Analysis Overview
SHA256
8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913
Threat Level: Known bad
The file d6078bbecc15a333c6171debc4488498.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Stealc
Modifies firewall policy service
Windows security bypass
ZGRat
UAC bypass
Detect ZGRat V1
PrivateLoader
Glupteba
Modifies boot configuration data using bcdedit
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Drops file in Drivers directory
Possible attempt to disable PatchGuard
Command and Scripting Interpreter: PowerShell
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Downloads MZ/PE file
Reads user/profile data of web browsers
Checks computer location settings
Reads data files stored by FTP clients
Windows security modification
Themida packer
Checks BIOS information in registry
UPX packed file
Drops startup file
Loads dropped DLL
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Manipulates WinMon driver.
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Checks whether UAC is enabled
Manipulates WinMonFS driver.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Program crash
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious behavior: LoadsDriver
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 04:05
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 04:05
Reported
2024-05-10 04:07
Platform
win7-20240215-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
PrivateLoader
Stealc
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Sumv9e2zZTPfbr2KJrMWLNxW.exe = "0" | C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\00fKWSRoAerNWHLuZOUwTWLf.exe = "0" | C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uTsEd5zaWAwTh2I5zhyQgn96.exe = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\dSRtB270COtELwP0avgpGVnT.exe = "0" | C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ARjQUSHzQYtRWezpQRCfQhpA.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYMwLXrmZMiex6EUCXyUvaLi.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GkcKN5W0Qsc1Iu0iNolJG9YA.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ET1F8QmK4lwnrcepgBxgn0a9.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31qGBJcGUvOUxPWSwiaphdYR.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XqQTJm8eo9LYXK4iYRu71AFH.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B3hGdaAIo7EP8qbDaWdC7YgL.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Sumv9e2zZTPfbr2KJrMWLNxW.exe = "0" | C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\dSRtB270COtELwP0avgpGVnT.exe = "0" | C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uTsEd5zaWAwTh2I5zhyQgn96.exe = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\00fKWSRoAerNWHLuZOUwTWLf.exe = "0" | C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2220 set thread context of 2572 | N/A | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe | N/A |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240510040523.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u26o.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u26o.0.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u26o.1.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe
"C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2220 -s 808
C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe
"C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe"
C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe
"C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe"
C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe
"C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe"
C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe
"C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe"
C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe
"C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe"
C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe
"C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe"
C:\Users\Admin\AppData\Local\Temp\u26o.0.exe
"C:\Users\Admin\AppData\Local\Temp\u26o.0.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240510040523.log C:\Windows\Logs\CBS\CbsPersist_20240510040523.cab
C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe
"C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe"
C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe
"C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe"
C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe
"C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe"
C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe
"C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe"
C:\Users\Admin\AppData\Local\Temp\u26o.1.exe
"C:\Users\Admin\AppData\Local\Temp\u26o.1.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 104.20.3.235:443 | pastebin.com | tcp |
| US | 104.21.79.77:443 | yip.su | tcp |
| US | 8.8.8.8:53 | onlycitylink.com | udp |
| US | 8.8.8.8:53 | realdeepai.org | udp |
| US | 8.8.8.8:53 | avgmc.xyz | udp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| RU | 193.233.132.234:80 | | tcp |
| US | 8.8.8.8:53 | onlycitylink.com | udp |
| RU | 5.42.96.64:80 | 5.42.96.64 | tcp |
| RU | 193.233.132.234:80 | | tcp |
| US | 8.8.8.8:53 | realdeepai.org | udp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 172.67.182.192:443 | onlycitylink.com | tcp |
| US | 172.67.182.192:443 | onlycitylink.com | tcp |
| RU | 84.38.181.36:443 | avgmc.xyz | tcp |
| US | 8.8.8.8:53 | jonathantwo.com | udp |
| US | 8.8.8.8:53 | jonathantwo.com | udp |
| US | 8.8.8.8:53 | firstfirecar.com | udp |
| US | 8.8.8.8:53 | firstfirecar.com | udp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.193.220:443 | firstfirecar.com | tcp |
| US | 172.67.193.220:443 | firstfirecar.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| GB | 85.192.56.26:80 | 85.192.56.26 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | iplogger.com | udp |
| US | 172.67.188.178:443 | iplogger.com | tcp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| US | 8.8.8.8:53 | a912424b-6149-45a7-bac9-5464d651c4d0.uuid.theupdatetime.org | udp |
| FR | 185.93.2.244:80 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.145:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | server3.theupdatetime.org | udp |
| US | 8.8.8.8:53 | stun.sipgate.net | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 15.197.250.192:3478 | stun.sipgate.net | udp |
| BG | 185.82.216.108:443 | server3.theupdatetime.org | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| BG | 185.82.216.108:443 | server3.theupdatetime.org | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| BG | 185.82.216.108:443 | server3.theupdatetime.org | tcp |
Files
memory/2220-0-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp
memory/2220-1-0x0000000000E70000-0x0000000000E7A000-memory.dmp
memory/2220-2-0x00000000005B0000-0x000000000060E000-memory.dmp
memory/2220-3-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
memory/2572-8-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2572-10-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2572-19-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2580-20-0x0000000002E20000-0x0000000002EA0000-memory.dmp
memory/2572-18-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2572-17-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2572-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2572-14-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2572-12-0x0000000000400000-0x0000000000408000-memory.dmp
memory/2580-21-0x000000001B770000-0x000000001BA52000-memory.dmp
memory/2580-22-0x0000000000670000-0x0000000000678000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab34D8.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar34DB.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\Tar35BE.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | ff46b0a6ae88e75f6220ab981e3e0e8a |
| SHA1 | 61110724609ce2e68fc7fdb63a889e55b3d81ed1 |
| SHA256 | 36bcc0113b6493f4a9eda8f8eac14437a120d310179f66a7ef2d25195dfd5ba4 |
| SHA512 | b1ddfc9a138f04ce549801fb1d4a8e21a8627786ca2117db3eed8f95c8306d9c17992d817f4caaf38eaa48db10688c98db158878e888d77635215fc54175257d |
C:\Users\Admin\AppData\Local\Temp\Cab35A9.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe
| MD5 | 8ff1083b2490429a4ea0ecf8f5542c8c |
| SHA1 | 70ebf9b87666aab4db253e98e845ea440602a4cc |
| SHA256 | e43535ac108378521826695ae572ea24b4cde1a78b0016d3b5ebe82ff5934535 |
| SHA512 | c2f4d386f0b46ed9ed0716e3df086afb3ed360ea3afb74cb3dc0369311088332ae037269575722d5f60a12be9a242f505d32440ed294ad5170ec315c588b3c5c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bfa271adab7bfab7729be3a701604bcb |
| SHA1 | fd5050423dd4eac8aa034ae9dca81a4e27b0a4bc |
| SHA256 | 2e1b42b7ce399a5418e642bff79e06a9a2e949e7c11f10a0aca310e2931e829e |
| SHA512 | 903e6221a3a81f9a57c4194c5e192f04867cfa626094a2de31c6d5cbd25a31d408446dc3af006bb227a7462b591a69e6d098cd27e3cb093efd426f23eb562724 |
C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe
| MD5 | d41fd1ea6e0ca0032be2174317f60fd8 |
| SHA1 | 60f001b9d201259aa333e9b202e4ab5648d16bf3 |
| SHA256 | 3c56d175e67df7e1664bbedd95abee57cf93a7aceaf80374ede4ce1fc4a30990 |
| SHA512 | a4ce799f1ce9157d053dcb1694dcb127d98e994eb55cecb484ace1c192cf80a1fbfb7b8de94851a49e915cafebc568f70ce07b912e5901387ed90639c692c16e |
memory/2572-234-0x00000000099F0000-0x000000000A36B000-memory.dmp
C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe
| MD5 | b4edadf4b8fc4c176cef6830ab7d3177 |
| SHA1 | 6f93a98295f5b4a514870db5c50d000f3d644264 |
| SHA256 | 241ec7b24544cef6c5762622c25c91621f0dd20c9154dcf20c83932d2c3496e5 |
| SHA512 | dc727e1cbe252fdfbc866ac4dad3d256038535b32d437d8d17e537c8723b1b8f51da6e0de4a7ac53295cf091fcf93591907f1bd2487618c542bc96e8616232dc |
memory/1824-250-0x0000000002FB0000-0x00000000033A8000-memory.dmp
memory/2204-253-0x0000000003150000-0x0000000003548000-memory.dmp
memory/856-252-0x0000000140000000-0x000000014097B000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe
| MD5 | 34e8369309638e9468c65df8d546e9ec |
| SHA1 | f6296bdb66b9f188a9093d0f2e3edaf3dfd5ed9f |
| SHA256 | bc09d4cc90b0e7b582c6ed7010277377aff00042d7469cb2e9f11f775cef4605 |
| SHA512 | b792981f6e855fcab23dbb078f5aa2398c6c4175b4b151a656174b756de936bc388d2fa2c8432a9b9120256e5db9ebbfca38a12d60bc085f744988ef1a726c48 |
memory/980-276-0x0000000003050000-0x0000000003448000-memory.dmp
memory/2484-284-0x0000000003440000-0x0000000003838000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u26o.0.exe
| MD5 | a33065159222d4c22e581ea419285701 |
| SHA1 | 6297d390c9d8c3b8c3340d8d38d46c1bbf32d354 |
| SHA256 | ddf2f47cbc0db66b326be096b46854a6ab59a2504688077bba0bbb42c4470ae2 |
| SHA512 | 2860dab79524b7db3f0b7771b8d402905a8096653d1c83e49e3827bb7cd739104848b691be16fbd898b81bfd4fcdd827fc4c8f72da6e91d565f02e59f5725f79 |
memory/2192-308-0x0000000003170000-0x0000000003568000-memory.dmp
memory/1972-312-0x00000000032E0000-0x00000000036D8000-memory.dmp
memory/1964-313-0x00000000030E0000-0x00000000034D8000-memory.dmp
memory/2680-314-0x0000000003150000-0x0000000003548000-memory.dmp
memory/2140-316-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\Users\Admin\AppData\Local\Temp\u26o.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/2484-331-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/2832-355-0x0000000000400000-0x0000000002B1E000-memory.dmp
memory/980-315-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/1824-334-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/2204-356-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/2220-369-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp
memory/2192-401-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/2276-402-0x0000000003070000-0x0000000003468000-memory.dmp
memory/1972-414-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/2680-422-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/1964-423-0x0000000000400000-0x0000000002ED5000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 1538d8892608632e9aade661741772fb |
| SHA1 | 9b49faf2cb23c18015d1f617ec0b63b9b1f5add2 |
| SHA256 | 4fa4e24553f12416e69aff86a4cd3bf4d278967660fd137bca9d4543ff939264 |
| SHA512 | 5521170938be681b2eda9597de875d79936e39bb40744b3ad09b9bff1c00f8b4807d98f58bb4e3d7e70091415a712468001e3225554bcbb8807e360931f1383e |
memory/856-444-0x0000000140000000-0x000000014097B000-memory.dmp
memory/2220-445-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp
memory/2140-446-0x0000000000400000-0x0000000002AF1000-memory.dmp
memory/908-458-0x0000000000400000-0x00000000008AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/2572-469-0x00000000099F0000-0x000000000A36B000-memory.dmp
memory/1916-470-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/1916-484-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/2276-486-0x0000000000400000-0x0000000002ED5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | b0536d63a073ee6a60e9000308a9d61c |
| SHA1 | 1353e69e21057cfcf276d11dbc6b314bac327ec8 |
| SHA256 | 6d1bd49c759595543939da5dfd6d7c790cb6696eda23adb1f8d04b50b1edcd57 |
| SHA512 | 0f3fcee992c589349d777baca2362a8ebb63bb97b6009ea292121fdd317ca9b438032eba37ae9b57358afa7aefecc32fb3f61fe907e0d7325cc072b0890049e7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6188e5f5a0d79882e53f2944906cefe |
| SHA1 | 52991cc93010de70d126e86ecf55198b94753d8c |
| SHA256 | a3868fc8f6842dc3772956b160e1b0d95cae507122548d2ca572c58ab067ddaa |
| SHA512 | 85761e5014acb8f3d7ee9c82f933f00beabc1b513353a3aa4652c823b5f9cb1eab5aceeb8833c510f0460bf80acb9e824d4628be0ce50a3343c4e5dbd670034e |
memory/908-510-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/1984-550-0x0000000000CD0000-0x0000000004504000-memory.dmp
memory/1984-551-0x000000001EC70000-0x000000001ED7A000-memory.dmp
memory/1984-553-0x0000000000CC0000-0x0000000000CCC000-memory.dmp
memory/1984-552-0x00000000005E0000-0x00000000005F0000-memory.dmp
memory/1984-554-0x0000000000CB0000-0x0000000000CC4000-memory.dmp
memory/1984-555-0x000000001DEF0000-0x000000001DF14000-memory.dmp
memory/1984-565-0x0000000140000000-0x000000014097B000-memory.dmp
memory/1984-567-0x0000000000B00000-0x0000000000B0A000-memory.dmp
memory/1984-566-0x0000000140000000-0x000000014097B000-memory.dmp
memory/1984-569-0x000000001F350000-0x000000001F402000-memory.dmp
memory/1984-568-0x000000001E4B0000-0x000000001E4DA000-memory.dmp
memory/1984-570-0x0000000000B10000-0x0000000000B1A000-memory.dmp
memory/1984-574-0x000000001FB40000-0x000000001FE40000-memory.dmp
memory/1984-576-0x0000000005960000-0x000000000596A000-memory.dmp
memory/1984-578-0x000000001F400000-0x000000001F462000-memory.dmp
memory/1984-579-0x000000001E930000-0x000000001E952000-memory.dmp
memory/1984-577-0x000000001E500000-0x000000001E50A000-memory.dmp
memory/1984-582-0x000000001E950000-0x000000001E95C000-memory.dmp
memory/1984-590-0x0000000140000000-0x000000014097B000-memory.dmp
memory/1984-591-0x0000000140000000-0x000000014097B000-memory.dmp
memory/2276-589-0x0000000000400000-0x0000000002ED5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\252e99e709753c2ab04b66e213ab7d72cfdb494a7016e07d23bc17fe7cebab94\767515fedb084df6a70a6b87b7ef68a7.tmp
| MD5 | fb67c495e466208562de27817cba1991 |
| SHA1 | d922da25589139f1c4af90dbcbac5c820e017543 |
| SHA256 | e2cef965cbe53b68e11caaee6ad00e4862fa6cc6069cee5b1f5d1014ad02bc53 |
| SHA512 | 90f2a174a49cb4e98e87b33b76f9557597d4036eec9794af811599b12f3047cc52d29d9f64b4ba47e49dee51ffc163061be581c74104a2f6c74a214d1ffebae8 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
memory/2276-623-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/1184-632-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/648-633-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/1184-635-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2276-636-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/648-638-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2276-640-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/2276-643-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/648-650-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2276-651-0x0000000000400000-0x0000000002ED5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 04:05
Reported
2024-05-10 04:07
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
143s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
PrivateLoader
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe = "0" | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XSL75Dp8X5GvcCSscAgMff6t.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hCJWlBKjXo5Oob92l9foUS1J.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tLX6e4KApytTPZefSa8PPI7v.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqbWpY8aUPcYDuPjF1g7pqRG.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ga59klDFaLgG33dY8jiOzth2.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2X5ZHEh06YcWQbzIqdRD9re3.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xch3oM5lwdWLIvzlicgaJnAa.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\50SLWprzYHmxenwhmKGlIhTj.bat | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe | N/A |
| N/A | N/A | C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe = "0" | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 716 set thread context of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe
"C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe" -Force
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe
"C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe"
C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe
"C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe"
C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe
"C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe"
C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe
"C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe"
C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe
"C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe"
C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe
"C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe
"C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe
"C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe"
C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe
"C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe"
C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe
"C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe"
C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe
"C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe"
C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe
"C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe
"C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe"
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4240 -ip 4240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 356
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 392 -ip 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 2008
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 8.8.8.8:53 | yip.su | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 172.67.169.89:443 | yip.su | tcp |
| US | 8.8.8.8:53 | realdeepai.org | udp |
| RU | 5.42.96.64:80 | 5.42.96.64 | tcp |
| RU | 193.233.132.234:80 | | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | avgmc.xyz | udp |
| US | 8.8.8.8:53 | onlycitylink.com | udp |
| RU | 193.233.132.234:80 | | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 104.21.90.14:443 | realdeepai.org | tcp |
| US | 104.21.18.166:443 | onlycitylink.com | tcp |
| US | 104.21.18.166:443 | onlycitylink.com | tcp |
| RU | 84.38.181.36:443 | avgmc.xyz | tcp |
| US | 8.8.8.8:53 | jonathantwo.com | udp |
| US | 8.8.8.8:53 | firstfirecar.com | udp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.176.131:443 | jonathantwo.com | tcp |
| US | 172.67.193.220:443 | firstfirecar.com | tcp |
| US | 172.67.193.220:443 | firstfirecar.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.169.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.90.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.96.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.181.38.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.18.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.176.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.193.67.172.in-addr.arpa | udp |
| RU | 5.42.66.10:80 | 5.42.66.10 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 10.66.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| DE | 185.172.128.59:80 | 185.172.128.59 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.228:80 | 185.172.128.228 | tcp |
| US | 8.8.8.8:53 | svc.iolo.com | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | 45.87.157.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download.iolo.net | udp |
| FR | 143.244.56.49:443 | download.iolo.net | tcp |
| US | 8.8.8.8:53 | 49.56.244.143.in-addr.arpa | udp |
| US | 20.157.87.45:80 | svc.iolo.com | tcp |
| US | 8.8.8.8:53 | westus2-2.in.applicationinsights.azure.com | udp |
| US | 20.9.155.148:443 | westus2-2.in.applicationinsights.azure.com | tcp |
| US | 8.8.8.8:53 | 148.155.9.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 185.172.128.150:80 | 185.172.128.150 | tcp |
| US | 8.8.8.8:53 | 150.128.172.185.in-addr.arpa | udp |
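Most rows in the Network table are sandbox noise: resolver traffic to 8.8.8.8, reverse (`in-addr.arpa`) lookups the sandbox performs on every peer, Bing connections from the OS, and mDNS. What remains splits into three groups the summary already names: connections straight to an IP literal with no hostname, external-IP lookups (`api.myip.com`, `ipinfo.io`), and a legitimate service used as a possible dead drop (`pastebin.com`). The triage helper below is an added example written for this page, not tooling from the report. It parses the table's `| Country | Destination | Domain | Proto |` layout, repairs rows whose protocol slid into the Domain column, drops the noise, deduplicates connections, and separates domains that were only resolved from those actually contacted. The embedded table is a constructed excerpt, and the noise and service lists are assumptions to extend.

```python
import ipaddress

# Constructed excerpt in the same column layout as the report's Network table.
# It is sample input for this example, not the full table, and includes two
# rows with the shifted-column layout the report contains.
SAMPLE_NETWORK_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | avgmc.xyz | udp |
| RU | 5.42.96.64:80 | 5.42.96.64 | tcp |
| RU | 193.233.132.234:80 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
"""

# Assumption: hosts the sandbox and the guest OS contact on their own.
NOISE_SUFFIXES = (".in-addr.arpa", "bing.com")
# Public "what is my IP" services the summary flags as external-IP lookups.
IP_LOOKUP_SERVICES = {"api.myip.com", "ipinfo.io"}
# Legitimate hosting the summary flags as abused for hosting or C2.
DEAD_DROP_SERVICES = {"pastebin.com"}


def parse_rows(text):
    """Turn the markdown-style table into dicts, fixing shifted columns."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        # Rows with no hostname have the protocol sitting in the Domain column.
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_noise(domain, ip):
    """Multicast, private and link-local peers plus known benign hostnames."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast or addr.is_private or addr.is_link_local:
        return True
    return domain.endswith(NOISE_SUFFIXES)


def classify(domain, ip):
    if domain in IP_LOOKUP_SERVICES:
        return "external-ip-lookup"
    if domain in DEAD_DROP_SERVICES:
        return "legitimate-service-possible-dead-drop"
    if domain == "" or domain == ip:
        return "direct-to-ip"
    return "uncategorised"


def triage(text):
    """Return deduplicated tagged connections and domains resolved but never contacted."""
    queried, connections, seen = set(), [], set()
    for row in parse_rows(text):
        if is_noise(row["domain"], row["ip"]):
            continue
        if row["port"] == 53 and row["proto"] == "udp":
            queried.add(row["domain"])  # DNS query, not a contact yet
            continue
        key = (row["ip"], row["port"], row["domain"])
        if key in seen:
            continue
        seen.add(key)
        connections.append({**row, "tag": classify(row["domain"], row["ip"])})
    contacted = {c["domain"] for c in connections}
    return {"connections": connections, "dns_only": sorted(queried - contacted)}


if __name__ == "__main__":
    result = triage(SAMPLE_NETWORK_TABLE)
    for c in result["connections"]:
        print(f'{c["ip"]}:{c["port"]}\t{c["domain"] or "-"}\t{c["tag"]}')
    print("resolved but never contacted:", ", ".join(result["dns_only"]))
```

Domains that appear only in a DNS row are worth keeping: in a sandbox run they often mean a server that was down or refused the connection, and a hunt on them is as valuable as one on the hosts that answered.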
Files
memory/716-0-0x00007FFCC05B3000-0x00007FFCC05B5000-memory.dmp
memory/716-1-0x000001F0A75A0000-0x000001F0A75AA000-memory.dmp
memory/716-2-0x000001F0C19C0000-0x000001F0C1A1E000-memory.dmp
memory/716-3-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp
memory/4332-4-0x0000000000400000-0x0000000000408000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjmbdxdt.onr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3436-5-0x000001F4B48D0000-0x000001F4B48F2000-memory.dmp
memory/3436-15-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp
memory/3436-16-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp
memory/3436-17-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp
memory/3436-20-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp
memory/716-21-0x00007FFCC05B0000-0x00007FFCC1071000-memory.dmp
C:\Users\Admin\Pictures\Ck5ne28mgyQKG6rKTaldVLnh.exe
| MD5 | 77f762f953163d7639dff697104e1470 |
| SHA1 | ade9fff9ffc2d587d50c636c28e4cd8dd99548d3 |
| SHA256 | d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea |
| SHA512 | d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499 |
C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe
| MD5 | 8ff1083b2490429a4ea0ecf8f5542c8c |
| SHA1 | 70ebf9b87666aab4db253e98e845ea440602a4cc |
| SHA256 | e43535ac108378521826695ae572ea24b4cde1a78b0016d3b5ebe82ff5934535 |
| SHA512 | c2f4d386f0b46ed9ed0716e3df086afb3ed360ea3afb74cb3dc0369311088332ae037269575722d5f60a12be9a242f505d32440ed294ad5170ec315c588b3c5c |
C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe
| MD5 | 34e8369309638e9468c65df8d546e9ec |
| SHA1 | f6296bdb66b9f188a9093d0f2e3edaf3dfd5ed9f |
| SHA256 | bc09d4cc90b0e7b582c6ed7010277377aff00042d7469cb2e9f11f775cef4605 |
| SHA512 | b792981f6e855fcab23dbb078f5aa2398c6c4175b4b151a656174b756de936bc388d2fa2c8432a9b9120256e5db9ebbfca38a12d60bc085f744988ef1a726c48 |
C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe
| MD5 | b4edadf4b8fc4c176cef6830ab7d3177 |
| SHA1 | 6f93a98295f5b4a514870db5c50d000f3d644264 |
| SHA256 | 241ec7b24544cef6c5762622c25c91621f0dd20c9154dcf20c83932d2c3496e5 |
| SHA512 | dc727e1cbe252fdfbc866ac4dad3d256038535b32d437d8d17e537c8723b1b8f51da6e0de4a7ac53295cf091fcf93591907f1bd2487618c542bc96e8616232dc |
C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe
| MD5 | d41fd1ea6e0ca0032be2174317f60fd8 |
| SHA1 | 60f001b9d201259aa333e9b202e4ab5648d16bf3 |
| SHA256 | 3c56d175e67df7e1664bbedd95abee57cf93a7aceaf80374ede4ce1fc4a30990 |
| SHA512 | a4ce799f1ce9157d053dcb1694dcb127d98e994eb55cecb484ace1c192cf80a1fbfb7b8de94851a49e915cafebc568f70ce07b912e5901387ed90639c692c16e |
memory/1140-115-0x0000000140000000-0x000000014097B000-memory.dmp
C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe
| MD5 | 6b605b6ca55b36b604074259dc4900cd |
| SHA1 | 34c783dd19894549b7c5acc4510e273833ed7e87 |
| SHA256 | e87f2fecb67fc73a90a1970615f0001bd762af53782ca23f4ab7f99e8c5164d0 |
| SHA512 | ed9ae702d705d7129da7f424fbd0f42b74938041dd30f7d3c6f0b976cb1e42afe14029306c21b35f32293f9354902119b491e2acc4abed2a2a3dd668d82d4f3c |
memory/1140-137-0x0000000140000000-0x000000014097B000-memory.dmp
memory/2924-141-0x0000000002790000-0x00000000027C6000-memory.dmp
memory/228-142-0x00000000056D0000-0x0000000005CF8000-memory.dmp
memory/228-143-0x00000000053E0000-0x0000000005402000-memory.dmp
memory/228-144-0x0000000005580000-0x00000000055E6000-memory.dmp
memory/228-145-0x0000000005E70000-0x0000000005ED6000-memory.dmp
memory/228-164-0x0000000005EE0000-0x0000000006234000-memory.dmp
memory/228-166-0x00000000064B0000-0x00000000064CE000-memory.dmp
memory/228-167-0x0000000006A90000-0x0000000006ADC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe
| MD5 | a33065159222d4c22e581ea419285701 |
| SHA1 | 6297d390c9d8c3b8c3340d8d38d46c1bbf32d354 |
| SHA256 | ddf2f47cbc0db66b326be096b46854a6ab59a2504688077bba0bbb42c4470ae2 |
| SHA512 | 2860dab79524b7db3f0b7771b8d402905a8096653d1c83e49e3827bb7cd739104848b691be16fbd898b81bfd4fcdd827fc4c8f72da6e91d565f02e59f5725f79 |
memory/228-179-0x0000000007680000-0x00000000076C4000-memory.dmp
memory/228-189-0x00000000077D0000-0x0000000007846000-memory.dmp
memory/228-190-0x0000000007ED0000-0x000000000854A000-memory.dmp
memory/228-191-0x0000000007870000-0x000000000788A000-memory.dmp
memory/228-193-0x0000000070380000-0x00000000703CC000-memory.dmp
memory/228-194-0x000000006FFF0000-0x0000000070344000-memory.dmp
memory/228-192-0x0000000007A10000-0x0000000007A42000-memory.dmp
memory/228-205-0x0000000007A70000-0x0000000007B13000-memory.dmp
memory/2924-206-0x0000000070380000-0x00000000703CC000-memory.dmp
memory/2924-207-0x000000006FFF0000-0x0000000070344000-memory.dmp
memory/228-204-0x0000000007A50000-0x0000000007A6E000-memory.dmp
memory/2924-217-0x00000000074D0000-0x00000000074DA000-memory.dmp
memory/2924-218-0x0000000007590000-0x0000000007626000-memory.dmp
memory/2924-219-0x00000000074F0000-0x0000000007501000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe
| MD5 | 397926927bca55be4a77839b1c44de6e |
| SHA1 | e10f3434ef3021c399dbba047832f02b3c898dbd |
| SHA256 | 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7 |
| SHA512 | cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954 |
memory/3652-234-0x0000000070380000-0x00000000703CC000-memory.dmp
memory/3652-235-0x000000006FFF0000-0x0000000070344000-memory.dmp
memory/228-246-0x0000000007BD0000-0x0000000007BDE000-memory.dmp
memory/228-247-0x0000000007BE0000-0x0000000007BF4000-memory.dmp
memory/228-248-0x0000000007CD0000-0x0000000007CEA000-memory.dmp
memory/228-249-0x0000000007C10000-0x0000000007C18000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | a6ea7bfcd3aac150c0caef765cb52281 |
| SHA1 | 037dc22c46a0eb0b9ad4c74088129e387cffe96b |
| SHA256 | f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9 |
| SHA512 | c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 46a4f71e5629582262e5f05e655db5c9 |
| SHA1 | 4879a9089582e792416a3acec38873ac7051b6da |
| SHA256 | 673d9ce3dc01edcae12b4086ae15d6bfe0387248fc2dc02ce8faff4c20a666d6 |
| SHA512 | 70a54fe357627c1342dcee851e37cebe3c8af94c858391a22db212da66801ba0b4627c7edc0a9d3bed66bd16440afe0adb0a0f3e9b426bd0e7bd16719f50c6fc |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c68f749c595bf5c0ad71f7604c7b0cdb |
| SHA1 | 18dd0f6de70826f5c49c82792bb8ac9b28fb6f32 |
| SHA256 | 60751e4bed7352036d20ecc7938098fec4775822de4033211b2aa452cadd5a43 |
| SHA512 | fd2880d78e8b905310d2ba8075ba791fd31b0443221664a760d95a5ef8b83f0b75f06091e535313ce3f306bb9ac4bfd2d676ccda5530e0d15164b3df7a2bdd74 |
memory/1428-276-0x00000000057D0000-0x0000000005B24000-memory.dmp
memory/3172-278-0x0000000000400000-0x0000000002B1E000-memory.dmp
memory/2240-279-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/244-280-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/3936-282-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/1224-281-0x0000000000400000-0x0000000002ED5000-memory.dmp
memory/1428-285-0x000000006FEA0000-0x00000000701F4000-memory.dmp
memory/1428-284-0x0000000070380000-0x00000000703CC000-memory.dmp
memory/1224-298-0x0000000000400000-0x0000000002ED5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | a4db32123183147315cead49e5dc7e50 |
| SHA1 | 82ec33edbfe8991f3bff76015f18122cbb2a8dbe |
| SHA256 | 01f95fb835e593bb0ba455e11495b38879b0cf5425357386986aa8351373995e |
| SHA512 | 4106a2551ed5268867110e6ecc2b32f7ca21ea5463c7954fc2ffcdfd915702f310534975c77dcf7c5d09817d07fb1c8ac7cf1db9ec82968df9051b8d09383e59 |
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt
| MD5 | 0e4cb70ab5a08154c9b41f1d2a9f47ed |
| SHA1 | 3dabc6decfd17b43882a309f0282406319dfae14 |
| SHA256 | 7fd93184220879869ac10380d0d0bd8892586491cae5c94957651e9dde0e3d0a |
| SHA512 | 3f77f89d65acf37081dcf1c8c31f0c65851456233bbfe613aa35feccfa36179b4375686f25ad27804e5ec78e9a062e9b48e7cbc6c9c3c7df25bcf8ae96c82684 |
memory/3012-330-0x0000000000400000-0x00000000008AD000-memory.dmp
memory/4520-332-0x000002735F9E0000-0x0000027363214000-memory.dmp
memory/4520-336-0x0000027365050000-0x0000027365064000-memory.dmp
memory/4520-337-0x000002737D9A0000-0x000002737D9C4000-memory.dmp
memory/4520-335-0x0000027365060000-0x000002736506C000-memory.dmp
memory/4520-334-0x0000027363640000-0x0000027363650000-memory.dmp
memory/4520-333-0x000002737DBF0000-0x000002737DCFA000-memory.dmp
memory/4520-339-0x0000027365030000-0x000002736503A000-memory.dmp
memory/4520-340-0x000002737DB10000-0x000002737DBC2000-memory.dmp
memory/4520-342-0x000002737DEC0000-0x000002737DF10000-memory.dmp
memory/4520-341-0x000002737DE40000-0x000002737DE6A000-memory.dmp
memory/4520-343-0x0000027365040000-0x000002736504A000-memory.dmp
memory/4520-347-0x000002737DF10000-0x000002737E210000-memory.dmp
memory/4520-349-0x000002737FB60000-0x000002737FB68000-memory.dmp
memory/4520-352-0x000002737FB80000-0x000002737FB88000-memory.dmp
memory/4520-351-0x000002737FB70000-0x000002737FB7E000-memory.dmp
memory/4520-350-0x000002737FE50000-0x000002737FE88000-memory.dmp
memory/4520-355-0x0000027303600000-0x0000027303622000-memory.dmp
memory/4520-354-0x00000273035A0000-0x0000027303602000-memory.dmp
memory/4520-353-0x0000027303580000-0x000002730358A000-memory.dmp
memory/4520-356-0x0000027303B50000-0x0000027304078000-memory.dmp
memory/4520-359-0x0000027303300000-0x000002730330C000-memory.dmp
memory/4520-360-0x000002737FF10000-0x000002737FF86000-memory.dmp
memory/4520-361-0x000002737E230000-0x000002737E24E000-memory.dmp
memory/4520-368-0x0000027363660000-0x00000273636FA000-memory.dmp
memory/4240-369-0x0000000000400000-0x0000000002AF2000-memory.dmp
memory/3864-410-0x0000000005950000-0x0000000005CA4000-memory.dmp
memory/3864-411-0x0000000006320000-0x000000000636C000-memory.dmp
memory/392-412-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3864-451-0x000000006F8E0000-0x000000006F92C000-memory.dmp
memory/3864-462-0x0000000006DC0000-0x0000000006E63000-memory.dmp
memory/3864-452-0x000000006F930000-0x000000006FC84000-memory.dmp
memory/3864-475-0x00000000072A0000-0x00000000072B1000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/3864-495-0x00000000072F0000-0x0000000007304000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/2992-515-0x000000006F8E0000-0x000000006F92C000-memory.dmp
memory/2992-516-0x000000006F930000-0x000000006FC84000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 62413e2f215769b4ac2949e5199f26ab |
| SHA1 | a9a2fce39fae107a0024433c180b60e6626e0f17 |
| SHA256 | be425c1030f2a70de4f59b8481e292110a73e7326640b0a69bc47e86a75e3983 |
| SHA512 | 4ecbe548db9fd63bde2771ec6b72ec3d8455e661763666611921764590eb5d02c910cac98df1554600620178f235302e438cbcdf01bf6bcf8b7e4088fc3ce6f5 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
memory/1120-537-0x0000000006250000-0x00000000065A4000-memory.dmp
memory/1120-543-0x0000000006EC0000-0x0000000006F0C000-memory.dmp
memory/1120-554-0x000000006FED0000-0x000000006FF1C000-memory.dmp
memory/1120-555-0x0000000070070000-0x00000000703C4000-memory.dmp
memory/1120-565-0x0000000007B90000-0x0000000007C33000-memory.dmp
memory/1120-566-0x0000000006700000-0x0000000006711000-memory.dmp
memory/864-567-0x000000006FED0000-0x000000006FF1C000-memory.dmp
memory/864-568-0x0000000070070000-0x00000000703C4000-memory.dmp
memory/1120-578-0x0000000006740000-0x0000000006754000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b3f201f681dcef7b67772facc4f4c55b |
| SHA1 | ec5bfebd3123c092c2f6b3572c094518e9766bae |
| SHA256 | f63f89c74b2bfb5b779b60767894ea904e2fc1c73d624807f5929d793e042710 |
| SHA512 | b9b395fb56a50815063b2b68f655ec695e8f148ba8abd188668ba723ba5ccb81f505d87b4b29cd30aca39bdf971bc5e34a6ddef1ce1acf97a8f2a05c05ed65d5 |
memory/2896-611-0x0000000070070000-0x00000000703C4000-memory.dmp
memory/2896-610-0x000000006FED0000-0x000000006FF1C000-memory.dmp