Analysis Overview
SHA256
406d3c343fac7b3b70790be2ee88c7aef0a43c0aa71ee9e501847bb58df9caa3
Threat Level: Known bad
The file 406d3c343fac7b3b70790be2ee88c7aef0a43c0aa71ee9e501847bb58df9caa3 was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
RedLine payload
Glupteba
Amadey
RedLine
SmokeLoader
Glupteba payload
Detected Djvu ransomware
Suspicious use of NtCreateUserProcessOtherParentProcess
Stops running service(s)
Downloads MZ/PE file
Drops file in Drivers directory
Modifies Windows Firewall
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Modifies file permissions
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Unsigned PE
Program crash
Uses Task Scheduler COM API
outlook_win_path
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
outlook_office_path
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-15 11:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-15 11:35
Reported
2023-10-15 11:38
Platform
win10v2004-20230915-en
Max time kernel
127s
Max time network
153s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 996 created 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe | C:\Windows\Explorer.EXE |
| PID 996 created 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe | C:\Windows\Explorer.EXE |
| PID 996 created 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe | C:\Windows\Explorer.EXE |
| PID 996 created 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe | C:\Windows\Explorer.EXE |
| PID 996 created 1084 | N/A | C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe | C:\Windows\Explorer.EXE |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\170D.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\32B7.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d25d5cbb-611d-457a-b30e-17c0eb7d1d06\\170D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\170D.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5008 set thread context of 5088 | N/A | C:\Users\Admin\AppData\Local\Temp\170D.exe | C:\Users\Admin\AppData\Local\Temp\170D.exe |
| PID 4804 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\18D3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 744 set thread context of 388 | N/A | C:\Users\Admin\AppData\Local\Temp\170D.exe | C:\Users\Admin\AppData\Local\Temp\170D.exe |
| PID 2456 set thread context of 4288 | N/A | C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe |
| PID 700 set thread context of 964 | N/A | C:\Users\Admin\AppData\Local\Temp\270D.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\170D.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\406d3c343fac7b3b70790be2ee88c7aef0a43c0aa71ee9e501847bb58df9caa3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\406d3c343fac7b3b70790be2ee88c7aef0a43c0aa71ee9e501847bb58df9caa3.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\406d3c343fac7b3b70790be2ee88c7aef0a43c0aa71ee9e501847bb58df9caa3.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1662 = "Bahia Standard Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\687E.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\406d3c343fac7b3b70790be2ee88c7aef0a43c0aa71ee9e501847bb58df9caa3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\406d3c343fac7b3b70790be2ee88c7aef0a43c0aa71ee9e501847bb58df9caa3.exe
"C:\Users\Admin\AppData\Local\Temp\406d3c343fac7b3b70790be2ee88c7aef0a43c0aa71ee9e501847bb58df9caa3.exe"
C:\Users\Admin\AppData\Local\Temp\170D.exe
C:\Users\Admin\AppData\Local\Temp\170D.exe
C:\Users\Admin\AppData\Local\Temp\18D3.exe
C:\Users\Admin\AppData\Local\Temp\18D3.exe
C:\Users\Admin\AppData\Local\Temp\170D.exe
C:\Users\Admin\AppData\Local\Temp\170D.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d25d5cbb-611d-457a-b30e-17c0eb7d1d06" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\270D.exe
C:\Users\Admin\AppData\Local\Temp\270D.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\2B73.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\2B73.dll
C:\Users\Admin\AppData\Local\Temp\170D.exe
"C:\Users\Admin\AppData\Local\Temp\170D.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\32B7.exe
C:\Users\Admin\AppData\Local\Temp\32B7.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\170D.exe
"C:\Users\Admin\AppData\Local\Temp\170D.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 388 -ip 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 388 -s 568
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\687E.exe
C:\Users\Admin\AppData\Local\Temp\687E.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Users\Admin\AppData\Local\Temp\687E.exe
"C:\Users\Admin\AppData\Local\Temp\687E.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| NL | 194.169.175.127:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| US | 95.214.27.254:80 | 95.214.27.254 | tcp |
| US | 8.8.8.8:53 | 254.27.214.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | parrotnight.com | udp |
| US | 188.114.96.0:443 | parrotnight.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| FR | 51.255.152.132:36011 | tcp | |
| RU | 31.41.244.27:41140 | tcp | |
| US | 8.8.8.8:53 | 27.244.41.31.in-addr.arpa | udp |
| FR | 51.255.152.132:36011 | tcp | |
| US | 8.8.8.8:53 | 99040e69-9764-4728-aca4-d85170ac19d7.uuid.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| FR | 51.255.152.132:36011 | tcp |
Files
memory/4808-1-0x0000000000690000-0x0000000000790000-memory.dmp
memory/4808-2-0x0000000000650000-0x000000000065B000-memory.dmp
memory/4808-3-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/1084-4-0x0000000002A50000-0x0000000002A66000-memory.dmp
memory/4808-5-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/4808-8-0x0000000000650000-0x000000000065B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\170D.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\170D.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\18D3.exe
| MD5 | 5b293206e810d2871736e1ecbd9cc196 |
| SHA1 | 47c0baadfba1876cb8ffdff6f057f16f2076197f |
| SHA256 | f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628 |
| SHA512 | 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32 |
memory/5008-23-0x0000000004920000-0x00000000049C2000-memory.dmp
memory/5008-24-0x00000000049D0000-0x0000000004AEB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\170D.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/5088-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5088-26-0x0000000000400000-0x0000000000537000-memory.dmp
memory/5088-29-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\18D3.exe
| MD5 | 5b293206e810d2871736e1ecbd9cc196 |
| SHA1 | 47c0baadfba1876cb8ffdff6f057f16f2076197f |
| SHA256 | f31ce717ef107b5c0901a0c8581553b71ad7a09180e28a1575b0955905519628 |
| SHA512 | 110ae30f84747fb35cc75f6b2608aea5f90f25c3b2c49105deedc121d2ab8036949f58acc3d436b5d4584c9c1a7a30bac74f501b786f4e71d6414950d19fbb32 |
memory/5088-30-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\270D.exe
| MD5 | 22b5ba8e29ad46aea74520369763650a |
| SHA1 | 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec |
| SHA256 | ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec |
| SHA512 | 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead |
C:\Users\Admin\AppData\Local\d25d5cbb-611d-457a-b30e-17c0eb7d1d06\170D.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
C:\Users\Admin\AppData\Local\Temp\2B73.dll
| MD5 | 55f1c499b31e58a29f6dacea7580fb69 |
| SHA1 | c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a |
| SHA256 | b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854 |
| SHA512 | 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1 |
C:\Users\Admin\AppData\Local\Temp\2B73.dll
| MD5 | 55f1c499b31e58a29f6dacea7580fb69 |
| SHA1 | c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a |
| SHA256 | b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854 |
| SHA512 | 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1 |
memory/3284-46-0x0000000010000000-0x0000000010251000-memory.dmp
memory/3284-45-0x0000000000AA0000-0x0000000000AA6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\32B7.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\32B7.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2732-56-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/5088-62-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\170D.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/744-66-0x0000000004770000-0x000000000480F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\170D.exe
| MD5 | b5a49d7c6a9c31248c0676d0fc921967 |
| SHA1 | e2226592e6cebf82f5de1e76380bbb01291344bb |
| SHA256 | e62936b1d28e5d77393275f6075ec71d424568469a2c7b6cec687553aeacfb22 |
| SHA512 | 20f3f6b77bf6fb5c090730410bd110c017a92a9cae407850d9c254491fd0aca2d14ef7c3b94ca112ca6725360d2264188a335addd8c79d4b7ffde0832a0bbe8c |
memory/388-69-0x0000000000400000-0x0000000000537000-memory.dmp
memory/388-70-0x0000000000400000-0x0000000000537000-memory.dmp
memory/388-72-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2732-73-0x0000000072B90000-0x0000000073340000-memory.dmp
memory/3284-74-0x0000000000E30000-0x0000000000F4B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe
| MD5 | 9ecbc5150ec5c879ba5d6ea97af9ce82 |
| SHA1 | 809e06075c153db0a2bbae74cdb2f1d8486142bb |
| SHA256 | b7290012dcfee67e719bb2fb016857224e7169974d7ccc71226e5d322ec84395 |
| SHA512 | 5d8dfe190604c973257d6a9604a05b271cf6b9543094c24d3ed37abd2c77ce2485f03f3b6aec3622370b1d4aeb2283c798e515c339e0786eccc075cfc01e19d6 |
memory/2732-81-0x0000000007DC0000-0x0000000008364000-memory.dmp
memory/2732-84-0x00000000078B0000-0x0000000007942000-memory.dmp
memory/3284-85-0x0000000002AB0000-0x0000000002BB1000-memory.dmp
memory/3284-86-0x0000000002AB0000-0x0000000002BB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe
| MD5 | 9ecbc5150ec5c879ba5d6ea97af9ce82 |
| SHA1 | 809e06075c153db0a2bbae74cdb2f1d8486142bb |
| SHA256 | b7290012dcfee67e719bb2fb016857224e7169974d7ccc71226e5d322ec84395 |
| SHA512 | 5d8dfe190604c973257d6a9604a05b271cf6b9543094c24d3ed37abd2c77ce2485f03f3b6aec3622370b1d4aeb2283c798e515c339e0786eccc075cfc01e19d6 |
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe
| MD5 | 9ecbc5150ec5c879ba5d6ea97af9ce82 |
| SHA1 | 809e06075c153db0a2bbae74cdb2f1d8486142bb |
| SHA256 | b7290012dcfee67e719bb2fb016857224e7169974d7ccc71226e5d322ec84395 |
| SHA512 | 5d8dfe190604c973257d6a9604a05b271cf6b9543094c24d3ed37abd2c77ce2485f03f3b6aec3622370b1d4aeb2283c798e515c339e0786eccc075cfc01e19d6 |
memory/3284-93-0x0000000002AB0000-0x0000000002BB1000-memory.dmp
memory/2456-96-0x0000000000600000-0x0000000000609000-memory.dmp
memory/2456-95-0x0000000000610000-0x0000000000710000-memory.dmp
memory/3284-97-0x0000000002AB0000-0x0000000002BB1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe
| MD5 | 9ecbc5150ec5c879ba5d6ea97af9ce82 |
| SHA1 | 809e06075c153db0a2bbae74cdb2f1d8486142bb |
| SHA256 | b7290012dcfee67e719bb2fb016857224e7169974d7ccc71226e5d322ec84395 |
| SHA512 | 5d8dfe190604c973257d6a9604a05b271cf6b9543094c24d3ed37abd2c77ce2485f03f3b6aec3622370b1d4aeb2283c798e515c339e0786eccc075cfc01e19d6 |
memory/4288-98-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe
| MD5 | 62962daa1b19bbcc2db10b7bfd531ea6 |
| SHA1 | d64bae91091eda6a7532ebec06aa70893b79e1f8 |
| SHA256 | 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880 |
| SHA512 | 9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7 |
memory/4288-105-0x0000000000400000-0x0000000000409000-memory.dmp
memory/700-106-0x00007FF79E960000-0x00007FF79F2B1000-memory.dmp
memory/2732-117-0x0000000072B90000-0x0000000073340000-memory.dmp
memory/4288-119-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1084-118-0x0000000002BA0000-0x0000000002BB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 054027c231309266ea180ae242c0eee7 |
| SHA1 | 7aeeb1204f6a1e2844809f395a1fe19b5a37d10e |
| SHA256 | ea59c65d122c2f009b0160441f483630cc14bf36a1558d5a2c43ed14b74fe45b |
| SHA512 | 6c2691973ca1c79648f5d48d5ed7de34af4c2ee04fb54046e51f57c9f5480821d38fa8c4fe0a736a74e1bf2f5ac00b869561dae159453c0fa64a4a000911cf7c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | b3cc1eab5e14e2d7a01804b22ecf4043 |
| SHA1 | 1883aeaac8649c5b6848f2131ec56464b964f8fc |
| SHA256 | 25d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324 |
| SHA512 | adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | f9f228ebc8114749991a36666ffd02fd |
| SHA1 | 9f82db7873e1d15a96986ac44a9e6ada75609ebb |
| SHA256 | 286665666c9362c602448232c7484fd6719dd3901f557a9c828a7567c6ce33c7 |
| SHA512 | ddfa7d3ed2d5065670bf85a0348c1b805c1ecc3f6262fd2783bc36675e73279cc569703b04fed45956409949c0df2e9f61d3ec8a3d7e4dbdcddc3e7dbc52e32d |
memory/700-130-0x00007FF79E960000-0x00007FF79F2B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\687E.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/2732-144-0x0000000007AA0000-0x0000000007AB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\687E.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/700-147-0x00007FF79E960000-0x00007FF79F2B1000-memory.dmp
memory/3796-151-0x0000000004C40000-0x000000000503B000-memory.dmp
memory/3796-152-0x0000000005140000-0x0000000005A2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/2732-159-0x0000000007AA0000-0x0000000007AB0000-memory.dmp
memory/3796-162-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1300-177-0x0000000000CA0000-0x0000000000D0B000-memory.dmp
memory/2732-176-0x0000000007D10000-0x0000000007D1A000-memory.dmp
memory/700-178-0x00007FF79E960000-0x00007FF79F2B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/1300-181-0x0000000000D10000-0x0000000000D90000-memory.dmp
memory/1300-182-0x0000000000CA0000-0x0000000000D0B000-memory.dmp
memory/3796-183-0x0000000004C40000-0x000000000503B000-memory.dmp
memory/932-184-0x0000000000140000-0x000000000014C000-memory.dmp
memory/932-189-0x0000000000140000-0x000000000014C000-memory.dmp
memory/3796-188-0x0000000005140000-0x0000000005A2B000-memory.dmp
memory/2732-210-0x0000000008990000-0x0000000008FA8000-memory.dmp
memory/1300-212-0x0000000000CA0000-0x0000000000D0B000-memory.dmp
memory/2732-211-0x0000000008480000-0x000000000858A000-memory.dmp
memory/2732-213-0x0000000008390000-0x00000000083A2000-memory.dmp
memory/2732-214-0x00000000083F0000-0x000000000842C000-memory.dmp
memory/2732-215-0x0000000008430000-0x000000000847C000-memory.dmp
memory/3796-216-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3804-217-0x00000000046D0000-0x0000000004706000-memory.dmp
memory/3804-219-0x0000000004840000-0x0000000004850000-memory.dmp
memory/3804-218-0x0000000072B90000-0x0000000073340000-memory.dmp
memory/3804-220-0x0000000004E80000-0x00000000054A8000-memory.dmp
memory/3796-223-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3804-226-0x00000000054B0000-0x00000000054D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jciwlkai.f0m.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3804-234-0x00000000056D0000-0x0000000005736000-memory.dmp
memory/3804-235-0x00000000057B0000-0x0000000005816000-memory.dmp
memory/3804-236-0x00000000058A0000-0x0000000005BF4000-memory.dmp
memory/3804-237-0x0000000005CE0000-0x0000000005CFE000-memory.dmp
memory/3804-240-0x0000000006210000-0x0000000006254000-memory.dmp
memory/700-241-0x00007FF79E960000-0x00007FF79F2B1000-memory.dmp
memory/996-242-0x00007FF7AC230000-0x00007FF7AC7D1000-memory.dmp
memory/3804-243-0x0000000004840000-0x0000000004850000-memory.dmp
memory/3804-244-0x0000000006E00000-0x0000000006E76000-memory.dmp
memory/3804-245-0x0000000072B90000-0x0000000073340000-memory.dmp
memory/3804-246-0x0000000007740000-0x0000000007DBA000-memory.dmp
memory/3804-247-0x00000000070C0000-0x00000000070DA000-memory.dmp
memory/3804-248-0x0000000004840000-0x0000000004850000-memory.dmp
memory/3804-249-0x0000000004840000-0x0000000004850000-memory.dmp
memory/3804-250-0x000000007F070000-0x000000007F080000-memory.dmp
memory/3804-251-0x0000000007290000-0x00000000072C2000-memory.dmp
memory/3804-252-0x0000000074360000-0x00000000743AC000-memory.dmp
memory/3804-253-0x000000006C550000-0x000000006C8A4000-memory.dmp
memory/3804-263-0x0000000007270000-0x000000000728E000-memory.dmp
memory/3804-264-0x00000000072D0000-0x0000000007373000-memory.dmp
memory/3804-265-0x00000000073B0000-0x00000000073BA000-memory.dmp
memory/964-266-0x0000000000910000-0x000000000096A000-memory.dmp
memory/700-267-0x00007FF79E960000-0x00007FF79F2B1000-memory.dmp
memory/3796-268-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/3804-269-0x0000000007470000-0x0000000007506000-memory.dmp
memory/964-270-0x0000000072B90000-0x0000000073340000-memory.dmp
memory/964-271-0x0000000007540000-0x0000000007550000-memory.dmp
memory/3804-272-0x00000000073F0000-0x0000000007401000-memory.dmp
memory/3804-273-0x0000000007430000-0x000000000743E000-memory.dmp
memory/3804-274-0x0000000007440000-0x0000000007454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\687E.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/3796-288-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2808-343-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c809136afa64f6b350019fe0645e0fda |
| SHA1 | 12f34bec3458fefbafddbd03000bec0f034560e0 |
| SHA256 | 0ee094fdb01d74d173e92ada7250c754f430226007d955675cacde996d9aab3f |
| SHA512 | e70bb15016ba7e236d4e2e390236839f0984662fb4e87ddbc9cebd45747c75c680ad09acf38ea59a9b120f91cc8700a05b41abd4c3661b5959767b0d75d87bbd |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/996-392-0x00007FF7AC230000-0x00007FF7AC7D1000-memory.dmp
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 30c13f525a4b08bc4ff8a289c73ea83a |
| SHA1 | 9f7e9963b2c28a5000374ecc6e145fd057d927ab |
| SHA256 | 7fd551cd04cc3e03e9bd7dff9de721dcbcb4fb8c10e8ba32fadffbac99a28546 |
| SHA512 | f1bd7dd2fa280aee1dba020ab4e9c230d2a7387f0103d81874ddfb050baae515d693b10d94aa27b2f4be2c1be8d9dfd166e26f68262b619419d7305cfefd7142 |
memory/2808-421-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\rss\csrss.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7f93cbbd7bac858b7dd6a9062a4d0c2d |
| SHA1 | 76c830a50f96043b9f600398a21a99d51e4b7e9c |
| SHA256 | 6352596598f749399241dcc0033c89ef9c52bfe6a2b7188e2373a4b238594465 |
| SHA512 | fd9dd090ed7176e0b9e86492c8baca0e232f3fcafa14415a0138d47573b1a1b1afd9847f2268513095abdd9acc396b8b63bbb2c4c6b7afa9fc6e373600207b46 |
memory/2276-441-0x00007FF65B520000-0x00007FF65BAC1000-memory.dmp
memory/2808-456-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9b9bb3ff3ba054ecef26f7ff313b12d1 |
| SHA1 | 44818560d00b197b2218ec0cc1d8e51b37e3eb03 |
| SHA256 | 8eeeecb1297679b0763c205410bb496daa24e6f48212c8aa63210f885b30755f |
| SHA512 | 09617b5388b220f28c2e246096423a4b7f6e0a69279eae59f9b7203fc00ffd5c15daa26e7895be854192f6dc40b13568e080a842ca24298ca68ba1bd270ea96b |
memory/3744-472-0x0000000000400000-0x0000000002FB8000-memory.dmp