Malware Analysis Report

2024-12-08 01:42

Sample ID 240427-ts8eksch53
Target NewB.exe
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
Tags
amadey dcrat glupteba sectoprat smokeloader stealc zgrat backdoor bootkit discovery dropper evasion infostealer loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226

Threat Level: Known bad

The file NewB.exe was found to be: Known bad.

Malicious Activity Summary

amadey dcrat glupteba sectoprat smokeloader stealc zgrat backdoor bootkit discovery dropper evasion infostealer loader persistence rat spyware stealer trojan

Glupteba payload

SectopRAT

Stealc

Amadey family

Detect ZGRat V1

Windows security bypass

SmokeLoader

DcRat

SectopRAT payload

ZGRat

Glupteba

Modifies boot configuration data using bcdedit

Modifies Installed Components in the registry

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Downloads MZ/PE file

Checks computer location settings

Reads data files stored by FTP clients

Loads dropped DLL

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-27 16:20

Signatures

Amadey family

amadey

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-27 16:20

Reported

2024-04-27 16:22

Platform

win10v2004-20240419-en

Max time kernel

94s

Max time network

44s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewB.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\NewB.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 616 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\NewB.exe

C:\Users\Admin\AppData\Local\Temp\NewB.exe

C:\Users\Admin\AppData\Local\Temp\NewB.exe

C:\Users\Admin\AppData\Local\Temp\NewB.exe

Network

Country Destination Domain Proto
DE 185.172.128.19:80 tcp
DE 185.172.128.19:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-27 16:20

Reported

2024-04-27 16:23

Platform

win7-20240221-en

Max time kernel

131s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NewB.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\4767d2e713f2021e8fe856e3ea638b58.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\7DBA.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 908 set thread context of 2672 N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 set thread context of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20240427162043.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u1x4.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u1x4.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1x4.0.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1400 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 1400 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 1400 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 1400 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Windows\SysWOW64\schtasks.exe
PID 1400 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 1400 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 1400 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 1400 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 1400 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 1400 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 1400 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe
PID 1400 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
PID 1400 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
PID 1400 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
PID 1400 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe
PID 1400 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
PID 1400 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
PID 1400 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
PID 1400 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\NewB.exe C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe
PID 2488 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.0.exe
PID 2488 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.0.exe
PID 2488 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.0.exe
PID 2488 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.0.exe
PID 2488 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe
PID 2488 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe
PID 2488 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe
PID 2488 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe
PID 2488 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe
PID 2488 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe
PID 2488 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe
PID 2488 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe
PID 2488 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe
PID 2488 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe
PID 2488 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe
PID 908 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 908 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 1012 N/A N/A C:\Windows\system32\cmd.exe
PID 1408 wrote to memory of 1012 N/A N/A C:\Windows\system32\cmd.exe
PID 1408 wrote to memory of 1012 N/A N/A C:\Windows\system32\cmd.exe
PID 2332 wrote to memory of 1816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\NewB.exe
PID 2332 wrote to memory of 1816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\NewB.exe
PID 2332 wrote to memory of 1816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\NewB.exe
PID 2332 wrote to memory of 1816 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\NewB.exe
PID 1012 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1012 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 1012 wrote to memory of 2652 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 908 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 3060 N/A N/A C:\Windows\system32\cmd.exe
PID 1408 wrote to memory of 3060 N/A N/A C:\Windows\system32\cmd.exe
PID 1408 wrote to memory of 3060 N/A N/A C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3060 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3060 wrote to memory of 1544 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2672 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1384 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1384 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1384 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\NewB.exe

"C:\Users\Admin\AppData\Local\Temp\NewB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN NewB.exe /TR "C:\Users\Admin\AppData\Local\Temp\NewB.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe"

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Users\Admin\AppData\Local\Temp\u1x4.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1x4.0.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240427162043.log C:\Windows\Logs\CBS\CbsPersist_20240427162043.cab

C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe

"C:\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe"

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

"C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe"

C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe

"C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {8C41AD5D-085A-4A39-8F62-3F1CB1A43A08} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\F9A.bat" "

C:\Users\Admin\AppData\Local\Temp\NewB.exe

C:\Users\Admin\AppData\Local\Temp\NewB.exe

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\5A61.bat" "

C:\Windows\system32\reg.exe

reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\NewB.exe

C:\Users\Admin\AppData\Local\Temp\NewB.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\7DBA.exe

C:\Users\Admin\AppData\Local\Temp\7DBA.exe

C:\Users\Admin\AppData\Local\Temp\8098.exe

C:\Users\Admin\AppData\Local\Temp\8098.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x59c

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Network

Country Destination Domain Proto
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 file-host-host0.com udp
RU 194.87.210.219:80 file-host-host0.com tcp
US 8.8.8.8:53 parrotflight.com udp
US 104.21.84.71:443 parrotflight.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 junglethomas.com udp
US 172.67.197.33:443 junglethomas.com tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 note.padd.cn.com udp
RO 176.97.76.106:80 note.padd.cn.com tcp
DE 185.172.128.62:80 185.172.128.62 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 194.87.210.219:80 trad-einmyus.com tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.244:80 download.iolo.net tcp
FR 185.93.2.244:443 download.iolo.net tcp
US 8.8.8.8:53 sdfjhuz.com udp
MX 189.141.134.164:80 sdfjhuz.com tcp
US 8.8.8.8:53 www.cartomatto.com udp
IT 89.46.110.32:443 www.cartomatto.com tcp
IT 89.46.110.32:443 www.cartomatto.com tcp
US 8.8.8.8:53 rajflowers.com udp
IN 111.118.215.174:443 rajflowers.com tcp
IN 111.118.215.174:443 rajflowers.com tcp
US 8.8.8.8:53 nessotechbd.com udp
US 192.185.16.114:443 nessotechbd.com tcp
US 192.185.16.114:443 nessotechbd.com tcp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.200.14:443 drive.google.com tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 file.emailfucker.club udp
NL 91.92.253.69:80 tcp
DE 185.172.128.62:80 185.172.128.62 tcp
RU 91.215.85.66:15647 tcp
DE 185.149.146.222:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
NL 185.154.13.143:80 tcp
US 8.8.8.8:53 c3d7a4bb-3866-4841-b096-ccb98dc578f8.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 transfer.adttemp.com.br udp
US 104.196.109.209:443 transfer.adttemp.com.br tcp
US 104.196.109.209:443 transfer.adttemp.com.br tcp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
BG 94.232.45.38:80 94.232.45.38 tcp
RU 193.233.132.187:80 193.233.132.187 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\1000228001\ISetup8.exe

MD5 73f40e4d6b322bf4d7c8b18d120af5c7
SHA1 533e7400d1264fe8fb740366e700c035224f83d1
SHA256 9317408100896c9251defb1a2f2cfca2627ac72dce9f4d7f0d5c3bfdc736e179
SHA512 c1e2e2cfa9dc2f829c7bdda1af9dd432a19ff8f3818a1a3ad1b73d6f08f666cbf5cbfb6573e75a7cb0b5288aeccfda6927e5723337a0e822b892fb1d6f280260

C:\Users\Admin\AppData\Local\Temp\1000229001\toolspub1.exe

MD5 2c8f5e7a9e670c3850b2de0d2f3758b2
SHA1 42409c886411ce73c1d6f07bbae47bf8f2db713c
SHA256 bc113ed2bff68b7cf9dd805ec562bffc04fbadcf75a16df1ec6fcfa6b479f5ce
SHA512 1237d9fbc5cfd97e2377c56143a100daeeff8e71ffa90c4fa7227eab94b3edf841e8ca8b68a8ed8c18d9cc03457a4c246a98147ab317079650bcf88877211454

C:\Users\Admin\AppData\Local\Temp\1000230001\4767d2e713f2021e8fe856e3ea638b58.exe

MD5 6ed714c1a56743f32ed097b0b79e1be2
SHA1 dc6cd1493016221d853ba8cb84623aee5fc7fde1
SHA256 18cbd445ca637b452e9ca89911ab9b30f0adf60a35c2569a42ae13dcd5a44bf9
SHA512 a1a6a1abda4504859b0a0c21bf2e41485c608a01038f207c6636bf191cc824cbe9ce2fd02e247737e32904e5b89b2b88830af3daf024d8da8d5fbf7521e1005c

\Users\Admin\AppData\Local\Temp\u1x4.0.exe

MD5 3b577ad55734b8ab5e8362c15fdcb327
SHA1 5ce0b10cc6ad018ff59a28da1ca2b43608742ee6
SHA256 2c1f6bfc7bd1e82f941ca19a108bc7bc455b1d140becddd151d6f9c119104ad6
SHA512 ec2178ba7b47b7be8bc41f4f46aca4fd5259631c89084b3f1ef56d7564fe0a42c48fb774b8ad22ee6c95bb01bea0a010460d5effa6d3635d3b94b7f780eb1791

memory/1332-68-0x0000000003300000-0x00000000036F8000-memory.dmp

memory/1408-85-0x0000000002550000-0x0000000002566000-memory.dmp

memory/2612-86-0x0000000000400000-0x0000000002AF3000-memory.dmp

memory/2488-89-0x0000000000400000-0x0000000002B1F000-memory.dmp

memory/1732-91-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\U1X41~1.ZIP

MD5 78d3ca6355c93c72b494bb6a498bf639
SHA1 2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e
SHA256 a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001
SHA512 1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

\Users\Admin\AppData\Local\Temp\u1x4.2\run.exe

MD5 9fb4770ced09aae3b437c1c6eb6d7334
SHA1 fe54b31b0db8665aa5b22bed147e8295afc88a03
SHA256 a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3
SHA512 140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

C:\Users\Admin\AppData\Local\Temp\u1x4.2\relay.dll

MD5 10d51becd0bbce0fab147ff9658c565e
SHA1 4689a18112ff876d3c066bc8c14a08fd6b7b7a4a
SHA256 7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed
SHA512 29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

memory/1616-204-0x0000000003050000-0x0000000003448000-memory.dmp

memory/1332-205-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1x4.2\whale.dbf

MD5 a723bf46048e0bfb15b8d77d7a648c3e
SHA1 8952d3c34e9341e4425571e10f22b782695bb915
SHA256 b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422
SHA512 ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

memory/1732-209-0x0000000000400000-0x0000000002AFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1x4.3.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

C:\Users\Admin\AppData\Local\Temp\u1x4.2\bunch.dat

MD5 1e8237d3028ab52821d69099e0954f97
SHA1 30a6ae353adda0c471c6ed5b7a2458b07185abf2
SHA256 9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742
SHA512 a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

memory/2488-226-0x0000000000400000-0x0000000002B1F000-memory.dmp

memory/908-240-0x00000000738C0000-0x0000000073A34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u1x4.2\UIxMarketPlugin.dll

MD5 d1ba9412e78bfc98074c5d724a1a87d6
SHA1 0572f98d78fb0b366b5a086c2a74cc68b771d368
SHA256 cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15
SHA512 8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

memory/908-241-0x00000000773A0000-0x0000000077549000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F9A.bat

MD5 55cc761bf3429324e5a0095cab002113
SHA1 2cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256 d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA512 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

memory/1384-260-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1732-251-0x0000000000400000-0x0000000002AFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 c6d91e344d40daf770619e4b23022777
SHA1 5c3785ac50ef2d0ed9c3bff8ea47d8bf181929f6
SHA256 c5fa42bfc9c125a173c6380f1c11868d3dc7e7939cb07d672ef8ee2bf11cf382
SHA512 6cb7f6111741ea09ce1654c8db0d5e581ed7ee23e4497f89a6a7dde0678a704323b8f24351d7d54c3ca09d09ecc897d344c5df6fac24d8f15f14b64818e0da06

memory/908-277-0x00000000738C0000-0x0000000073A34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\210fd6b8

MD5 bf9ca379b76c6d143560c6f541ca01ef
SHA1 0ca27578897d77420783fb875875f57ef1844b34
SHA256 e0c57fdfc5db93d63637a16588cae781a735a6a83d4086e852bdc17b9a98fbe7
SHA512 66f11ca01ec59951b62acddff6dd436bbb7901e0ab31b31c681c68046dde0846b8d9996564f636662e13f502eba43aaf590e7f16de91decfb63e177ded142045

memory/2672-280-0x00000000773A0000-0x0000000077549000-memory.dmp

memory/1384-327-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2672-339-0x00000000738C0000-0x0000000073A34000-memory.dmp

memory/2032-346-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2032-345-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 b59fa018a74c63735571be4f6698c14b
SHA1 13dd1b7718fd0625fa21ed0c6d327995580d6cb7
SHA256 4f9f5c0b1f3032178f7b128dd6197218215b0d721f25c54d8a46e629412ca151
SHA512 448985f3d98bceaae799e3571c919a1cc75f76984b3a9569aabd3efb448314ccf9d60ff8652dce36fc0cbba1e5df1cd9b03a5dc2b718581abc2a6381bf6ceadd

memory/2032-343-0x0000000072620000-0x0000000073682000-memory.dmp

memory/1384-356-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2044-357-0x0000000000C50000-0x0000000004548000-memory.dmp

memory/2032-358-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1732-361-0x0000000000400000-0x0000000002AFA000-memory.dmp

memory/2044-369-0x000000001EE00000-0x000000001EF10000-memory.dmp

memory/2044-370-0x00000000001A0000-0x00000000001B0000-memory.dmp

memory/2044-371-0x00000000003E0000-0x00000000003EC000-memory.dmp

memory/2044-375-0x00000000003D0000-0x00000000003E4000-memory.dmp

memory/2044-376-0x000000001E540000-0x000000001E564000-memory.dmp

memory/2044-378-0x0000000005C80000-0x0000000005C8A000-memory.dmp

memory/2044-379-0x000000001E680000-0x000000001E6AA000-memory.dmp

memory/2044-389-0x000000001F370000-0x000000001F422000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpBB16.tmp

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

memory/2044-390-0x000000001F1D0000-0x000000001F24A000-memory.dmp

memory/2044-391-0x00000000005B0000-0x0000000000612000-memory.dmp

memory/2044-392-0x0000000000170000-0x000000000017A000-memory.dmp

memory/2044-396-0x000000001F820000-0x000000001FB20000-memory.dmp

memory/2044-405-0x0000000000190000-0x000000000019A000-memory.dmp

memory/2044-404-0x0000000000190000-0x000000000019A000-memory.dmp

memory/1732-398-0x0000000000400000-0x0000000002AFA000-memory.dmp

memory/1616-399-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/1616-421-0x0000000000400000-0x0000000002EDD000-memory.dmp

memory/112-426-0x0000000003220000-0x0000000003618000-memory.dmp

memory/1732-428-0x0000000000400000-0x0000000002AFA000-memory.dmp

memory/2044-430-0x0000000000C20000-0x0000000000C42000-memory.dmp

memory/2044-429-0x0000000000590000-0x000000000059A000-memory.dmp

memory/2044-433-0x0000000000C40000-0x0000000000C4C000-memory.dmp

memory/2044-438-0x0000000000190000-0x000000000019A000-memory.dmp

memory/2044-437-0x0000000000190000-0x000000000019A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\81950f7e7cbd108086cf2da3a401afdfffc60d9b485aac5dd52f7a137c00f950\5f02821b3b014a4a9a6208d949f0d125.tmp

MD5 e2fcbe6249e5facd593ec7fe15155ddf
SHA1 e4a1e1e277cd9acd5eac7c2a463096f4a9332888
SHA256 ea9276b6d452c317fd51c6b7fd9b7179bf477493cc4751ac7f94731297fecf10
SHA512 ab1254b3efcf6b3869064005be6b0d612e616851347112fd80b7232000c3f779ac13a2c617f9d5b30b683cd9180d8623694b31ffa69ad3996f2c59fd861d8c0b

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/2880-450-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2880-465-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 76054224f1450055e41baf5f1035f43d
SHA1 65b88ba52c426d98d155a6752fd0cf531b07ac98
SHA256 0ea95e59bac41ab2fc10ec7f93e1c5063e5ba85853179442e05417052c7610fa
SHA512 4f73ef9785a76fb9e132c9d4a9f8cac28aa2bf82f18357fe50ea5c200ba715654c19d9f9e26ff26498324e6f0a7824e41a096286cf17a5757670dd6299af3fd1

C:\Users\Admin\AppData\Local\Temp\Cab4CF8.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar5074.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar5183.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 7a9126da05051a261ee301834e383799
SHA1 7ea01d58e39ce7afc9d777574651fa6104aa3a43
SHA256 4c88b5eb5fbba88247e698fb117f87e0259de9b2980efe34a50b58dbc26e551a
SHA512 47d515c34bf2f60ee9ac286911955c81a52980925b27863520303747b746f4742c768fd4758d78f64d2d41861c7cb9764e3c5dd4f8c4b29e366593909cfbb6b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/112-536-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7DBA.exe

MD5 9185b776b7a981d060b0bb0d7ffed201
SHA1 427982fb520c099e8d2e831ace18294ade871aff
SHA256 91a45c416324ed3a8c184e349214e7c82d6df0df4fe6d06f3c7818c0d322373b
SHA512 cb46ca0c3156dc7b177fdb73869e13b229cbab8918dbb4b61a854765313fc9526aa5d7b944aa4b9acb77717c5ffd8fe955ba4eb48d75e2528ec844bfcf4aa5e8

C:\Users\Admin\AppData\Local\Temp\8098.exe

MD5 76cc1840745c9cce9eaa409d1ebb11c1
SHA1 bd438dd999190b467dad2bdfa8377510ddec4b37
SHA256 3001ba1834dec1ebf51bea5245f8cd2c7c9421a80258a83a829cb1492acba10a
SHA512 5a895f47471b697a6ffc51cd3acd731a11c725210d4e6a038a965051cabcf70ce3f498502544fc944e7bccf1be40e1314a049bc32b55bd37fc9d3c1ab50cc793

memory/1408-553-0x00000000021C0000-0x00000000021C1000-memory.dmp

memory/2960-555-0x0000000000400000-0x0000000002B11000-memory.dmp

memory/112-556-0x0000000000400000-0x0000000002EDD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

memory/112-591-0x0000000000400000-0x0000000002EDD000-memory.dmp