Malware Analysis Report

2025-01-18 05:35

Sample ID 231015-rvhwlafh6w
Target NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe
SHA256 467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48d
Tags
amadey djvu glupteba redline smokeloader vidar d37c48c18c73cc0e155c7e1dfde06db9 logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan pub1
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48d

Threat Level: Known bad

The file NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader vidar d37c48c18c73cc0e155c7e1dfde06db9 logsdiller cloud (tg: @logsdillabot) backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware stealer trojan pub1

Glupteba payload

Glupteba

SmokeLoader

Amadey

Vidar

RedLine

RedLine payload

Detected Djvu ransomware

Djvu Ransomware

Windows security bypass

Modifies Windows Firewall

Downloads MZ/PE file

Executes dropped EXE

Windows security modification

Reads user/profile data of web browsers

Modifies file permissions

Checks computer location settings

.NET Reactor proctector

Loads dropped DLL

Deletes itself

Looks up external IP address via web service

Adds Run key to start application

Accesses 2FA software files, possible credential harvesting

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of UnmapMainImage

Modifies system certificate store

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

outlook_win_path

Suspicious behavior: MapViewOfSection

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

outlook_office_path

Delays execution with timeout.exe

Checks processor information in registry

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-15 14:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-15 14:30

Reported

2023-10-15 14:35

Platform

win7-20230831-en

Max time kernel

155s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\F28D.exe = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E6C9.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\F28D.exe = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a3f02447-3701-4d93-803b-687b9f7e531a\\CEC4.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\CEC4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231015143352.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\6772.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3E3F.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\F28D.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 2352 N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1228 wrote to memory of 2352 N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1228 wrote to memory of 2352 N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1228 wrote to memory of 2352 N/A N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2352 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2644 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Windows\SysWOW64\icacls.exe
PID 2644 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Windows\SysWOW64\icacls.exe
PID 2644 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Windows\SysWOW64\icacls.exe
PID 2644 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Windows\SysWOW64\icacls.exe
PID 2644 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2644 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2644 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 2644 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1228 wrote to memory of 2952 N/A N/A C:\Users\Admin\AppData\Local\Temp\DFB6.exe
PID 1228 wrote to memory of 2952 N/A N/A C:\Users\Admin\AppData\Local\Temp\DFB6.exe
PID 1228 wrote to memory of 2952 N/A N/A C:\Users\Admin\AppData\Local\Temp\DFB6.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1928 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CEC4.exe C:\Users\Admin\AppData\Local\Temp\CEC4.exe
PID 1228 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3EB.exe
PID 1228 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3EB.exe
PID 1228 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3EB.exe
PID 1228 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3EB.exe
PID 1228 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6C9.exe
PID 1228 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6C9.exe
PID 1228 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6C9.exe
PID 1228 wrote to memory of 476 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6C9.exe
PID 476 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\E6C9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 476 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\E6C9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 476 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\E6C9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 476 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\E6C9.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 616 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1752 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 616 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 616 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 616 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 616 wrote to memory of 1328 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 2068 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1328 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1328 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1328 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\a3f02447-3701-4d93-803b-687b9f7e531a" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

"C:\Users\Admin\AppData\Local\Temp\CEC4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\DFB6.exe

C:\Users\Admin\AppData\Local\Temp\DFB6.exe

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

"C:\Users\Admin\AppData\Local\Temp\CEC4.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\E3EB.exe

C:\Users\Admin\AppData\Local\Temp\E3EB.exe

C:\Users\Admin\AppData\Local\Temp\E6C9.exe

C:\Users\Admin\AppData\Local\Temp\E6C9.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 72

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\F28D.exe

C:\Users\Admin\AppData\Local\Temp\F28D.exe

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe

"C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FA5B.dll

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe

"C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FA5B.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\FFF7.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\FFF7.dll

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe

"C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe"

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe

"C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\3E3F.exe

C:\Users\Admin\AppData\Local\Temp\3E3F.exe

C:\Users\Admin\AppData\Local\Temp\6772.exe

C:\Users\Admin\AppData\Local\Temp\6772.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231015143352.log C:\Windows\Logs\CBS\CbsPersist_20231015143352.cab

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 544

C:\Users\Admin\AppData\Local\Temp\F28D.exe

"C:\Users\Admin\AppData\Local\Temp\F28D.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {BD40726C-BAC1-4FB4-816A-3816766D4B54} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
KR 115.88.24.200:80 colisumy.com tcp
US 8.8.8.8:53 loveperry.org udp
US 172.67.213.185:443 loveperry.org tcp
KR 211.40.39.251:80 zexeq.com tcp
RU 79.137.192.18:80 79.137.192.18 tcp
KR 211.40.39.251:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 steamcommunity.com udp
JP 23.207.106.113:443 steamcommunity.com tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 www.microsoft.com udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 2e8417d7-7159-4406-a39e-04e47aa04231.uuid.thestatsfiles.ru udp
RU 31.41.244.27:41140 tcp
RU 185.215.113.57:4090 tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
NL 149.154.167.99:443 t.me tcp
JP 23.207.106.113:443 steamcommunity.com tcp
DE 128.140.102.206:80 128.140.102.206 tcp

Files

memory/2488-1-0x0000000000A00000-0x0000000000B00000-memory.dmp

memory/2488-2-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2488-3-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2488-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1228-4-0x00000000029A0000-0x00000000029B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2352-20-0x0000000004460000-0x00000000044F1000-memory.dmp

memory/2352-21-0x0000000004460000-0x00000000044F1000-memory.dmp

memory/2352-22-0x0000000004590000-0x00000000046AB000-memory.dmp

\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2644-27-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2644-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2644-30-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2644-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\a3f02447-3701-4d93-803b-687b9f7e531a\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2644-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1928-54-0x0000000002C60000-0x0000000002CF1000-memory.dmp

\Users\Admin\AppData\Local\Temp\DFB6.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

memory/1928-58-0x0000000002C60000-0x0000000002CF1000-memory.dmp

\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\DFB6.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\Temp\CEC4.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2508-66-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-67-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E3EB.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\E3EB.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 2408d5be1b7b9d702a2bfc6de1db8b9c
SHA1 9e31eb1155b3b785fa62cbb7d4018e65b2075c99
SHA256 8209d5c464a266086c464e1ee3348fe3f48b16d91e7e5685ea3eb55b326ba951
SHA512 223ed7f9930eade6340d9a971aade936d6719312c3e13ca44a828a7704c041534926de86edd5e06b49caa654e949a2297815dc4886181f839dc73d496ef3fe83

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b3cc1eab5e14e2d7a01804b22ecf4043
SHA1 1883aeaac8649c5b6848f2131ec56464b964f8fc
SHA256 25d844b5a1806454aa4b221dc31f3423928ffcd816771e7d01797831e0a29324
SHA512 adaf9402ac330d8daae46af707650d579c9f20c1080c6d97fd38f8e119a59793dd3ec3998fd2fbea3a578087d64b831cd25664e3442e236477a3b79fe6d387f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 5bdf0f0e46ec31621135ed84baf25911
SHA1 818af336298a731e3de446fd4d902daa721d7694
SHA256 33b4da828251a5064c7f1615d8a490aa6172d4a028cc1da66328a1ac3662909f
SHA512 17a7b876a63cce52a8cf69b38ca13bb01ea21040809b9d6ffaecef4f469af2ffd9fdbcd9fbc7e16b09140d0f5fec033f421181119e39c8f77247726cd9197e37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 995c5244fa4f363c5c4d8e6b75d56210
SHA1 eb0d336e17a678ba9a8b6e993854af78287bafc1
SHA256 2108e50a51bfc77221158ce3945a93be2366e017dbc1f7631d2bc31caaceff2d
SHA512 3ca495763f9fb1d69db7d74b7cf5f3db312cb62be08e93e153c30c1ce182ef429f03370ec5c3b62c1cfe200d7dad52df76e191c64a55788be2eeaeb647680f33

C:\Users\Admin\AppData\Local\Temp\CabE60B.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\Local\Temp\E6C9.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\E6C9.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\E6C9.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2508-98-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-99-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2396-101-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2396-106-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2396-108-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2396-105-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2396-104-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2396-102-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2396-103-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2396-110-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\E3EB.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\E3EB.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\E3EB.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

\Users\Admin\AppData\Local\Temp\E3EB.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2396-115-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/2508-122-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2508-121-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F28D.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\F28D.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1556-130-0x0000000004890000-0x0000000004C88000-memory.dmp

memory/2396-129-0x00000000003B0000-0x00000000003F0000-memory.dmp

memory/2508-119-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1556-131-0x0000000004890000-0x0000000004C88000-memory.dmp

memory/1556-135-0x0000000004C90000-0x000000000557B000-memory.dmp

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/1556-144-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2508-151-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1168-152-0x0000000000220000-0x0000000000271000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA5B.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/2204-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1168-148-0x00000000023E0000-0x00000000024E0000-memory.dmp

memory/2204-154-0x0000000000400000-0x0000000000465000-memory.dmp

\Users\Admin\AppData\Local\Temp\FA5B.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build2.exe

MD5 22f2fd94f57b71f36a31ea18be7d4b34
SHA1 a8dc0a1af7978fea291f5306f1937a90ac9b6b5b
SHA256 bf1d4645972f8a10ef66d4343d0b3dc5b66ea2050a061e8194e6858a88220454
SHA512 5b1811dbded599cf9580efe2093594b31204404ec3f69f8c061fac1f2eee261f9837adf63a4c55a206d39f9071ade5b663615ba05d9a023c69a7f2b0f6bcf173

memory/2204-158-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2204-159-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2172-161-0x00000000001A0000-0x00000000001A6000-memory.dmp

memory/2172-160-0x0000000010000000-0x0000000010251000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFF7.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

\Users\Admin\AppData\Local\Temp\FFF7.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2876-166-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2876-168-0x0000000000110000-0x0000000000116000-memory.dmp

\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2508-179-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2172-180-0x00000000023C0000-0x00000000024DB000-memory.dmp

memory/2172-183-0x0000000001EE0000-0x0000000001FE1000-memory.dmp

memory/2172-184-0x0000000001EE0000-0x0000000001FE1000-memory.dmp

memory/2952-182-0x000000013F430000-0x000000013FD81000-memory.dmp

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2172-188-0x0000000001EE0000-0x0000000001FE1000-memory.dmp

\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/1556-187-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2204-189-0x0000000000400000-0x0000000000465000-memory.dmp

memory/2172-191-0x0000000010000000-0x0000000010251000-memory.dmp

memory/2172-190-0x0000000001EE0000-0x0000000001FE1000-memory.dmp

memory/2952-194-0x000000013F430000-0x000000013FD81000-memory.dmp

memory/2396-193-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/2396-198-0x00000000003B0000-0x00000000003F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar46F0.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

memory/2204-206-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2572-220-0x0000000000400000-0x0000000000406000-memory.dmp

memory/1984-224-0x0000000000952000-0x0000000000963000-memory.dmp

memory/1984-226-0x0000000000220000-0x0000000000224000-memory.dmp

C:\Users\Admin\AppData\Local\ead4ede3-5efe-43c3-8cd5-7a07a0ba18e7\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2572-228-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3E3F.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

C:\Users\Admin\AppData\Local\Temp\3E3F.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

C:\Users\Admin\AppData\Local\Temp\3E3F.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

memory/2864-244-0x0000000001370000-0x00000000018AA000-memory.dmp

memory/2864-243-0x0000000072F30000-0x000000007361E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F28D.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2864-257-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

memory/2864-269-0x0000000072F30000-0x000000007361E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6772.exe

MD5 89bf35a4cd2f8f08d894c51e761ff765
SHA1 62e4942d4f167c5ff3145e29c73b9b1a1c427885
SHA256 86b45c17c8eda8587a7f8107ecc81c79b4367adeda46ea140f64326f19d659c6
SHA512 107ce43b926eb4529a1293354d0b67099a395cf272679cda3127979244debb12241c96387ebc3b48d2f0b66cb4981d3601b5ca70c3a7b44c6a8791c4cd8c8147

C:\Users\Admin\AppData\Local\Temp\6772.exe

MD5 89bf35a4cd2f8f08d894c51e761ff765
SHA1 62e4942d4f167c5ff3145e29c73b9b1a1c427885
SHA256 86b45c17c8eda8587a7f8107ecc81c79b4367adeda46ea140f64326f19d659c6
SHA512 107ce43b926eb4529a1293354d0b67099a395cf272679cda3127979244debb12241c96387ebc3b48d2f0b66cb4981d3601b5ca70c3a7b44c6a8791c4cd8c8147

memory/1528-294-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/2864-295-0x0000000000EB0000-0x0000000000EF0000-memory.dmp

memory/1528-296-0x00000000009F0000-0x0000000000B96000-memory.dmp

memory/2288-322-0x0000000000130000-0x00000000001B0000-memory.dmp

memory/2288-324-0x00000000000C0000-0x000000000012B000-memory.dmp

memory/1528-336-0x0000000002130000-0x0000000002131000-memory.dmp

memory/1956-335-0x0000000000060000-0x000000000006C000-memory.dmp

memory/1528-334-0x00000000042E0000-0x0000000004320000-memory.dmp

memory/2288-339-0x00000000000C0000-0x000000000012B000-memory.dmp

\Users\Admin\AppData\Local\Temp\3E3F.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

\Users\Admin\AppData\Local\Temp\3E3F.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

\Users\Admin\AppData\Local\Temp\3E3F.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

\Users\Admin\AppData\Local\Temp\3E3F.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

\Users\Admin\AppData\Local\Temp\3E3F.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

C:\Users\Admin\AppData\Local\Temp\F28D.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2096-350-0x0000000004A30000-0x0000000004E28000-memory.dmp

memory/1556-351-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1528-352-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/2096-353-0x0000000000400000-0x0000000002FB8000-memory.dmp

\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2628-366-0x0000000004A70000-0x0000000004E68000-memory.dmp

memory/2096-367-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2628-368-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1528-370-0x00000000042E0000-0x0000000004320000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1936-382-0x00000000000D0000-0x000000000012A000-memory.dmp

memory/1936-384-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/1936-385-0x00000000023B0000-0x00000000023F0000-memory.dmp

memory/1528-386-0x00000000042C0000-0x00000000042DC000-memory.dmp

memory/2840-392-0x0000000000970000-0x0000000000A70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/2628-402-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1936-428-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/1936-429-0x00000000023B0000-0x00000000023F0000-memory.dmp

memory/1528-430-0x0000000002270000-0x0000000002271000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/1684-452-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1528-453-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/1040-456-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1684-461-0x0000000001E90000-0x0000000001ED0000-memory.dmp

memory/1684-462-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/1684-476-0x0000000001E90000-0x0000000001ED0000-memory.dmp

memory/1040-475-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

memory/1684-483-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/1040-489-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1936-539-0x0000000072F30000-0x000000007361E000-memory.dmp

memory/1684-540-0x0000000072F30000-0x000000007361E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-15 14:30

Reported

2023-10-15 14:35

Platform

win10v2004-20230915-en

Max time kernel

139s

Max time network

185s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F943.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E2AA.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\b7cd7b55-8fe0-418e-92f3-c271329b6bf7\\E2AA.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\E2AA.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FDE7.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\rghcgts N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\rghcgts N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FDE7.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FDE7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\rghcgts N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FDE7.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3C8A.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3A09.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 4712 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 2572 wrote to memory of 4712 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 2572 wrote to memory of 4712 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 4712 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 2572 wrote to memory of 1152 N/A N/A C:\Users\Admin\AppData\Local\Temp\F326.exe
PID 2572 wrote to memory of 1152 N/A N/A C:\Users\Admin\AppData\Local\Temp\F326.exe
PID 2572 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\F588.exe
PID 2572 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\F588.exe
PID 2572 wrote to memory of 4068 N/A N/A C:\Users\Admin\AppData\Local\Temp\F588.exe
PID 3948 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Windows\SysWOW64\icacls.exe
PID 3948 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Windows\SysWOW64\icacls.exe
PID 3948 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Windows\SysWOW64\icacls.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\F588.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\F588.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\F588.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\F588.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\F588.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\F588.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\F588.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4068 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\F588.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2572 wrote to memory of 972 N/A N/A C:\Users\Admin\AppData\Local\Temp\F943.exe
PID 2572 wrote to memory of 972 N/A N/A C:\Users\Admin\AppData\Local\Temp\F943.exe
PID 2572 wrote to memory of 972 N/A N/A C:\Users\Admin\AppData\Local\Temp\F943.exe
PID 3948 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 3948 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 3948 wrote to memory of 1164 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 972 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\F943.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 972 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\F943.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 972 wrote to memory of 376 N/A C:\Users\Admin\AppData\Local\Temp\F943.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 2572 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDE7.exe
PID 2572 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDE7.exe
PID 2572 wrote to memory of 3124 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDE7.exe
PID 376 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 376 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 376 wrote to memory of 1756 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 376 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 376 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1164 wrote to memory of 4332 N/A C:\Users\Admin\AppData\Local\Temp\E2AA.exe C:\Users\Admin\AppData\Local\Temp\E2AA.exe
PID 1876 wrote to memory of 3360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 3360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 3360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1876 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1876 wrote to memory of 2236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 1876 wrote to memory of 372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.467166f371775ca6da6a789326f6fc4501f4f76f4311fabd5e509574f13cf48dexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

C:\Users\Admin\AppData\Local\Temp\F326.exe

C:\Users\Admin\AppData\Local\Temp\F326.exe

C:\Users\Admin\AppData\Local\Temp\F588.exe

C:\Users\Admin\AppData\Local\Temp\F588.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\b7cd7b55-8fe0-418e-92f3-c271329b6bf7" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4068 -ip 4068

C:\Users\Admin\AppData\Local\Temp\F943.exe

C:\Users\Admin\AppData\Local\Temp\F943.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 140

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

"C:\Users\Admin\AppData\Local\Temp\E2AA.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\FDE7.exe

C:\Users\Admin\AppData\Local\Temp\FDE7.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

"C:\Users\Admin\AppData\Local\Temp\E2AA.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4332 -ip 4332

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 568

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\32E3.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\32E3.dll

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\34C8.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\34C8.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Users\Admin\AppData\Local\Temp\3A09.exe

C:\Users\Admin\AppData\Local\Temp\3A09.exe

C:\Users\Admin\AppData\Local\Temp\3C8A.exe

C:\Users\Admin\AppData\Local\Temp\3C8A.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\system32\rundll32.exe

C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask

C:\Users\Admin\AppData\Roaming\rghcgts

C:\Users\Admin\AppData\Roaming\rghcgts

C:\Users\Admin\AppData\Local\b7cd7b55-8fe0-418e-92f3-c271329b6bf7\E2AA.exe

C:\Users\Admin\AppData\Local\b7cd7b55-8fe0-418e-92f3-c271329b6bf7\E2AA.exe --Task

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 8.8.8.8:53 57.21.21.104.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 wirtshauspost.at udp
KR 211.119.84.111:80 wirtshauspost.at tcp
US 8.8.8.8:53 111.84.119.211.in-addr.arpa udp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
RU 185.215.113.57:4090 tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
US 8.8.8.8:53 57.113.215.185.in-addr.arpa udp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
KR 211.119.84.111:80 wirtshauspost.at tcp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp

Files

memory/1604-1-0x00000000008C0000-0x00000000009C0000-memory.dmp

memory/1604-2-0x0000000000820000-0x000000000082B000-memory.dmp

memory/1604-3-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/2572-4-0x0000000003200000-0x0000000003216000-memory.dmp

memory/1604-5-0x0000000000400000-0x00000000005B3000-memory.dmp

memory/1604-8-0x0000000000820000-0x000000000082B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/4712-20-0x0000000004860000-0x00000000048F8000-memory.dmp

memory/4712-21-0x00000000049F0000-0x0000000004B0B000-memory.dmp

memory/3948-24-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/3948-22-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-25-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3948-26-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F326.exe

MD5 22b5ba8e29ad46aea74520369763650a
SHA1 5477b1f2384bc99e50cf8414c6adfe2e9c0ab2ec
SHA256 ebd8083f3e802cac490686d05a3fe08e2305a6657a9af5ef38fe772496f621ec
SHA512 38cb42bbb50a3aca19c3af8af01bf5d46e27841f50df2fc421183550daad6b65f91c3e454705a9e3ad9706a198c7bd928d6e2d1487a369cd7d3788e547e6eead

C:\Users\Admin\AppData\Local\Temp\F588.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\F588.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2448-41-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F943.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\F943.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2448-48-0x00000000738D0000-0x0000000074080000-memory.dmp

C:\Users\Admin\AppData\Local\b7cd7b55-8fe0-418e-92f3-c271329b6bf7\E2AA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/2448-50-0x00000000072F0000-0x0000000007894000-memory.dmp

memory/2448-51-0x0000000006DE0000-0x0000000006E72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2448-57-0x0000000006F60000-0x0000000006F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\FDE7.exe

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

C:\Users\Admin\AppData\Local\Temp\FDE7.exe

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3948-65-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2448-64-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/3124-69-0x0000000000730000-0x0000000000830000-memory.dmp

memory/3124-70-0x0000000000720000-0x000000000072B000-memory.dmp

memory/3124-72-0x0000000000400000-0x00000000005B5000-memory.dmp

memory/1164-73-0x0000000002EF0000-0x0000000002F83000-memory.dmp

memory/4332-76-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2448-77-0x0000000007EC0000-0x00000000084D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2AA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

memory/4332-78-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4332-81-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2448-80-0x0000000007170000-0x000000000727A000-memory.dmp

memory/2448-82-0x0000000007080000-0x0000000007092000-memory.dmp

memory/2448-83-0x00000000070E0000-0x000000000711C000-memory.dmp

memory/2448-84-0x0000000007120000-0x000000000716C000-memory.dmp

memory/2448-89-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/2572-90-0x0000000003220000-0x0000000003236000-memory.dmp

memory/3124-91-0x0000000000400000-0x00000000005B5000-memory.dmp

memory/1152-94-0x00007FF60FC30000-0x00007FF610581000-memory.dmp

memory/2448-95-0x0000000006F60000-0x0000000006F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\32E3.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

C:\Users\Admin\AppData\Local\Temp\32E3.dll

MD5 55f1c499b31e58a29f6dacea7580fb69
SHA1 c6e5c6a4bb84374a6b172e8eb0c43aaab5423e1a
SHA256 b2fadb2f33351919a782043b2898b201b7420fd1d57800a1d144710156640854
SHA512 9c2f2189e686e05585c6afef0cb4608b5c81ec89f48b992c600fa95ede32a51dc1ee53df518f97b3fb1c8c096adbc3534562f3d6af921bd9b1781fa9dd7786e1

memory/2572-104-0x0000000003270000-0x0000000003280000-memory.dmp

memory/2572-101-0x0000000003270000-0x0000000003280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34C8.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/2572-110-0x0000000003270000-0x0000000003280000-memory.dmp

memory/2572-109-0x0000000003270000-0x0000000003280000-memory.dmp

memory/2572-112-0x0000000003270000-0x0000000003280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\34C8.dll

MD5 fe7facf5c1db2d17313299c58c6e1ca2
SHA1 4dc53db5c9c8ac085f329dec8be5d325a1b46ac5
SHA256 3a566e1932fd6352dbc9e7cd1e5f40c2ca759fd52dd0283bc6284741d407128b
SHA512 1fbb414a57978f8304140fb29f9fb3251ab237b7a776ec5aded99d04ae18b35c7985e956862044c4028c57ae448bc0d45c85a42d94ca440c6063ada3a4318060

memory/4128-121-0x0000000000FB0000-0x000000000100A000-memory.dmp

memory/2572-126-0x0000000003270000-0x0000000003280000-memory.dmp

memory/2572-128-0x0000000000780000-0x0000000000786000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3C8A.exe

MD5 89bf35a4cd2f8f08d894c51e761ff765
SHA1 62e4942d4f167c5ff3145e29c73b9b1a1c427885
SHA256 86b45c17c8eda8587a7f8107ecc81c79b4367adeda46ea140f64326f19d659c6
SHA512 107ce43b926eb4529a1293354d0b67099a395cf272679cda3127979244debb12241c96387ebc3b48d2f0b66cb4981d3601b5ca70c3a7b44c6a8791c4cd8c8147

memory/3452-138-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/2572-137-0x0000000003270000-0x0000000003280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3C8A.exe

MD5 89bf35a4cd2f8f08d894c51e761ff765
SHA1 62e4942d4f167c5ff3145e29c73b9b1a1c427885
SHA256 86b45c17c8eda8587a7f8107ecc81c79b4367adeda46ea140f64326f19d659c6
SHA512 107ce43b926eb4529a1293354d0b67099a395cf272679cda3127979244debb12241c96387ebc3b48d2f0b66cb4981d3601b5ca70c3a7b44c6a8791c4cd8c8147

memory/1152-129-0x00007FF60FC30000-0x00007FF610581000-memory.dmp

memory/3452-134-0x0000000000CA0000-0x00000000011DA000-memory.dmp

memory/2572-132-0x0000000003270000-0x0000000003280000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3A09.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

memory/2704-125-0x0000000000780000-0x0000000000786000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3A09.exe

MD5 dae038ac3f891d31151fc16e68275604
SHA1 af12a3da35e6bb46a30c1b05ef400d93c0828b2e
SHA256 a581962494dfb0c4dcd2b2207a9e3741d3c573556c380f9f8861369126399fca
SHA512 09beeea330750055415852899fa40476ff73532ae7716871fa84aa2e36a83fc40ef9149acc039d9e4e140e521d4d9ed7708b0753694c46d6454ca1696fde0e5c

memory/2572-122-0x0000000003270000-0x0000000003280000-memory.dmp

memory/2704-120-0x0000000010000000-0x00000000101E5000-memory.dmp

memory/2572-117-0x0000000003270000-0x0000000003280000-memory.dmp

memory/2572-114-0x0000000003270000-0x0000000003280000-memory.dmp

memory/2572-111-0x0000000003270000-0x0000000003280000-memory.dmp

memory/4220-105-0x00000000015D0000-0x00000000015D6000-memory.dmp

memory/4220-106-0x0000000010000000-0x0000000010251000-memory.dmp

memory/2572-139-0x0000000003270000-0x0000000003280000-memory.dmp

memory/1768-143-0x0000000000CD0000-0x0000000000E76000-memory.dmp

memory/2572-145-0x0000000003270000-0x0000000003280000-memory.dmp

memory/2572-147-0x0000000003270000-0x0000000003280000-memory.dmp

memory/2572-149-0x0000000003270000-0x0000000003280000-memory.dmp

memory/4928-148-0x00000000003D0000-0x00000000003DC000-memory.dmp

memory/2572-142-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/956-141-0x0000000000C60000-0x0000000000CCB000-memory.dmp

memory/2572-151-0x0000000003270000-0x0000000003280000-memory.dmp

memory/4128-150-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

memory/956-154-0x0000000000C60000-0x0000000000CCB000-memory.dmp

memory/2572-155-0x0000000003270000-0x0000000003280000-memory.dmp

memory/956-152-0x0000000000CD0000-0x0000000000D50000-memory.dmp

memory/2572-153-0x0000000003270000-0x0000000003280000-memory.dmp

memory/4928-156-0x00000000003D0000-0x00000000003DC000-memory.dmp

memory/2572-140-0x0000000003270000-0x0000000003280000-memory.dmp

memory/4128-157-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/1768-158-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/1768-159-0x0000000005B30000-0x0000000005B40000-memory.dmp

memory/1768-161-0x0000000005980000-0x0000000005A1C000-memory.dmp

memory/1768-164-0x0000000005720000-0x0000000005721000-memory.dmp

memory/4128-180-0x0000000008580000-0x00000000085E6000-memory.dmp

memory/956-184-0x0000000000C60000-0x0000000000CCB000-memory.dmp

C:\Users\Admin\AppData\Roaming\rghcgts

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

memory/3452-190-0x0000000077871000-0x0000000077872000-memory.dmp

memory/3452-191-0x0000000006CD0000-0x0000000007272000-memory.dmp

memory/2572-192-0x0000000000780000-0x0000000000786000-memory.dmp

memory/3452-193-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/2572-194-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/3452-195-0x0000000005B90000-0x0000000005BA0000-memory.dmp

memory/4128-197-0x0000000009370000-0x00000000093E6000-memory.dmp

memory/4128-196-0x0000000007BC0000-0x0000000007BD0000-memory.dmp

memory/1768-199-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/4128-201-0x00000000095C0000-0x0000000009782000-memory.dmp

memory/3452-200-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/4128-202-0x0000000009CC0000-0x000000000A1EC000-memory.dmp

memory/4128-203-0x00000000094F0000-0x000000000950E000-memory.dmp

memory/4128-204-0x00000000738D0000-0x0000000074080000-memory.dmp

memory/4220-206-0x0000000003290000-0x00000000033AB000-memory.dmp

memory/1768-209-0x0000000005A50000-0x0000000005A65000-memory.dmp

memory/1768-208-0x0000000005A50000-0x0000000005A65000-memory.dmp

memory/4220-212-0x00000000033B0000-0x00000000034B1000-memory.dmp

memory/1768-211-0x0000000005A50000-0x0000000005A65000-memory.dmp

memory/4220-213-0x00000000033B0000-0x00000000034B1000-memory.dmp

memory/1768-215-0x0000000005A50000-0x0000000005A65000-memory.dmp

memory/4220-217-0x00000000033B0000-0x00000000034B1000-memory.dmp

memory/1768-219-0x0000000005A50000-0x0000000005A65000-memory.dmp

memory/1768-221-0x0000000005A50000-0x0000000005A65000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\rghcgts

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a

C:\Users\Admin\AppData\Local\b7cd7b55-8fe0-418e-92f3-c271329b6bf7\E2AA.exe

MD5 7284de10c970ef4b23460ad9c8b125fe
SHA1 66c0712a8b92fdcf2a58951449828c70f7bdc1d9
SHA256 7ac247d6c3ac3cd5ff3a51d526acac42f44ffa44a80c52cc5808be9713db51ca
SHA512 0425bccda444e0283ad85be179a23883b4db07716248b165754fceb0e42ce3596bd0f48385f57f5009cb6c8616c3d41b741be2b92f8a28f5e5acba6295fea7b7

C:\Users\Admin\AppData\Roaming\rghcgts

MD5 a9991493e536d974f42a70843dae6209
SHA1 9f209dc03fbca602985e9f599732ebfc4b2a0cc3
SHA256 f1d980607c0be60b816ea70efaf0439323463f29ab6b56c4055a171461e31288
SHA512 3d8d8dd9c485e19a4009fb62af94c250d28eaa56f15a3adc189bf9299308ff16c2bff397074b219f9075093df75349062ad860f65957a1c336b0421ff5157b0a