Malware Analysis Report

2024-11-15 08:44

Sample ID 240510-brglcsae6v
Target 5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe
SHA256 5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f
Tags
glupteba stealc zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f

Threat Level: Known bad

The file 5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe was found to be: Known bad.

Malicious Activity Summary

glupteba stealc zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer trojan upx

Stealc

ZGRat

Windows security bypass

Detect ZGRat V1

Glupteba payload

Glupteba

UAC bypass

Detects executables containing URLs to raw contents of a Github gist

Detect binaries embedding considerable number of MFA browser extension IDs.

Detects Windows executables referencing non-Windows User-Agents

Modifies boot configuration data using bcdedit

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables packed with or using KoiVM

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

UPX dump on OEP (original entry point)

Detects encrypted or obfuscated .NET executables

Detects executables containing artifacts associated with disabling Windows Defender

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables (downloaders) containing URLs to raw contents of a paste

Detects executables containing a Discord URL observed in first stage droppers

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Drops startup file

UPX packed file

Windows security modification

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Reads data files stored by FTP clients

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

Manipulates WinMon driver.

Adds Run key to start application

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Program crash

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

System policy modification

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 01:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 01:22

Reported

2024-05-10 01:25

Platform

win7-20240215-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\F2LuyPGDl9UMeeJs2PsL6d5n.exe = "0" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\NgBlONli6MyRcs4oApFuwB8v.exe = "0" C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\jHsi51dPIgen6vovr3mGN3oR.exe = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A

ZGRat

rat zgrat

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables (downloaders) containing URLs to raw contents of a paste

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with or using KoiVM

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bqX4q2Ol7i2x6LtRT9ii8jDx.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Vw1F77jpda3oHTLysmBWaFlB.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sWWuA1OMhPKZfhd8EiGm0dsB.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SwALkCMNGnliOTuthGFP0FYz.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ceGhCFpaJCT3oBaNQbliicQH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6uBeO7l90pZW3tqkvqgqSTKS.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trGkd00f0jbJCeyWQkYQKYDL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
N/A N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
N/A N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe N/A
N/A N/A C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe N/A
N/A N/A C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe N/A
N/A N/A C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe N/A
N/A N/A C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe N/A
N/A N/A C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe N/A
N/A N/A C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe N/A
N/A N/A C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1s0.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1s0.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\F2LuyPGDl9UMeeJs2PsL6d5n.exe = "0" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\NgBlONli6MyRcs4oApFuwB8v.exe = "0" C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\jHsi51dPIgen6vovr3mGN3oR.exe = "0" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240510012244.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1s0.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1s0.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u1s0.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u1s0.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u1s0.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob elided] C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
N/A N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
N/A N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
N/A N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
N/A N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
N/A N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
N/A N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
N/A N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
N/A N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
N/A N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
N/A N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
N/A N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
N/A N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
N/A N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
N/A N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
N/A N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
N/A N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
N/A N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
N/A N/A C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A
N/A N/A C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A
N/A N/A C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A
N/A N/A C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A
N/A N/A C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A
N/A N/A C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u1s0.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1772 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1772 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
PID 1772 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1772 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1772 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1772 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1772 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1772 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1772 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1772 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1772 wrote to memory of 2712 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
PID 1772 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\system32\WerFault.exe
PID 1772 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\system32\WerFault.exe
PID 1772 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\system32\WerFault.exe
PID 2712 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe
PID 2712 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe
PID 2712 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe
PID 2712 wrote to memory of 1500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe
PID 2712 wrote to memory of 708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe
PID 2712 wrote to memory of 708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe
PID 2712 wrote to memory of 708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe
PID 2712 wrote to memory of 708 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe
PID 2712 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe
PID 2712 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe
PID 2712 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe
PID 2712 wrote to memory of 2136 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe
PID 2712 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe
PID 2712 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe
PID 2712 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe
PID 2712 wrote to memory of 2304 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe
PID 2320 wrote to memory of 2960 N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 2960 N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 2960 N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 2960 N/A C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe C:\Windows\system32\cmd.exe
PID 2960 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2960 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2960 wrote to memory of 2768 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2804 wrote to memory of 2944 N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 2944 N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 2944 N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe C:\Windows\system32\cmd.exe
PID 2804 wrote to memory of 2944 N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe C:\Windows\system32\cmd.exe
PID 2944 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2944 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2944 wrote to memory of 2780 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe
PID 2804 wrote to memory of 2820 N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe C:\Windows\rss\csrss.exe
PID 2804 wrote to memory of 2820 N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe C:\Windows\rss\csrss.exe
PID 2804 wrote to memory of 2820 N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe C:\Windows\rss\csrss.exe
PID 2804 wrote to memory of 2820 N/A C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe C:\Windows\rss\csrss.exe
PID 2604 wrote to memory of 1740 N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 1740 N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 1740 N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe C:\Windows\system32\cmd.exe
PID 2604 wrote to memory of 1740 N/A C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1772 -s 848

C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe

"C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe"

C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe

"C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240510012244.log C:\Windows\Logs\CBS\CbsPersist_20240510012244.cab

C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe

"C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe"

C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe

"C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe"

C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe

"C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe"

C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe

"C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe

"C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe"

C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe

"C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe

"C:\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\u1s0.0.exe

"C:\Users\Admin\AppData\Local\Temp\u1s0.0.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\u1s0.1.exe

"C:\Users\Admin\AppData\Local\Temp\u1s0.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 onlycitylink.com udp
US 8.8.8.8:53 onlycitylink.com udp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 nic-it.nl udp
US 8.8.8.8:53 yip.su udp
RU 193.233.132.234:80 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.234:80 tcp
US 172.67.182.192:443 onlycitylink.com tcp
US 172.67.182.192:443 onlycitylink.com tcp
US 172.67.193.79:443 realdeepai.org tcp
US 104.21.90.14:443 realdeepai.org tcp
US 172.67.169.89:443 yip.su tcp
DE 138.201.79.103:80 nic-it.nl tcp
US 8.8.8.8:53 jonathantwo.com udp
US 172.67.176.131:443 jonathantwo.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 8.8.8.8:53 firstfirecar.com udp
US 172.67.193.220:443 firstfirecar.com tcp
US 172.67.193.220:443 firstfirecar.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 d6369ab1-ff5a-4fc2-a4d1-23282565e010.uuid.alldatadump.org udp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
DE 185.172.128.228:80 tcp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
DE 185.172.128.150:80 185.172.128.150 tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 download.iolo.net udp
FR 185.93.2.246:80 download.iolo.net tcp
US 20.157.87.45:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 204.79.197.219:443 tcp
SE 192.229.221.95:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 20.9.155.150:443 tcp
US 8.8.8.8:53 udp
SE 192.229.221.95:80 tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server3.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun1.l.google.com udp
BG 185.82.216.108:443 server3.alldatadump.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.108:443 server3.alldatadump.org tcp

Files

memory/1772-0-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

memory/1772-1-0x00000000000A0000-0x00000000000AA000-memory.dmp

memory/1772-2-0x0000000002010000-0x000000000206E000-memory.dmp

memory/1772-3-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2600-8-0x0000000002A40000-0x0000000002AC0000-memory.dmp

memory/2600-9-0x000000001B670000-0x000000001B952000-memory.dmp

memory/2600-10-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

memory/2712-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2712-15-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2712-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2712-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2712-20-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2712-21-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2712-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2712-22-0x0000000000400000-0x0000000000408000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2DB7.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar2F9D.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar307E.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b90dac16bbe441dc30e3f2535490f0df
SHA1 084099eec19c0924c8ec2b0dc2b915832fc29fb8
SHA256 9705aa249ad7c47eec4d1ec97af8e0d75509d2b88b760aeff1d66a10205b0a8e
SHA512 4683fa692f83bfcf0e6f6a9c4c3335d37c8c216da85102449e532c62e992d7a6043ae60f7c66ad591b09326b3eee18553f76c7e6f6ee8c03ff1dcaf8c7dba14f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 294b2f78e0f5d07c9d781addbc0858ca
SHA1 fb4269ccf99443f9c16385ba6fecfd6ddcc69902
SHA256 f5c9f5b4ca518c68ceab9bdf968da177e41cdfdaaf5b185c3c0250fa0e8eef1f
SHA512 02042d52c64a26e2961b9c01c1e9849c6d5ee7b0c81b8f2e4e8e8441c9736a1e48f37f66e455f2dc133aaa0348666dc7f91b75a2ed482b3712cfbd1244918add

C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe

MD5 34e8369309638e9468c65df8d546e9ec
SHA1 f6296bdb66b9f188a9093d0f2e3edaf3dfd5ed9f
SHA256 bc09d4cc90b0e7b582c6ed7010277377aff00042d7469cb2e9f11f775cef4605
SHA512 b792981f6e855fcab23dbb078f5aa2398c6c4175b4b151a656174b756de936bc388d2fa2c8432a9b9120256e5db9ebbfca38a12d60bc085f744988ef1a726c48

memory/1500-172-0x00000000031F0000-0x00000000035E8000-memory.dmp

memory/708-184-0x0000000002F30000-0x0000000003328000-memory.dmp

\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe

MD5 b4edadf4b8fc4c176cef6830ab7d3177
SHA1 6f93a98295f5b4a514870db5c50d000f3d644264
SHA256 241ec7b24544cef6c5762622c25c91621f0dd20c9154dcf20c83932d2c3496e5
SHA512 dc727e1cbe252fdfbc866ac4dad3d256038535b32d437d8d17e537c8723b1b8f51da6e0de4a7ac53295cf091fcf93591907f1bd2487618c542bc96e8616232dc

C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe

MD5 f20e81522dfa1a0bc82088ca9165af18
SHA1 d7fa828e6592bb94c1b60fbdbe3a21d217145323
SHA256 90e8cfe2dc4ee40715f8d25bca67f4ff7d9cb0b2ee3fe7436951d861e7a0f89e
SHA512 3bae0065729478ed9200c58ec0363cf5f06ca7401f62c2df4431cb70968760221a6c80add41471bdc2fafc3497caa66d28f4dd06a2dbc9d004e42c612bd8624a

memory/2136-197-0x00000000030A0000-0x0000000003498000-memory.dmp

C:\Users\Admin\Pictures\jHsi51dPIgen6vovr3mGN3oR.exe

MD5 b1b897b35a72c8a795bab7a7850a7041
SHA1 3d7fefc4e2cbb148a05c6d244925a999282f49f6
SHA256 205034103150d565d085da11a2861bec4b800e620a818e78fe6b3dfc96c7ef42
SHA512 25c3982631181e4bd190c106b03e869903bd099b7476704a92f440e3f10a8a5810bd16f7b3f87b5dd9ecfea843cf960e44e0e6ace2366d50c4236be6481923af

memory/2804-200-0x00000000030C0000-0x00000000034B8000-memory.dmp

C:\Users\Admin\Pictures\F2LuyPGDl9UMeeJs2PsL6d5n.exe

MD5 d7b826b6afcdc453bbcfec7612012024
SHA1 9f7e5abdc6b0b838faf56c12f93fcac82131a4e1
SHA256 8ebfb0a261d2332f69a8fe499a4af93e5298340bcb5846f4c98bbadaf2ec3812
SHA512 15e061c32561151473ccd16d0d2f814634ebdd3f56b5e2a3eb80bff07aa5fd0fa2a26c54119a8461b2e59e6603dc6bd6f34231fc13352affc1dc3aaa9791e33d

memory/2320-202-0x00000000030F0000-0x00000000034E8000-memory.dmp

memory/708-203-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1500-204-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\Pictures\O05cSDQhdrVskWPUlp2qyBtR.exe

MD5 58abc76e3bf16ebe939c3fb841129b5b
SHA1 8860684923c2d64551ca6175ea63e34e11e89599
SHA256 8773907e6db3869856293c19c8fbee567854ca17e8c4dd580ee8a05fe3f1b0a7
SHA512 ab3964c57c1ce0b4db2da147b40f0c058b65848c4fe21a7fc4f6fa026378d7b0861005a4111a9ea469245b0ff75d31c3db3550204951783637a77e2c559a4aef

C:\Users\Admin\Pictures\NgBlONli6MyRcs4oApFuwB8v.exe

MD5 d34dc724304b2356982c555aa92f8bcc
SHA1 7f128e5cc1a6577fc8e109451316c977bd3b4db0
SHA256 060418d5424b39a031bf7ba01045a8dbbce2f8aa26712eb18831111630e7a2ca
SHA512 9bc20dfea0f10655f10790f2483f6864de6441f3a0212c3d94de8b155a89bfe834e9d836f9dfa33ed825aee2b5fc3eb0169e2f33c734897733df94076e5e4093

memory/2604-216-0x00000000030C0000-0x00000000034B8000-memory.dmp

memory/2136-217-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2492-230-0x0000000003050000-0x0000000003448000-memory.dmp

\Users\Admin\Pictures\vZrLF5GFVHoAt8olITDSKUPp.exe

MD5 b5cefdaa3baf3106eaac1389edac2eb9
SHA1 ca8f379ca3c565c459d4bd84fa0f5e68ceee3ff7
SHA256 046300b1c955500c85d8b26f69494758015f53c94ea9a64df27b183f939a656a
SHA512 2c42a1acd3582de3363d036c8389b300d477e3944bc15e6cdd387acdd2eef2e5950acbceb22013678fd915a2df150848ddcc76bc7e56af78e7598c3c36b7357c

C:\Windows\rss\csrss.exe

MD5 9d9d8f10b7cf4ac07ad801583da10867
SHA1 44f62c6b466b7b24e6d4ce836c07ac50a5092ce8
SHA256 eb0e4112feb0aca67f19d419d6e309a74b3482bad45d5352860dd0ee9a05ffdf
SHA512 2c2f3a8d18a45f037e8b8f8a73482bf12322f6b057f198aea756d8c8a02f5039257e14813878035fb4842926c2522e8e26d75ad1c9e3afc0941753c56707a5e1

memory/2820-244-0x00000000031A0000-0x0000000003598000-memory.dmp

\Windows\rss\csrss.exe

MD5 5d0412e2b76f8348bb64a25fcbb9d5f7
SHA1 eaa4c395a7932ace0b327108158095aadd3cde26
SHA256 963fa82b410b947db4fb4db8de3ffc6efc37ece176f34731a107a18c01495b8d
SHA512 16276c968a66ee13fd3f7d6587a23b344066b712e19f5d7fe90591bdf2e59ccd5cea8f7817030639900bbdf442eaccaf99773b205ff045d85992643fad2f36bd

memory/2804-245-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2320-246-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2328-250-0x0000000003220000-0x0000000003618000-memory.dmp

memory/2492-249-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2604-251-0x0000000000400000-0x0000000002ED5000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2328-253-0x0000000000400000-0x0000000002ED5000-memory.dmp

\Users\Admin\AppData\Local\Temp\u1s0.0.exe

MD5 a33065159222d4c22e581ea419285701
SHA1 6297d390c9d8c3b8c3340d8d38d46c1bbf32d354
SHA256 ddf2f47cbc0db66b326be096b46854a6ab59a2504688077bba0bbb42c4470ae2
SHA512 2860dab79524b7db3f0b7771b8d402905a8096653d1c83e49e3827bb7cd739104848b691be16fbd898b81bfd4fcdd827fc4c8f72da6e91d565f02e59f5725f79

memory/2988-273-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 c41c3be9c15587a82952179c1c4467e3
SHA1 4015bd6d980e260c3bf759c37ef1463fd4d88bc2
SHA256 ab3ca69ff0282d028f4b8460e921d37553e98ebf12c6a9f8c6741875d889e9d3
SHA512 17c69a1d66c53d82036806e82fe849570052853839eeefde1f9cb4ec5e3628ed7dc3d06d453b9f35fd7cf51abb8006c78322841ad37829d6b87638fc7060f4a5

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 5d4da2e9bb55c5a352fbd486505176a1
SHA1 6b1d06db1301292cfce31031e4bcb08cb29bb669
SHA256 3e2168e94fe2af3c14fc985a852aeee83ede6f068b84809254941dfd045c7158
SHA512 22a0eeed4389cb1b458ca4d8fa644ed35d2d2c06e164fadf3054f6207a593704abbe4b9e53908ab540c2b844a501f75d30cb6125c28b08e677111a4de92b8e01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d4d8020ed8ff9f0286fd9f95d5bbb40e
SHA1 d941f29e2ae3fcbf7f2f77ac9134ca2d0f918957
SHA256 b4309feb211924eb8b86228e2cdf27d83b41e373cddd9e71dbfbe57e3e478582
SHA512 178ed968cf1ac4b01bde8c3482374e45a69b4906d5715cdeb7cfcb48befa1b0e4ade22fe67080259398ac39bd85acbf168bfd35286805218552d402ff34c7d9a

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

memory/2988-259-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1772-347-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

memory/1772-352-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2304-351-0x0000000000400000-0x0000000002B1E000-memory.dmp

memory/2624-364-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2820-387-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2624-391-0x0000000000400000-0x0000000002AF1000-memory.dmp

\Users\Admin\AppData\Local\Temp\u1s0.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/2304-406-0x0000000000400000-0x0000000002B1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 85091ed3ade176044a043c9f4ae8f102
SHA1 ebab0a99a57c54a73971f5a030a575819505edf6
SHA256 cb16a38763f2eba2c4bf5e940303a1c2e5ba1dc18affe5f81d1d79c1635c30da
SHA512 4daf88a0cd5051fc781f2f334220c8a04de5538ad7bb016bb43fe13eba51a05da6c8461c8ce57be6cec63e295026f914558cfe701a7e9423426c39a2d4eaa2fa

memory/2820-436-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2624-437-0x0000000000400000-0x0000000002AF1000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1908-465-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2716-471-0x0000000001340000-0x0000000004B74000-memory.dmp

memory/2716-472-0x000000001EE00000-0x000000001EF0A000-memory.dmp

memory/2716-475-0x0000000000420000-0x0000000000434000-memory.dmp

memory/2716-474-0x0000000000590000-0x000000000059C000-memory.dmp

memory/2716-476-0x000000001DF80000-0x000000001DFA4000-memory.dmp

memory/2716-473-0x0000000000410000-0x0000000000420000-memory.dmp

memory/2716-485-0x000000001E940000-0x000000001E9F2000-memory.dmp

memory/2716-484-0x0000000000BA0000-0x0000000000BCA000-memory.dmp

memory/2716-483-0x00000000001F0000-0x00000000001FA000-memory.dmp

memory/2716-490-0x0000000000200000-0x000000000020A000-memory.dmp

memory/2716-494-0x000000001FC20000-0x000000001FF20000-memory.dmp

memory/2716-497-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/2716-496-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/2716-498-0x0000000001320000-0x000000000132A000-memory.dmp

memory/2716-500-0x000000001E450000-0x000000001E472000-memory.dmp

memory/2716-499-0x000000001EC00000-0x000000001EC62000-memory.dmp

memory/2716-503-0x0000000001330000-0x000000000133C000-memory.dmp

memory/2820-505-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2624-508-0x0000000000400000-0x0000000002AF1000-memory.dmp

memory/2716-515-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/2716-514-0x0000000000BE0000-0x0000000000BEA000-memory.dmp

memory/2624-516-0x0000000000400000-0x0000000002AF1000-memory.dmp

memory/2820-517-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\252e99e709753c2ab04b66e213ab7d72cfdb494a7016e07d23bc17fe7cebab94\114f703f588b497a85fb5ee818fd93f2.tmp

MD5 da71942d08254b3cb61f31f6cbe6f8e0
SHA1 cdaaa45d2f050fd4f1dcf4960750b12a85a2c5d5
SHA256 8eb68f6d24c5bf7ace5b154a4888869a2bb96e42c697bd1fa11d0f405c881d39
SHA512 1b976ae5cfe11c3ee298a816905d781ac2fd324cbaabbf5dce7da9df9430d2a2a6ba5a5ab2643a72d939b57c81ff93fa9257013f6ed26f64f7b95cc3af160101

memory/2820-523-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2820-532-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2820-533-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2820-534-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2820-540-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2820-541-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

memory/2820-552-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

memory/2820-571-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/2972-575-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2972-578-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2100-577-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2100-579-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2820-580-0x0000000000400000-0x0000000002ED5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 01:22

Reported

2024-05-10 01:25

Platform

win10v2004-20240426-en

Max time kernel

126s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

ZGRat

rat zgrat

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects encrypted or obfuscated .NET executables

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables (downloaders) containing URLs to raw contents of a paste

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with or using KoiVM

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u17k.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GQ9tnjegOxoyMS83VeIh8toI.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vxgASbyFTXVGQgL6sDY2fRFd.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9NzhKNQz300b2QDz7FlPbSBM.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vGdHarNVYg02klBCVIKzo8z9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2qa3BrEk8J3HFQbNTT1c6csl.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iRC6nErVYhm4dGmM0B1SQ2FY.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\O8KNYHAVL9ByxCGAY7g7M4jE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4692 set thread context of 3820 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\u17k.0.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u17k.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u17k.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u17k.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u17k.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u17k.0.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe N/A
N/A N/A C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe N/A
N/A N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
N/A N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe N/A
N/A N/A C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe N/A
N/A N/A C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe N/A
N/A N/A C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u17k.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u17k.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4692 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4692 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4692 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4692 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4692 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4692 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4692 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4692 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4692 wrote to memory of 3820 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 3820 wrote to memory of 1568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe
PID 3820 wrote to memory of 1568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe
PID 3820 wrote to memory of 1568 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe
PID 3820 wrote to memory of 4280 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe
PID 3820 wrote to memory of 4280 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe
PID 3820 wrote to memory of 4280 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe
PID 3820 wrote to memory of 4260 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe
PID 3820 wrote to memory of 4260 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe
PID 3820 wrote to memory of 4260 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe
PID 3820 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe
PID 3820 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe
PID 3820 wrote to memory of 3256 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe
PID 3820 wrote to memory of 3908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe
PID 3820 wrote to memory of 3908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe
PID 3820 wrote to memory of 3908 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe
PID 4280 wrote to memory of 4492 N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4492 N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4280 wrote to memory of 4492 N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 3872 N/A C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 3872 N/A C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4260 wrote to memory of 3872 N/A C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 3172 N/A C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe C:\Users\Admin\AppData\Local\Temp\u17k.0.exe
PID 1568 wrote to memory of 3172 N/A C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe C:\Users\Admin\AppData\Local\Temp\u17k.0.exe
PID 1568 wrote to memory of 3172 N/A C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe C:\Users\Admin\AppData\Local\Temp\u17k.0.exe
PID 3256 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3256 wrote to memory of 2508 N/A C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 3436 N/A C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 3436 N/A C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3908 wrote to memory of 3436 N/A C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1568 wrote to memory of 1940 N/A C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe C:\Users\Admin\AppData\Local\Temp\u17k.1.exe
PID 1568 wrote to memory of 1940 N/A C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe C:\Users\Admin\AppData\Local\Temp\u17k.1.exe
PID 1568 wrote to memory of 1940 N/A C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe C:\Users\Admin\AppData\Local\Temp\u17k.1.exe
PID 1940 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\u17k.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 1940 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\Temp\u17k.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 2996 wrote to memory of 1916 N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 1916 N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2996 wrote to memory of 1916 N/A C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe

"C:\Users\Admin\Pictures\ayieBndRbByWcvTewT2T9FaC.exe"

C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe

"C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe"

C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe

"C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe"

C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe

"C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe"

C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe

"C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u17k.0.exe

"C:\Users\Admin\AppData\Local\Temp\u17k.0.exe"

C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe

"C:\Users\Admin\Pictures\gn5aEjk7v0GI5iPeYv7I55ow.exe"

C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe

"C:\Users\Admin\Pictures\eIMDy4Rn0qbzHovjZAzn3Jtp.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe

"C:\Users\Admin\Pictures\Nvvo3V00xwntl4w3HDd7Y2jv.exe"

C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe

"C:\Users\Admin\Pictures\laQmv2StdmivmKQEoXqUBnQn.exe"

C:\Users\Admin\AppData\Local\Temp\u17k.1.exe

"C:\Users\Admin\AppData\Local\Temp\u17k.1.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3172 -ip 3172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3172 -s 2268

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

Network

Files


C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d4f2f98cc0d69ad1e47ae0760a882734
SHA1 08b869056371f9062cdebc4cdd88473ef825e3fc
SHA256 75f12d32df46285dfe4c37a432fae725628d4665b32764270454c51e4858140e
SHA512 c5a42c7c859612159ab687a26bd94b1fbec277eeec8eba94eac891925cd46bb0d5ff9a5521dab69ab63f6e8c36927e8bac8b37b0340d58bbdbac44c3bae6b7d8

memory/4260-208-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/4280-209-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3256-211-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2508-213-0x00000000062B0000-0x00000000062FC000-memory.dmp

memory/2508-214-0x000000006FA90000-0x000000006FADC000-memory.dmp

memory/2508-225-0x0000000007320000-0x00000000073C3000-memory.dmp

memory/2508-215-0x000000006FC50000-0x000000006FFA4000-memory.dmp

memory/2508-226-0x0000000007460000-0x0000000007471000-memory.dmp

memory/2508-236-0x0000000005B30000-0x0000000005B44000-memory.dmp

memory/3256-239-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3436-241-0x000000006FA90000-0x000000006FADC000-memory.dmp

memory/3436-242-0x000000006FC50000-0x000000006FFA4000-memory.dmp

memory/3908-255-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u17k.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b88d7a362814eea48b5f900513c6bf12
SHA1 17a00d7698ddbaa0691739d5941b648c0f704638
SHA256 97fcd8264f67a476aa581d678ed36b345963a0bf7b548c782f94254f27291805
SHA512 5bf2c4649b559cfbcd3a38b32810b470f3914fa7a7ade7103972c6b7d74af1fa0e0a2db348e17fb84d3800447aad0faa68ec574fc0887462de8da1282d6a67ef

memory/1568-276-0x0000000000400000-0x0000000002B1E000-memory.dmp

memory/1940-294-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 0f8983e98d3db8898873de64d9052eac
SHA1 f2980fc80c5d0d588c57af79a4dd4264ac600277
SHA256 3d11cf8b21d587bc9a9073bc0af56b87e603ef16bcc255ade6c90dd05a4495ff
SHA512 f9537faec97df9004c127725748fc06344b61125ba89ce41b3a0d17568e952c45d754055e70d8ae552206d12acf0eabcbafbe85ce25968a0ac47021a7aec623f

memory/1940-307-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/3244-310-0x0000021AF3120000-0x0000021AF6954000-memory.dmp

memory/3244-311-0x0000021AF9460000-0x0000021AF956A000-memory.dmp

memory/3244-313-0x0000021AF8EF0000-0x0000021AF8EFC000-memory.dmp

memory/3244-315-0x0000021AF8F40000-0x0000021AF8F64000-memory.dmp

memory/3244-314-0x0000021AF8EE0000-0x0000021AF8EF4000-memory.dmp

memory/3244-312-0x0000021AF86C0000-0x0000021AF86D0000-memory.dmp

memory/3244-316-0x0000021AF8F60000-0x0000021AF8F6A000-memory.dmp

memory/3244-317-0x0000021AF8F90000-0x0000021AF9042000-memory.dmp

memory/3244-318-0x0000021AF9360000-0x0000021AF938A000-memory.dmp

memory/3244-319-0x0000021AF93E0000-0x0000021AF9430000-memory.dmp

memory/3244-320-0x0000021AF8F80000-0x0000021AF8F8A000-memory.dmp

memory/3244-324-0x0000021AF96E0000-0x0000021AF99E0000-memory.dmp

memory/3244-326-0x0000021AFD320000-0x0000021AFD328000-memory.dmp

memory/3244-329-0x0000021AFD340000-0x0000021AFD348000-memory.dmp

memory/3244-328-0x0000021AFD330000-0x0000021AFD33E000-memory.dmp

memory/3244-327-0x0000021AFD9F0000-0x0000021AFDA28000-memory.dmp

memory/3244-332-0x0000021A98B60000-0x0000021A98B82000-memory.dmp

memory/3244-331-0x0000021A98B00000-0x0000021A98B62000-memory.dmp

memory/3244-330-0x0000021A98D80000-0x0000021A98D8A000-memory.dmp

memory/3244-333-0x0000021A992C0000-0x0000021A997E8000-memory.dmp

memory/3244-336-0x0000021A98B80000-0x0000021A98B8C000-memory.dmp

memory/3244-337-0x0000021AFDEF0000-0x0000021AFDF66000-memory.dmp

memory/3244-338-0x0000021AFDA30000-0x0000021AFDA4E000-memory.dmp

memory/3244-343-0x0000021AF8DA0000-0x0000021AF8EBF000-memory.dmp

memory/3172-360-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1916-392-0x00000000059C0000-0x0000000005D14000-memory.dmp

memory/1916-403-0x0000000005F30000-0x0000000005F7C000-memory.dmp

memory/1916-433-0x00000000071A0000-0x0000000007243000-memory.dmp

memory/1916-423-0x000000006F4F0000-0x000000006F844000-memory.dmp

memory/1916-422-0x000000006F480000-0x000000006F4CC000-memory.dmp

memory/1916-434-0x0000000007470000-0x0000000007481000-memory.dmp

memory/3172-438-0x0000000000400000-0x0000000002AF1000-memory.dmp

memory/1916-445-0x00000000074C0000-0x00000000074D4000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/3868-463-0x000000006F480000-0x000000006F4CC000-memory.dmp

memory/3868-464-0x000000006F4F0000-0x000000006F844000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bcc148abf18b67eecf19518354259ffe
SHA1 3862da0111871f93783ba350bf3f4ea27bd291ca
SHA256 359896a4f4b8f7930d7501e2771ebafe44e74359d8f1db4558ddda72a88bf69f
SHA512 063380f8ae524161bc9d2647f2fa4e3c783d58184500f637bef525b9f0c12b61351839dedf2286f8692d35a7ccc57d0236eeac59352ade8e1009250226cf1ba4

memory/1076-488-0x00000000063E0000-0x0000000006734000-memory.dmp

memory/2996-499-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/5080-500-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1076-503-0x000000006F4D0000-0x000000006F824000-memory.dmp

memory/1076-502-0x000000006F480000-0x000000006F4CC000-memory.dmp

memory/4972-513-0x000000006F480000-0x000000006F4CC000-memory.dmp

memory/4972-514-0x000000006F4D0000-0x000000006F824000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7b0876168fac864d6384bc68377b22db
SHA1 b3f10ea4e83f2aeb68ea7cdf03e0199b8a830e88
SHA256 464948867a8bb05a58d71a4eb826874f25d29408422ee2a7a753b8445bd9573b
SHA512 8d21c557a419950966e0801828b893286a5c33df6e24d05df489ee04bc6a10d42a28044db988b4b0529888e75ac7741f4b29e585b4650470f506abf568734ede

memory/5052-531-0x0000000005BA0000-0x0000000005EF4000-memory.dmp

memory/5052-552-0x000000006F480000-0x000000006F4CC000-memory.dmp

memory/5052-554-0x000000006F690000-0x000000006F9E4000-memory.dmp

memory/1404-567-0x000000006F690000-0x000000006F9E4000-memory.dmp

memory/1404-566-0x000000006F480000-0x000000006F4CC000-memory.dmp

memory/3172-565-0x0000000000400000-0x0000000002AF1000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf63bcd1d4fe4722edc91be16ce0ceea
SHA1 a8e4dfebbe6933f2b0144611695b838f02709973
SHA256 6b840d2ca60a1e157cca24d409ce325f93dfc5fb33995dfe27f0ff6d71df02be
SHA512 17a153b7f389c5fe4b7035d0e13534b86a16f2741d91ac25b255551983ae175bdcc4acb01117fe7f43144ba4a824df978d4462aa3d88187ea06ad76486b42ea0

memory/5080-584-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2996-586-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/1432-595-0x00000000060B0000-0x0000000006404000-memory.dmp

memory/1432-607-0x0000000006780000-0x00000000067CC000-memory.dmp

memory/1432-608-0x000000006F3A0000-0x000000006F3EC000-memory.dmp

memory/1432-619-0x0000000007980000-0x0000000007A23000-memory.dmp

memory/1432-609-0x000000006F480000-0x000000006F7D4000-memory.dmp

memory/1624-620-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3172-622-0x0000000000400000-0x0000000002AF1000-memory.dmp

memory/1432-623-0x0000000006560000-0x0000000006574000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eab1a336cf7158fdb38d554c29ae7cd6
SHA1 f35307cf159d10c6de4a82a6ef8c9e839a967faa
SHA256 976a71fea31574ac5ca668691fe1d9f9ba1d1d66eb23dae933cc1315dcfbf2e8
SHA512 44874c0a54a9078f11b5fae525d79582e547bdc5221b8c141c874300e0d5b9833be07ec295c7bb2d094c3b9693dac8cb4066a94313137a9c7c95d08f3e62505f

memory/2508-644-0x0000000006C40000-0x0000000006C8C000-memory.dmp

memory/2508-645-0x000000006FAB0000-0x000000006FAFC000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6749c3945e0c004dfe19ff1173f4dad8
SHA1 d12bb773f17bf1e725e84b3f985f18195c38652e
SHA256 ff805fde21fa086b9a2dc46b5af08e7cbc58b6f780a4156301c9b3b4dc2658db
SHA512 8c49f1d31492e14ac8e44d827ae14d3c928a86e2c233b5dd0b40f40c610050c3628a80cb0fae15d4c3bf01a808e191a746d1511c93ebbb715b39ec90f4dc86d0
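The listing above is the raw material for blocklists and retro-hunts, but it is easy to copy a truncated digest or miss the handful of entries that actually matter. The script below is an added example, not part of the sandbox report or its signature set. It assumes the exact line shapes used in this Files section (a path line followed by MD5/SHA1/SHA256/SHA512 lines, and single memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp lines), rejects digests of the wrong length or alphabet before they reach an IoC feed, and then applies three analyst heuristics that are assumptions of this example rather than report findings: Firefox NSS libraries (mozglue.dll, nss3.dll) dropped outside a Firefox install, PowerShell artifacts under the LocalSystem profile path, and dumps that start at the default image base 0x400000 and are large enough to be worth carving for an unpacked PE. The sample input is a constructed subset of entries copied from this section.

```python
import re
from dataclasses import dataclass, field

# Constructed input: entries copied from the file listing above
# (a path line, then its digests; memory dumps are single lines).
SAMPLE = r"""
memory/1568-142-0x0000000000400000-0x0000000002B1E000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/4260-208-0x0000000000400000-0x0000000002ED5000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
NSS_LIBS = {"mozglue.dll", "nss3.dll"}  # Firefox NSS libs stealers ship along (analyst assumption)

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start

def parse_listing(text: str):
    """Parse the Files listing; reject digests with the wrong length or alphabet."""
    files, regions, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None  # a dump line ends the previous file entry
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LEN:
            if current is None:
                raise ValueError(f"digest without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo] or not re.fullmatch(r"[0-9a-f]+", digest):
                raise ValueError(f"malformed {algo} for {current.path}: {digest}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(line)  # anything else starts a new path entry
        files.append(current)
    return files, regions

def triage(files, regions):
    """Analyst heuristics for this example; they are assumptions, not report signatures."""
    findings = []
    for f in files:
        low = f.path.lower()
        name = low.rsplit("\\", 1)[-1]
        if name in NSS_LIBS and "\\mozilla firefox\\" not in low:
            findings.append((f.path, "Firefox NSS library outside a Firefox install: "
                             "credential-decryption helper typical of infostealers"))
        if "\\config\\systemprofile\\" in low and "powershell" in low:
            findings.append((f.path, "PowerShell artifact under the LocalSystem profile: PowerShell ran as SYSTEM"))
    for r in regions:
        if r.start == 0x400000 and r.size >= 16 << 20:  # default image base, >= 16 MiB
            findings.append((f"pid {r.pid} dump {r.index}",
                             f"{r.size >> 20} MiB region at the default image base: candidate for unpacked-PE carving"))
    return findings

def sha256_iocs(files):
    """Deduplicated, validated SHA256 set ready for a blocklist or retro-hunt."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})

if __name__ == "__main__":
    fs, rs = parse_listing(SAMPLE)
    for where, why in triage(fs, rs):
        print(f"{where}\n    {why}")
    print("\n".join(sha256_iocs(fs)))
```

Feed it the whole Files section rather than the excerpt and the same parser works unchanged; the digest validation is the part worth keeping even if the heuristics are replaced, because a 63-character SHA256 silently matches nothing downstream.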