Malware Analysis Report

2024-11-30 20:08

Sample ID 240509-dgaq6shf59
Target 6fbe36ef1d6599968f107c7b6eb19225.bin
SHA256 505605b429f8062d45de5fcae156f055a44f3becbc94637d7037e18e1c5c33cb
Tags
glupteba stealc zgrat discovery dropper evasion execution loader persistence ransomware rat rootkit stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

505605b429f8062d45de5fcae156f055a44f3becbc94637d7037e18e1c5c33cb

Threat Level: Known bad

The file 6fbe36ef1d6599968f107c7b6eb19225.bin was found to be: Known bad.

Malicious Activity Summary

glupteba stealc zgrat discovery dropper evasion execution loader persistence ransomware rat rootkit stealer trojan upx

ZGRat

Stealc

Detect ZGRat V1

Glupteba

UAC bypass

Windows security bypass

Glupteba payload

Modifies boot configuration data using bcdedit

Drops file in Drivers directory

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Drops startup file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Adds Run key to start application

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Modifies system certificate store

System policy modification

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 02:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 02:58

Reported

2024-05-09 03:00

Platform

win7-20240220-en

Max time kernel

146s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\TsbzrGwdFeGowf8aDwNbXsvi.exe = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A

ZGRat

rat zgrat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NVFHYqknkEZoUtnsdDhxDDDr.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSJGAzxcsSuGHsntvBWauSpe.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4hp3uuru7iT9S7cq9CyMxNFP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Iym9SxCjIUWn14n5iKuXKmHC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5RIQhQfN3oY2k2tn3IiV1IWc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KHRF44Ek620QxpnapStFjJlW.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZteNRohBcWLkPTgxH6Mc4ZoA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe N/A
N/A N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe N/A
N/A N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe N/A
N/A N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe N/A
N/A N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe N/A
N/A N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe N/A
N/A N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe N/A
N/A N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
N/A N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\TsbzrGwdFeGowf8aDwNbXsvi.exe = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2076 set thread context of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240509025827.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u28c.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u28c.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u28c.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u28c.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u28c.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-22 = "Cape Verde Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-272 = "Greenwich Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-491 = "India Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-11 = "Azores Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-572 = "China Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c495131
72f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
N/A N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
N/A N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
N/A N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
N/A N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
N/A N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
N/A N/A C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe N/A
N/A N/A C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
N/A N/A C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
N/A N/A C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
N/A N/A C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
N/A N/A C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
N/A N/A C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe N/A
N/A N/A C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe N/A
N/A N/A C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe N/A
N/A N/A C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe N/A
N/A N/A C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe N/A
N/A N/A C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2076 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\system32\WerFault.exe
PID 2076 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\system32\WerFault.exe
PID 2076 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\system32\WerFault.exe
PID 2360 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe
PID 2360 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe
PID 2360 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe
PID 2360 wrote to memory of 2892 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe
PID 2360 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe
PID 2360 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe
PID 2360 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe
PID 2360 wrote to memory of 1584 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe
PID 2892 wrote to memory of 2408 N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe C:\Users\Admin\AppData\Local\Temp\u28c.0.exe
PID 2892 wrote to memory of 2408 N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe C:\Users\Admin\AppData\Local\Temp\u28c.0.exe
PID 2892 wrote to memory of 2408 N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe C:\Users\Admin\AppData\Local\Temp\u28c.0.exe
PID 2892 wrote to memory of 2408 N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe C:\Users\Admin\AppData\Local\Temp\u28c.0.exe
PID 2892 wrote to memory of 1628 N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe C:\Windows\system32\bcdedit.exe
PID 2892 wrote to memory of 1628 N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe C:\Windows\system32\bcdedit.exe
PID 2892 wrote to memory of 1628 N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe C:\Windows\system32\bcdedit.exe
PID 2892 wrote to memory of 1628 N/A C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe C:\Windows\system32\bcdedit.exe
PID 412 wrote to memory of 2580 N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 2580 N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 2580 N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe C:\Windows\system32\cmd.exe
PID 412 wrote to memory of 2580 N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe C:\Windows\system32\cmd.exe
PID 2580 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2580 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2580 wrote to memory of 2680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2360 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe
PID 2360 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe
PID 2360 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe
PID 2360 wrote to memory of 2428 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe
PID 412 wrote to memory of 2884 N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe C:\Windows\rss\csrss.exe
PID 412 wrote to memory of 2884 N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe C:\Windows\rss\csrss.exe
PID 412 wrote to memory of 2884 N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe C:\Windows\rss\csrss.exe
PID 412 wrote to memory of 2884 N/A C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe C:\Windows\rss\csrss.exe
PID 2360 wrote to memory of 1772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe
PID 2360 wrote to memory of 1772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe
PID 2360 wrote to memory of 1772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe
PID 2360 wrote to memory of 1772 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe
PID 2360 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe
PID 2360 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe
PID 2360 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe
PID 2360 wrote to memory of 2068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe
PID 2884 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2884 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2884 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 2884 wrote to memory of 2984 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 1628 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\u28c.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1628 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\u28c.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1628 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\u28c.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2076 -s 928

C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe

"C:\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe"

C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe

"C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240509025827.log C:\Windows\Logs\CBS\CbsPersist_20240509025827.cab

C:\Users\Admin\AppData\Local\Temp\u28c.0.exe

"C:\Users\Admin\AppData\Local\Temp\u28c.0.exe"

C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe

"C:\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe"

C:\Users\Admin\AppData\Local\Temp\u28c.1.exe

"C:\Users\Admin\AppData\Local\Temp\u28c.1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe

"C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe

"C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe"

C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe

"C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe"

C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe

"C:\Users\Admin\Pictures\rl11hFeWSeDmRkt0XxA8ZDBw.exe"

C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe

"C:\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe

"C:\Users\Admin\Pictures\ToHkvPghXOiWf3lY32FtQzCI.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.4.235:443 pastebin.com tcp
US 8.8.8.8:53 nic-it.nl udp
US 8.8.8.8:53 onlycitylink.com udp
US 8.8.8.8:53 onlycitylink.com udp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 yip.su udp
RU 193.233.132.234:80 tcp
RU 193.233.132.234:80 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 104.21.18.166:443 onlycitylink.com tcp
US 172.67.182.192:443 onlycitylink.com tcp
US 172.67.193.79:443 realdeepai.org tcp
US 104.21.90.14:443 realdeepai.org tcp
US 104.21.79.77:443 yip.su tcp
DE 138.201.79.103:80 nic-it.nl tcp
US 8.8.8.8:53 jonathantwo.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 jonathantwo.com udp
US 104.21.31.124:443 jonathantwo.com tcp
US 104.21.60.76:443 firstfirecar.com tcp
US 104.21.31.124:443 jonathantwo.com tcp
US 172.67.193.220:443 firstfirecar.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.248:80 download.iolo.net tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 server1.datadumpcloud.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 162.159.130.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.104:443 server1.datadumpcloud.org tcp
US 8.8.8.8:53 carsalessystem.com udp
DE 185.172.128.150:80 tcp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 udp
US 20.157.87.45:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.9.155.145:443 tcp
N/A 20.9.155.145:443 tcp
BG 185.82.216.104:443 server1.datadumpcloud.org tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.150:80 tcp
BG 185.82.216.104:443 server1.datadumpcloud.org tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.150:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
DE 185.172.128.150:80 tcp

Files

memory/2076-0-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/2076-1-0x0000000000DE0000-0x0000000000E0A000-memory.dmp

memory/2076-2-0x0000000000850000-0x00000000008AE000-memory.dmp

memory/2076-3-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2360-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2360-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2360-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2360-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/1976-21-0x000000001B570000-0x000000001B852000-memory.dmp

memory/1976-22-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

memory/1976-20-0x0000000002A00000-0x0000000002A80000-memory.dmp

memory/2360-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2360-12-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2360-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2360-8-0x0000000000400000-0x0000000000408000-memory.dmp

\Users\Admin\Pictures\9MrQ8w3pipoP41OdO4F1hwSC.exe

MD5 830ca2606715fd6b7e3c505e48fb3981
SHA1 4ee89fbbdd4982120f5223bbbd6c5e2a14f3f178
SHA256 c5e99a29023acdc26c1acc3313f38be017cf2d254e4a95af68cd246bbd9f45a7
SHA512 2474047b586574857ad4d1d51ed70db41e3f9cb748d9efeb85f8ca486037d578cb71acb5a788f32c2f6017276d62d826be8638b2c8e26d8b6e16146a611b805a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3682.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

\Users\Admin\Pictures\TsbzrGwdFeGowf8aDwNbXsvi.exe

MD5 f5f50605dde6046858bbd38295e10734
SHA1 49023dd468951c62e763d81201da16c0160a8814
SHA256 5e78965522de207305a894b1aa7643cc44238b52ee2f1532e4e7f9270648b68d
SHA512 fb8fc4e8756b8f761651bf30ca1e8d06e77c7f42f78ce30aa947244246363a65fc2caba12c7c55bb91cb7db118e11cffe7459c7a1bf99116f2e9a30ea755c9cf

memory/1584-135-0x0000000004220000-0x0000000004618000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u28c.0.exe

MD5 8a9a1b742b75353c203f733b24d071ff
SHA1 1e390f6625abeaf1b8155ed4a356547047429c01
SHA256 ab5504a33a8bc3ac59151aa8c10e03600eca853df87a8080e3fdff8b0dc409f1
SHA512 df684e2538811b4c71df55493502bf6736a419ea61e45bac6f40e9efd6504e19a214382ac2ab692c082dff69923124df54e3a820529e7c2ddf5e962fdf5ea78d

memory/1584-153-0x0000000000400000-0x0000000002957000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 28430753db73a8194ce1ead98641d5ef
SHA1 b05539d6a9df697edf6f51a810b8f04f749dbde6
SHA256 c5a1209560ccc8fabec87adf6cccf0b7ca9bc4fe590055707476a5e9db319d6a
SHA512 d9786c983f021796dd69618eb0a5c035ceacb96fb2c9a78fbe9380556a465b3f110b4363e99de2719300f3d09177a25785e2813b609f93f2bca7fc5501a2ed9b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

memory/412-189-0x0000000004200000-0x00000000045F8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0e00427208781642b076a1c8ac581466
SHA1 a18bc250d713a8df69fbd4626da7d96a6522d33a
SHA256 fbe9d70c692f8dc002b8f6c1987a8d7fd1ab9a870b492b30ee5da6d34648769e
SHA512 386e13957baff6bed1cc826b6907592e48001bfd564a5989a3319f63591573361fe9a871894cbc44c9f0df6e7b9783fd969da3ceb3790a298083dc5873fef2ed

C:\Users\Admin\AppData\Local\Temp\u28c.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/2892-236-0x0000000000400000-0x0000000002597000-memory.dmp

\Users\Admin\Pictures\Qbjc6qw2j57sXt3AlV26zP8N.exe

MD5 a4a8dc8b0e657d58f55b5ea1a52650e3
SHA1 69475443fc00e3ba6a4d2c0f9aa498f2fae90cc0
SHA256 bf2dbea28bbe31217a2d7fde93ab43179a1d745e301b7e4195c0eb7c5a5a3eb3
SHA512 4f8b0be2127d9e70fca3bd051897f52f9a3567be468f2d8dc9cf93e5a90b85bf9bc15cd2706842d4b829b3230af6677b5a0f233791e05f1a767c70f2ad013416

memory/412-260-0x0000000000400000-0x0000000002957000-memory.dmp

memory/2428-287-0x0000000004130000-0x0000000004528000-memory.dmp

memory/2884-292-0x00000000041A0000-0x0000000004598000-memory.dmp

memory/1772-293-0x00000000041D0000-0x00000000045C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 3aaf1cbbdadfd5212409f4e270d7e6f8
SHA1 d1e9fc3eda0bba080833a7398f890d36b46fe9bc
SHA256 776af717dc17ccc5594af5e42cf20bc7d564efba258a11c4f936deef37f8a2e5
SHA512 fe943d98931cb40088c176722f508abd0b16d740cb86c7b0d3c4131a8393054edaccb86a773d73c1b9dad60ed9904bfa4b31409858e69bbf49ff17e4fc791eae

memory/2068-305-0x00000000042B0000-0x00000000046A8000-memory.dmp

memory/1772-308-0x0000000000400000-0x0000000002957000-memory.dmp

memory/1548-309-0x0000000004300000-0x00000000046F8000-memory.dmp

memory/2428-313-0x0000000000400000-0x0000000002957000-memory.dmp

memory/1924-314-0x00000000042C0000-0x00000000046B8000-memory.dmp

memory/2068-317-0x0000000000400000-0x0000000002957000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1548-326-0x0000000000400000-0x0000000002957000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/1628-333-0x0000000000400000-0x00000000008AD000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

memory/3032-335-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 719ff16ea8987bc3bbec40cd5230aa0a
SHA1 40555e02ed7fb112490573284e53c6859bba83e0
SHA256 2c47b704cb6cc1978279fa5642ea0f529d14852c57fa3db9d38a01f109fd2bf9
SHA512 664cdc4759f2a1c1f481aa730b453a9f22b986508b5e3e5048b35d52b6ae51026f202b01d9b53fc42ad94e55e1075a91c754a285c367993dcaf18ce2f2607864

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/3032-357-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2884-358-0x0000000000400000-0x0000000002957000-memory.dmp

memory/1924-349-0x0000000000400000-0x0000000002957000-memory.dmp

memory/2408-332-0x0000000000400000-0x0000000002574000-memory.dmp

memory/992-327-0x0000000004380000-0x0000000004778000-memory.dmp

memory/992-359-0x0000000000400000-0x0000000002957000-memory.dmp

memory/1628-376-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2496-377-0x00000000003F0000-0x0000000003C24000-memory.dmp

memory/2496-416-0x0000000003D40000-0x0000000003D4C000-memory.dmp

memory/2496-417-0x0000000003CF0000-0x0000000003D04000-memory.dmp

memory/2496-418-0x0000000005880000-0x00000000058A4000-memory.dmp

memory/2496-430-0x000000001F3E0000-0x000000001F492000-memory.dmp

memory/2496-429-0x000000001E2F0000-0x000000001E31A000-memory.dmp

memory/2496-428-0x000000001DDE0000-0x000000001DDEA000-memory.dmp

memory/2496-435-0x000000001DDF0000-0x000000001DDFA000-memory.dmp

memory/2496-415-0x0000000003CE0000-0x0000000003CF0000-memory.dmp

memory/2496-407-0x000000001ED00000-0x000000001EE0A000-memory.dmp

memory/2496-439-0x000000001FDF0000-0x00000000200F0000-memory.dmp

memory/2496-449-0x000000001E320000-0x000000001E32A000-memory.dmp

memory/2076-448-0x000007FEF5693000-0x000007FEF5694000-memory.dmp

memory/2496-452-0x000000001E540000-0x000000001E562000-memory.dmp

memory/2496-451-0x000000001EB60000-0x000000001EBC2000-memory.dmp

memory/2496-450-0x000000001E430000-0x000000001E43A000-memory.dmp

memory/2496-455-0x000000001EA40000-0x000000001EA4C000-memory.dmp

memory/2076-456-0x000007FEF5690000-0x000007FEF607C000-memory.dmp

memory/2884-464-0x0000000000400000-0x0000000002957000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\bd92d7984d802ff9a1e24336bd1ccb4209c69a1bd116225cd9479ac9d0f516c4\b4f6d847ff9d4aa1b98739a1d49b1d66.tmp

MD5 d5e961881da5ac74bffc364eef9a632d
SHA1 364b64c175eb374e55b3bbb582f1f0b570e15a58
SHA256 b0e155b3f069a065a005ce1c71743d98aa23471e1c4af7c28e73129a7d9827b0
SHA512 4dfa9f63b37c1a178c22d322f30c5bd046adb361e8140d403b0775daafa786d21346646512d9b98388638cd8886fc59cbe6a6d9e698b577178575b28e2e71395

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

memory/2884-481-0x0000000000400000-0x0000000002957000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

memory/2884-503-0x0000000000400000-0x0000000002957000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2248-509-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1656-512-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2248-513-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2408-514-0x0000000000400000-0x0000000002574000-memory.dmp

memory/1656-515-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2884-519-0x0000000000400000-0x0000000002957000-memory.dmp

memory/2884-524-0x0000000000400000-0x0000000002957000-memory.dmp

memory/2884-527-0x0000000000400000-0x0000000002957000-memory.dmp

memory/1656-528-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2884-530-0x0000000000400000-0x0000000002957000-memory.dmp

memory/2408-535-0x0000000000400000-0x0000000002574000-memory.dmp

memory/2884-538-0x0000000000400000-0x0000000002957000-memory.dmp

memory/2884-541-0x0000000000400000-0x0000000002957000-memory.dmp

memory/1656-542-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2884-549-0x0000000000400000-0x0000000002957000-memory.dmp

memory/2884-552-0x0000000000400000-0x0000000002957000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-09 02:58
Reported: 2024-05-09 03:01
Platform: win10v2004-20240226-en
Max time kernel: 66s
Max time network: 158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"

Signatures

Detect ZGRat V1

3 hits; no description, indicator, process or target recorded.

Glupteba

loader dropper glupteba

Glupteba payload

24 hits; no description, indicator, process or target recorded.

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe (4 events) N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6yQbrQi0sv0G2TdJ7vwQEAk7.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OsszhNJbAfoyEZa52VjekIny.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hgmZp3SlbDWyGE4tyOX9sZH3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\diB4k3H7knkkHYsLRIKl2S2x.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6mXSr85Z8pFoSrUXkIPn7vic.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bETkp0CAqB5odeTh5hAT6BVl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BwaCChzBdPyCVrxSXUAIHXHT.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4028 set thread context of 320 N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4028 wrote to memory of 3996 (2 events) N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4028 wrote to memory of 320 (8 events) N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4028 wrote to memory of 3796 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 320 wrote to memory of 3128 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\76rQIBXB9tgY2uy68cp90h7C.exe
PID 320 wrote to memory of 1712 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Vp64UwtDs5acXvXL2pp0uf6K.exe
PID 320 wrote to memory of 1996 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\2htccXJDHMut0zfN238yw0Dd.exe
PID 320 wrote to memory of 4196 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ZBJN4arHrVsEOzqKTXFsaZVI.exe
PID 320 wrote to memory of 4552 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\78U9Lg3sTRdvRg6Zj0o0ElyM.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe

"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4160 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\Pictures\Vp64UwtDs5acXvXL2pp0uf6K.exe

"C:\Users\Admin\Pictures\Vp64UwtDs5acXvXL2pp0uf6K.exe"

C:\Users\Admin\Pictures\2htccXJDHMut0zfN238yw0Dd.exe

"C:\Users\Admin\Pictures\2htccXJDHMut0zfN238yw0Dd.exe"

C:\Users\Admin\Pictures\ZBJN4arHrVsEOzqKTXFsaZVI.exe

"C:\Users\Admin\Pictures\ZBJN4arHrVsEOzqKTXFsaZVI.exe"

C:\Users\Admin\Pictures\76rQIBXB9tgY2uy68cp90h7C.exe

"C:\Users\Admin\Pictures\76rQIBXB9tgY2uy68cp90h7C.exe"

C:\Users\Admin\Pictures\78U9Lg3sTRdvRg6Zj0o0ElyM.exe

"C:\Users\Admin\Pictures\78U9Lg3sTRdvRg6Zj0o0ElyM.exe"

C:\Users\Admin\AppData\Local\Temp\u2ew.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2ew.0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u2ew.1.exe

"C:\Users\Admin\AppData\Local\Temp\u2ew.1.exe"

C:\Users\Admin\Pictures\ZBJN4arHrVsEOzqKTXFsaZVI.exe

"C:\Users\Admin\Pictures\ZBJN4arHrVsEOzqKTXFsaZVI.exe"

C:\Users\Admin\Pictures\78U9Lg3sTRdvRg6Zj0o0ElyM.exe

"C:\Users\Admin\Pictures\78U9Lg3sTRdvRg6Zj0o0ElyM.exe"

C:\Users\Admin\Pictures\2htccXJDHMut0zfN238yw0Dd.exe

"C:\Users\Admin\Pictures\2htccXJDHMut0zfN238yw0Dd.exe"

C:\Users\Admin\Pictures\Vp64UwtDs5acXvXL2pp0uf6K.exe

"C:\Users\Admin\Pictures\Vp64UwtDs5acXvXL2pp0uf6K.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile
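
The signature and process tables above record one coherent chain: the sample sets EnableLUA to 0 so UAC stops prompting, excludes its own path from Defender both by writing the Exclusions\Paths key directly and by running Add-MpPreference, starts jsc.exe (the .NET JScript compiler, which normally takes a source file and spawns nothing) with no arguments and then targets it with SetThreadContext and WriteProcessMemory, which is the process-hollowing pattern; the hollowed jsc.exe then drops .bat files into the Startup folder and launches the Pictures\*.exe payloads, and netsh adds an inbound allow rule for C:\Windows\rss\csrss.exe, a binary outside any system directory whose name mimics the real csrss.exe. What follows is an added example, not code from the sandbox vendor or from this report: a small Python rule set that turns those observations into detections over Sysmon-style events. The event dictionaries, their field names and the PIDs 5100 and 5200 on the netsh rows are constructed for the example; the paths, commands and registry values are copied from the tables above, and a constructed benign netsh row shows the firewall rule not firing on a Program Files binary.

```python
import re
from collections import Counter

# Constructed Sysmon-style events modelled on the Signatures and Processes
# tables of this report. Field names and the PIDs 5100/5200 are assumptions
# for this example; paths, commands and registry values come from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ca70a19b730b569ccdd5a903f7cbb98a0ac40a62a77b3d817b65c0f0c9a37620.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JSC = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
NETSH = r"C:\Windows\system32\netsh.exe"
CMD = r"C:\Windows\system32\cmd.exe"
DEFENDER_PATHS = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"

SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3996, "image": PS64, "parent": SAMPLE,
     "cmdline": f'"{PS64}" Add-MpPreference -ExclusionPath "{SAMPLE}" -Force'},
    {"type": "reg_set", "pid": 4028, "image": SAMPLE, "value": "0",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"},
    {"type": "reg_set", "pid": 4028, "image": SAMPLE, "value": "0", "key": DEFENDER_PATHS + "\\" + SAMPLE},
    {"type": "process_create", "pid": 320, "image": JSC, "parent": SAMPLE, "cmdline": f'"{JSC}"'},
    {"type": "set_thread_context", "pid": 4028, "image": SAMPLE, "target_pid": 320},
    {"type": "file_create", "pid": 320, "image": JSC,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6yQbrQi0sv0G2TdJ7vwQEAk7.bat"},
    {"type": "process_create", "pid": 3128, "image": r"C:\Users\Admin\Pictures\76rQIBXB9tgY2uy68cp90h7C.exe",
     "parent": JSC, "cmdline": r'"C:\Users\Admin\Pictures\76rQIBXB9tgY2uy68cp90h7C.exe"'},
    {"type": "process_create", "pid": 5100, "image": NETSH, "parent": CMD,
     "cmdline": r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'},
    # Benign control (constructed): an allow rule for a Program Files binary must not fire.
    {"type": "process_create", "pid": 5200, "image": NETSH, "parent": CMD,
     "cmdline": r'netsh advfirewall firewall add rule name="Teams" dir=in action=allow program="C:\Program Files\Teams\Teams.exe" enable=yes'},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")


def rule_uac_disabled(ev):
    """EnableLUA written as 0: UAC prompting switched off (the 'UAC bypass' signature)."""
    return (ev["type"] == "reg_set" and ev["value"] == "0"
            and ev["key"].lower().endswith("\\policies\\system\\enablelua"))


def rule_defender_exclusion(ev):
    """Exclusion path added directly in the registry or through Add-MpPreference."""
    if ev["type"] == "reg_set":
        return "\\windows defender\\exclusions\\paths\\" in ev["key"].lower()
    if ev["type"] == "process_create":
        c = ev["cmdline"].lower()
        return "add-mppreference" in c and "-exclusionpath" in c
    return False


def rule_firewall_allow_nonstandard(ev):
    """netsh inbound allow rule whose program lives outside the system and Program Files directories."""
    if ev["type"] != "process_create" or not ev["image"].lower().endswith("\\netsh.exe"):
        return False
    c = ev["cmdline"].lower()
    if not ("advfirewall" in c and "add rule" in c and "action=allow" in c):
        return False
    m = re.search(r'program="([^"]+)"', ev["cmdline"], re.I)
    return m is not None and not m.group(1).lower().startswith(SYSTEM_DIRS)


def rule_startup_bat(ev):
    """Batch file dropped into the per-user Startup folder (persistence)."""
    p = ev.get("path", "").lower()
    return ev["type"] == "file_create" and "\\start menu\\programs\\startup\\" in p and p.endswith(".bat")


def rule_child_of_jsc(ev):
    """A user-profile executable spawned by jsc.exe, which compiles JScript and spawns nothing itself."""
    return (ev["type"] == "process_create" and ev["parent"].lower().endswith("\\jsc.exe")
            and "\\users\\" in ev["image"].lower() and ev["image"].lower().endswith(".exe"))


def rule_hollowed_jsc(ev, events):
    """SetThreadContext into a jsc.exe that was started with no arguments: the hollowing sequence."""
    if ev["type"] != "set_thread_context":
        return False
    target = next((e for e in events if e["type"] == "process_create" and e["pid"] == ev["target_pid"]), None)
    if target is None or not target["image"].lower().endswith("\\jsc.exe"):
        return False
    return target["cmdline"].strip().strip('"') == target["image"]


PER_EVENT_RULES = {
    "uac_disabled": rule_uac_disabled,
    "defender_exclusion": rule_defender_exclusion,
    "firewall_allow_nonstandard_binary": rule_firewall_allow_nonstandard,
    "startup_folder_bat": rule_startup_bat,
    "child_of_jsc": rule_child_of_jsc,
}


def evaluate(events):
    """Return one finding dict per (event, rule) match."""
    findings = []
    for ev in events:
        hits = [name for name, rule in PER_EVENT_RULES.items() if rule(ev)]
        if rule_hollowed_jsc(ev, events):
            hits.append("process_hollowing_jsc")
        findings.extend({"rule": h, "pid": ev["pid"], "image": ev["image"]} for h in hits)
    return findings


def summarize(events):
    """Rule name -> number of matching events."""
    return dict(Counter(f["rule"] for f in evaluate(events)))


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f['rule']:36} pid={f['pid']:<5} {f['image']}")
```

Each rule is deliberately behavioural rather than hash-based: the random file names in Pictures\ change per run, but an argument-less jsc.exe receiving a thread-context write, a Defender exclusion for a Temp path, or an allow rule for a binary under C:\Windows\rss\ do not.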

Network

Country Destination          Domain                         Proto
US      8.8.8.8:53           77.190.18.2.in-addr.arpa       udp
US      8.8.8.8:53           133.211.185.52.in-addr.arpa    udp
US      13.107.253.64:443    -                              tcp
US      8.8.8.8:53           26.165.165.52.in-addr.arpa     udp
US      8.8.8.8:53           198.187.3.20.in-addr.arpa      udp
US      8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US      8.8.8.8:53           pastebin.com                   udp
US      104.20.3.235:443     pastebin.com                   tcp
US      8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US      8.8.8.8:53           235.3.20.104.in-addr.arpa      udp
US      8.8.8.8:53           74.32.126.40.in-addr.arpa      udp
US      8.8.8.8:53           onlycitylink.com               udp
US      8.8.8.8:53           nic-it.nl                      udp
US      8.8.8.8:53           yip.su                         udp
US      8.8.8.8:53           realdeepai.org                 udp
DE      185.172.128.59:80    185.172.128.59                 tcp
RU      193.233.132.234:80   -                              tcp
RU      193.233.132.234:80   -                              tcp
US      172.67.182.192:443   onlycitylink.com               tcp
US      172.67.169.89:443    yip.su                         tcp
US      172.67.182.192:443   onlycitylink.com               tcp
US      104.21.90.14:443     realdeepai.org                 tcp
US      104.21.90.14:443     realdeepai.org                 tcp
DE      138.201.79.103:80    nic-it.nl                      tcp
US      8.8.8.8:53           firstfirecar.com               udp
US      8.8.8.8:53           jonathantwo.com                udp
US      172.67.176.131:443   jonathantwo.com                tcp
US      172.67.176.131:443   jonathantwo.com                tcp
US      172.67.193.220:443   firstfirecar.com               tcp
US      172.67.193.220:443   firstfirecar.com               tcp
US      8.8.8.8:53           192.182.67.172.in-addr.arpa    udp
US      8.8.8.8:53           89.169.67.172.in-addr.arpa     udp
US      8.8.8.8:53           59.128.172.185.in-addr.arpa    udp
US      8.8.8.8:53           14.90.21.104.in-addr.arpa      udp
US      8.8.8.8:53           103.79.201.138.in-addr.arpa    udp
US      8.8.8.8:53           131.176.67.172.in-addr.arpa    udp
US      8.8.8.8:53           220.193.67.172.in-addr.arpa    udp
US      8.8.8.8:53           232.168.11.51.in-addr.arpa     udp
DE      185.172.128.90:80    185.172.128.90                 tcp
US      8.8.8.8:53           90.128.172.185.in-addr.arpa    udp
DE      185.172.128.228:80   185.172.128.228                tcp
DE      185.172.128.59:80    185.172.128.59                 tcp
US      8.8.8.8:53           228.128.172.185.in-addr.arpa   udp
DE      185.172.128.228:80   185.172.128.228                tcp
DE      185.172.128.150:80   -                              tcp
US      8.8.8.8:53           svc.iolo.com                   udp
US      20.157.87.45:80      svc.iolo.com                   tcp
US      8.8.8.8:53           183.142.211.20.in-addr.arpa    udp
US      8.8.8.8:53           45.87.157.20.in-addr.arpa      udp
US      8.8.8.8:53           203.142.123.92.in-addr.arpa    udp
DE      185.172.128.150:80   -                              tcp
US      8.8.8.8:53           download.iolo.net              udp
FR      185.93.2.244:443     download.iolo.net              tcp
US      20.157.87.45:80      svc.iolo.com                   tcp
DE      185.172.128.150:80   -                              tcp
DE      185.172.128.150:80   -                              tcp
US      8.8.8.8:53           130.109.69.13.in-addr.arpa     udp

(- : no domain recorded for the connection)

Files

memory/4028-0-0x00007FF894143000-0x00007FF894145000-memory.dmp

memory/4028-1-0x000001EC6E840000-0x000001EC6E86A000-memory.dmp

memory/4028-2-0x00007FF894140000-0x00007FF894C01000-memory.dmp

memory/4028-3-0x000001EC70770000-0x000001EC707CE000-memory.dmp

memory/3996-4-0x00007FF894140000-0x00007FF894C01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ajfksskg.xwl.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3996-11-0x0000021AECE40000-0x0000021AECE62000-memory.dmp

memory/3996-15-0x00007FF894140000-0x00007FF894C01000-memory.dmp

memory/3996-16-0x00007FF894140000-0x00007FF894C01000-memory.dmp

memory/4028-17-0x00007FF894143000-0x00007FF894145000-memory.dmp

memory/3996-18-0x00007FF894140000-0x00007FF894C01000-memory.dmp

memory/320-19-0x0000000000400000-0x0000000000408000-memory.dmp
