exe

MD5 6ed714c1a56743f32ed097b0b79e1be2
SHA1 dc6cd1493016221d853ba8cb84623aee5fc7fde1
SHA256 18cbd445ca637b452e9ca89911ab9b30f0adf60a35c2569a42ae13dcd5a44bf9
SHA512 a1a6a1abda4504859b0a0c21bf2e41485c608a01038f207c6636bf191cc824cbe9ce2fd02e247737e32904e5b89b2b88830af3daf024d8da8d5fbf7521e1005c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6262d970cc32d5f715d6991c364cd1c8
SHA1 582ef81870ec9c35b378124bb029a41e8aa5bdbd
SHA256 fdcfe945a2b5f9758956f247354149181dff7e6b0e46ad71760ace7e308242b5
SHA512 6f661a1af550c9107a3d09bc0af8010896f6a45f8060eb319b1e664d3855ce1770b0396d3a6406cc7a598ec9e5c3ad19b63410f8af2c1a12a5e864a3930b8234

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 64820a560a6be7675c9422d944cb0e15
SHA1 70e245698449da934c3be72b8d65bb7678b824a8
SHA256 cc69478606a89ca89ac0d2c620aabc32db60f5f64976d9c0a2d01bc653e14c34
SHA512 13e68591b4dbcb090a7687760804e61d47ef542044db0eb7a3ee50f55d3a571911f6eb628af9c194a6c01cd93899181749b863937d4789890a3bea5cbdd911cc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bc2d8ee9f052a27dc5a93a8883375962
SHA1 f8c29cbd6b44b834021bbf4edadc098d3d891c4c
SHA256 36202a0c445dbb2d1ea01e7932bbfb00b8dfe9151d7ba06580f5e2ffa7c3395c
SHA512 89f928b114fec5b8fbb3986063cbf920809bda4b8f2be7ef92e0c0e364558472b827890f65adca77986c04c9315c9a8c73baf50aad29c416c64ac7e41dcdc604

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec