Malware Analysis Report

2025-08-11 06:21

Sample ID 240527-rh1wmsgc52
Target 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe
SHA256 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a
Tags
persistence spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a

Threat Level: Known bad

The file 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe was found to be: Known bad.

Malicious Activity Summary

persistence spyware stealer

Modifies WinLogon for persistence

Process spawned unexpected child process

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 14:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 14:12

Reported

2024-05-27 14:14

Platform

win7-20240508-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppPatch\\fr-FR\\csrss.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\spoolsv.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\Idle.exe\", \"C:\\Users\\Default User\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppPatch\\fr-FR\\csrss.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\spoolsv.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\Idle.exe\", \"C:\\Users\\Default User\\csrss.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppPatch\\fr-FR\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppPatch\\fr-FR\\csrss.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\AppPatch\\fr-FR\\csrss.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\spoolsv.exe\", \"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\AppPatch\\fr-FR\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\spoolsv.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\explorer.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\AppPatch\\fr-FR\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Recovery\\96702242-0d98-11ef-bfa8-5aba25856535\\Idle.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Default User\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\hccjfr.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\CSCC5A5918A6661467091E1B034B188881D.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\Office14\1033\explorer.exe C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\7a0fd90576e088 C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\AppPatch\fr-FR\csrss.exe C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Windows\AppPatch\fr-FR\886983d96e3d3e C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Windows\AppPatch\fr-FR\csrss.exe C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Token: SeDebugPrivilege N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1244 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 2620 wrote to memory of 2592 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1244 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe C:\Windows\System32\cmd.exe
PID 2348 wrote to memory of 2764 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2348 wrote to memory of 2756 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2348 wrote to memory of 808 N/A C:\Windows\System32\cmd.exe C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe

"C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\fr-FR\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppPatch\fr-FR\csrss.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bxgxxmbu\bxgxxmbu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES251D.tmp" "c:\Windows\System32\CSCC5A5918A6661467091E1B034B188881D.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2jOVRNz9g.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe

"C:\Recovery\96702242-0d98-11ef-bfa8-5aba25856535\Idle.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 expectum.top udp
US 104.21.56.224:80 expectum.top tcp
US 104.21.56.224:80 expectum.top tcp

Files

C:\Program Files\Microsoft Office\Office14\1033\explorer.exe

MD5 20d1a291ba22e0d37ba1c9ef7c4f2a8e
SHA1 977deb9b18a8599aac68cfd86fd95219a54fc8c4
SHA256 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a
SHA512 662369dcf70c1abe0142a139f950df672d62b3dbda910a804b6ef6a76280fa543aba4d1a9e52bea1584cdc0c674110b7a11fb0948be82e27c77e92b465f16d42

\??\c:\Users\Admin\AppData\Local\Temp\bxgxxmbu\bxgxxmbu.cmdline

MD5 c6b800b26f107488b8d146acb065fb19
SHA1 d51c40e021dc035487da89306745f764c85d2839
SHA256 55283da17fde8558e5e45a4703a336e3b56b6a1b471cd1105f00fcfb204d849e
SHA512 f583dc41239f6a5aad2630cc9ab3295a343d2a977bf6f3c528d54a0baf990d8e4ee839de617b68268a265ac428f63e0b8b57843303d3dd9fcbe37e423afd14e6

\??\c:\Users\Admin\AppData\Local\Temp\bxgxxmbu\bxgxxmbu.0.cs

MD5 b9f4990c2e8d3609b2f2df9ff81d7b09
SHA1 d83a54fe9369e4057b15907bf0ca60d4079807b9
SHA256 2011d42e0eedfd93cbb929fc221231e63620df7de1c77367d1d751fa640daac2
SHA512 93915f49e17dc1f5f66c9ecb485846b61ab14cefc279d1540117c5dbe503a55923d78fcc003b5779bc79f5559b5138bf1fa5de9fe5f31b485660092257904cf8

\??\c:\Windows\System32\CSCC5A5918A6661467091E1B034B188881D.TMP

MD5 707f3ae17d1443518c14e3d57f6b0fa5
SHA1 78ac15700b932222fa2ce60142966a1716c90838
SHA256 1fafc870513c7e90d1f2569dd473478821fb4798e8eb51e1f8a1620b3bf29aea
SHA512 ac3805f209da253c7eb6758d472a7c6a084392594a4dd7389dc926181933f9333fa0a74d7f749bc7ecb0b901afa5cad91d64d62989122acd3f4b583c3a4e2c9f

C:\Users\Admin\AppData\Local\Temp\RES251D.tmp

MD5 3a156091a0ffc2281285ccdc06bbcf34
SHA1 a209b338825a99ea460cb45837181081f7242351
SHA256 8d9db717316096aaa67a834ebcf54c69f3a271252e1b884dd4fb68ccdac2aa81
SHA512 9e340653996193ca0356bbec25200a16aede5660c2f49f5fa1ea76394772bf200c0004d46838393fa013d42e5e39db7af805480030f96f7182920f720ce1155a

C:\Users\Admin\AppData\Local\Temp\S2jOVRNz9g.bat

MD5 baf407747e823a53d559b9615e73593d
SHA1 c497fd07b8b613d7b94d9332dc8c4169b617a095
SHA256 c25bf4efe912930e004c0d0fa4bef9b81bb5627efdf23b30a6c33a066c9dec94
SHA512 9c1c4dd5967411e6f3b111d65bc889675c40c9b6c26f71eaea2570008988e8876a84fb1f78285d5baec3b881a2f15289a63cc8dd6e77c96ed0608764d0ff1750

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 14:12

Reported

2024-05-27 14:14

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\", \"C:\\Windows\\L2Schemas\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\", \"C:\\Windows\\L2Schemas\\upfc.exe\", \"C:\\Windows\\Offline Web Pages\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\", \"C:\\Windows\\L2Schemas\\upfc.exe\", \"C:\\Windows\\Offline Web Pages\\RuntimeBroker.exe\", \"C:\\Program Files\\dotnet\\host\\fxr\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\L2Schemas\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Offline Web Pages\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\dotnet\\host\\fxr\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BackgroundTransferHost = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upfc = "\"C:\\Windows\\L2Schemas\\upfc.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\Offline Web Pages\\RuntimeBroker.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\dotnet\\host\\fxr\\smss.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BackgroundTransferHost = "\"C:\\Program Files\\Windows Media Player\\ja-JP\\BackgroundTransferHost.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\SearchApp.exe\"" C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created \??\c:\Windows\System32\CSC3FA59D6F4674283A142CBCBDF86EAD8.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\cjmmco.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\dotnet\host\fxr\smss.exe C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Program Files\dotnet\host\fxr\69ddcba757bf72 C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File opened for modification C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Program Files\Windows Media Player\ja-JP\766532ba8a13d2 C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\38384e6a620884 C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Offline Web Pages\9e8d7a4ca61bd9 C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Windows\L2Schemas\upfc.exe C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Windows\L2Schemas\ea1d8f6d871115 C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
File created C:\Windows\Offline Web Pages\RuntimeBroker.exe C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 1512 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
PID 4188 wrote to memory of 5012 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4188 wrote to memory of 5012 N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 1512 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe C:\Windows\System32\cmd.exe
PID 1512 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe C:\Windows\System32\cmd.exe
PID 4516 wrote to memory of 212 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4516 wrote to memory of 212 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4516 wrote to memory of 5108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4516 wrote to memory of 5108 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 4516 wrote to memory of 2504 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe
PID 4516 wrote to memory of 2504 N/A C:\Windows\System32\cmd.exe C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe

"C:\Users\Admin\AppData\Local\Temp\7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BackgroundTransferHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BackgroundTransferHostB" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\ja-JP\BackgroundTransferHost.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtbqvaux\gtbqvaux.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E32.tmp" "c:\Windows\System32\CSC3FA59D6F4674283A142CBCBDF86EAD8.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\upfc.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Windows\L2Schemas\upfc.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\dotnet\host\fxr\smss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\dotnet\host\fxr\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\dotnet\host\fxr\smss.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bFI9bmS0b9.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\SearchApp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 expectum.top udp
US 172.67.156.35:80 expectum.top tcp
US 172.67.156.35:80 expectum.top tcp
US 8.8.8.8:53 35.156.67.172.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 25.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 24.173.189.20.in-addr.arpa udp

Files

memory/1512-0-0x00000000007E0000-0x00000000009EA000-memory.dmp

memory/1512-1-0x00007FFFBA0C3000-0x00007FFFBA0C5000-memory.dmp

memory/1512-2-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-3-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-4-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-6-0x0000000002AB0000-0x0000000002ABE000-memory.dmp

memory/1512-8-0x0000000002C40000-0x0000000002C5C000-memory.dmp

memory/1512-10-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-9-0x000000001B920000-0x000000001B970000-memory.dmp

memory/1512-12-0x0000000002C60000-0x0000000002C78000-memory.dmp

memory/1512-17-0x0000000002C20000-0x0000000002C2C000-memory.dmp

memory/1512-15-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-21-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-20-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-19-0x000000001B580000-0x000000001B592000-memory.dmp

memory/1512-14-0x0000000002AC0000-0x0000000002ACE000-memory.dmp

memory/1512-22-0x000000001BEA0000-0x000000001C3C8000-memory.dmp

memory/1512-27-0x0000000002C80000-0x0000000002C8C000-memory.dmp

memory/1512-28-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-25-0x0000000002C30000-0x0000000002C3E000-memory.dmp

memory/1512-23-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-29-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

C:\Program Files\dotnet\host\fxr\smss.exe

MD5 20d1a291ba22e0d37ba1c9ef7c4f2a8e
SHA1 977deb9b18a8599aac68cfd86fd95219a54fc8c4
SHA256 7e052903db8c20022280f156834b9af172c7877b7253104562f77d61f8c3de6a
SHA512 662369dcf70c1abe0142a139f950df672d62b3dbda910a804b6ef6a76280fa543aba4d1a9e52bea1584cdc0c674110b7a11fb0948be82e27c77e92b465f16d42

memory/1512-40-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

memory/1512-41-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\gtbqvaux\gtbqvaux.cmdline

MD5 43eaf735f8ad2557325442ae4f32bd76
SHA1 1ca98fe954036deb5bfbee9ef3e949373be16b47
SHA256 08f4b0687cc37ae031bad573ced77070e3f5d3290e4cb8ef8e5d634d19f3fdff
SHA512 1988a8d5781242e5d03b94c032b509a05447cfda95b9688a42903122558596fe8bd4d9449fa4d080622f484177413f551aa09507c2909f26309df23e6967f3b9

\??\c:\Users\Admin\AppData\Local\Temp\gtbqvaux\gtbqvaux.0.cs

MD5 98e4ad8f3f577e69a7ec66e82dce6472
SHA1 cd7272b0ce9af065055f834823c4af1808d00116
SHA256 a37d681ac80bb09e54efc8f588904ed5db91e13fe3ed7b9e0ecea2bdad32bc2c
SHA512 824b14647297a12ba1013a228079662e9ea3f430c42f179510b0403c75971563ca706a3aba0c8ccde5dd3768954674d5f2df90a2ce7f19bd6407a946e54d9e83

C:\Users\Admin\AppData\Local\Temp\RES3E32.tmp

MD5 d111cefaa2e132a433bd265310351148
SHA1 397af57e8ac90f89dca5f4a1cee7f0689f3fdbdf
SHA256 1386452aa5b8ce6f5501988b6d7308d49d135d8d7c873a0c614b914df70b409f
SHA512 a717006e2e55fed38d9684bd911c74ca1c0a8bc8b920d6c5e13b42e7236fd62cbfe2b68b5fc07de09ffcfa3ba73d76f0bfc8cf9395b16f6f66edbb1ed4e883bf

memory/1512-57-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

\??\c:\Windows\System32\CSC3FA59D6F4674283A142CBCBDF86EAD8.TMP

MD5 0e0a242f8f023c943e845e3326f7e233
SHA1 0e271c02e32fa6b6b4b0b27c8cdc4e4afb5b2d78
SHA256 31740b218505867f934d13c16295f7c1a57045d8e4c0079799b9caa067b2411c
SHA512 b7528fd87e6964e8e7c2743dca777d9f905750eaab7ef2683cb49e5b3b42cdce20736fce312856117af968a9c24e8cfee05f453cdbfa3cc12136dbb4a34d71db

memory/1512-60-0x000000001BDB0000-0x000000001BE59000-memory.dmp

memory/1512-61-0x00007FFFBA0C0000-0x00007FFFBAB81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bFI9bmS0b9.bat

MD5 047eaea9b53b2712d0f1c81fd2b29ab1
SHA1 d201aa817091945e49ee6473aa189fa1dd4b94ae
SHA256 46f27e9670b1a09f5f65d7128ceb7dfc7e1ae2f7c959ec21a3e7ad2dfe70d449
SHA512 9f7545228e206ae0bd8ee50e3cce603583daba3b0e59f07e94975ce2e1a9fd4e01c333c7d309c96b2c136a587a1cd08c3e46325bd3c706f748e86c964c72e8d2

memory/2504-74-0x000000001BFA0000-0x000000001C049000-memory.dmp