Analysis Overview
SHA256
a8aa91182c9febb8db8f1758c1c796b73cfd6cf8494e809cd35d7fee2276802c
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Detected Djvu ransomware
RedLine
Amadey
Glupteba
Glupteba payload
SmokeLoader
Djvu Ransomware
RedLine payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
UPX packed file
Modifies file permissions
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Checks computer location settings
Executes dropped EXE
Deletes itself
Looks up external IP address via web service
Adds Run key to start application
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Program crash
Unsigned PE
outlook_office_path
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Uses Task Scheduler COM API
outlook_win_path
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: AddClipboardFormatListener
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-16 23:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-16 23:05
Reported
2023-10-16 23:10
Platform
win7-20230831-en
Max time kernel
273s
Max time network
327s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\D319.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\D319.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\D319.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF7F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF7F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D319.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2A3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B89.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\129C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sderjji | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF7F.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B89.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\0110cdfe-08c9-40ef-9d33-da6e5606db52\\CF7F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\CF7F.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\D319.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D319.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2224 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\CF7F.exe | C:\Users\Admin\AppData\Local\Temp\CF7F.exe |
| PID 2464 set thread context of 2064 | N/A | C:\Users\Admin\AppData\Local\Temp\2A3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1588 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\D319.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sderjji | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sderjji | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\sderjji | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\sderjji | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\D319.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\CF7F.exe
C:\Users\Admin\AppData\Local\Temp\CF7F.exe
C:\Users\Admin\AppData\Local\Temp\CF7F.exe
C:\Users\Admin\AppData\Local\Temp\CF7F.exe
C:\Users\Admin\AppData\Local\Temp\D319.exe
C:\Users\Admin\AppData\Local\Temp\D319.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EF41.dll
C:\Users\Admin\AppData\Local\Temp\2A3.exe
C:\Users\Admin\AppData\Local\Temp\2A3.exe
C:\Users\Admin\AppData\Local\Temp\B89.exe
C:\Users\Admin\AppData\Local\Temp\B89.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\EF41.dll
C:\Users\Admin\AppData\Local\Temp\129C.exe
C:\Users\Admin\AppData\Local\Temp\129C.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0110cdfe-08c9-40ef-9d33-da6e5606db52" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {1F65E9B5-57AA-439E-8D79-1135B1E771BC} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Roaming\sderjji
C:\Users\Admin\AppData\Roaming\sderjji
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231016231034.log C:\Windows\Logs\CBS\CbsPersist_20231016231034.cab
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| RU | 31.41.244.27:41140 | tcp | |
| GB | 145.239.200.147:30225 | tcp |
Files
memory/2628-1-0x0000000000250000-0x0000000000350000-memory.dmp
memory/2628-2-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2628-3-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/1236-4-0x0000000002A40000-0x0000000002A56000-memory.dmp
memory/2628-5-0x0000000000400000-0x00000000007CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CF7F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\CF7F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2224-21-0x0000000001FC0000-0x0000000002052000-memory.dmp
memory/2224-22-0x0000000001FC0000-0x0000000002052000-memory.dmp
memory/2224-23-0x0000000002060000-0x000000000217B000-memory.dmp
\Users\Admin\AppData\Local\Temp\CF7F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\CF7F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2980-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CF7F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/2980-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2224-31-0x0000000001FC0000-0x0000000002052000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D319.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/1588-35-0x0000000000DB0000-0x0000000001558000-memory.dmp
memory/2980-36-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1588-37-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-38-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-39-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-40-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-42-0x0000000075970000-0x00000000759B7000-memory.dmp
memory/1588-43-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-44-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-46-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-48-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-49-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-50-0x0000000075860000-0x0000000075970000-memory.dmp
memory/2980-52-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1588-51-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-53-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-54-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-56-0x0000000077A40000-0x0000000077A42000-memory.dmp
memory/1588-55-0x0000000075860000-0x0000000075970000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EF41.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
C:\Users\Admin\AppData\Local\Temp\2A3.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
C:\Users\Admin\AppData\Local\Temp\2A3.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
C:\Users\Admin\AppData\Local\Temp\B89.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\B89.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1588-74-0x0000000000DB0000-0x0000000001558000-memory.dmp
memory/1588-75-0x0000000075970000-0x00000000759B7000-memory.dmp
memory/1588-76-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-77-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-78-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-79-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-80-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-81-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-82-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-83-0x0000000075860000-0x0000000075970000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\129C.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/2860-89-0x0000000004980000-0x0000000004D78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\129C.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
\Users\Admin\AppData\Local\Temp\EF41.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1540-97-0x0000000010000000-0x00000000101E4000-memory.dmp
memory/1588-99-0x0000000000DB0000-0x0000000001558000-memory.dmp
memory/1380-100-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/1076-101-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1588-117-0x00000000747B0000-0x0000000074E9E000-memory.dmp
memory/2860-119-0x0000000004D80000-0x000000000566B000-memory.dmp
memory/2860-120-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/1540-122-0x0000000000190000-0x0000000000196000-memory.dmp
memory/1380-126-0x00000000000F0000-0x0000000000170000-memory.dmp
memory/1380-128-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/1076-129-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/1076-130-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2860-131-0x0000000004980000-0x0000000004D78000-memory.dmp
memory/1540-132-0x00000000022E0000-0x00000000023E8000-memory.dmp
memory/1540-139-0x00000000023F0000-0x00000000024E0000-memory.dmp
memory/1540-140-0x00000000023F0000-0x00000000024E0000-memory.dmp
memory/1540-142-0x00000000023F0000-0x00000000024E0000-memory.dmp
memory/1540-145-0x00000000023F0000-0x00000000024E0000-memory.dmp
memory/1076-146-0x0000000000080000-0x0000000000087000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\0110cdfe-08c9-40ef-9d33-da6e5606db52\CF7F.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\129C.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Roaming\sderjji
| MD5 | 30712d0b7a5a46a3d8925f4c0786630e |
| SHA1 | 3a6b6c5da8dc4b1ef7c69c39e860b6504506dfbe |
| SHA256 | a8aa91182c9febb8db8f1758c1c796b73cfd6cf8494e809cd35d7fee2276802c |
| SHA512 | d2a1e540e2d7f1563b36741b75c12115433215799de750c7061f6cd62196f848c8f141eba548bccf64e95cb482a60f8be74a60710d81d646c48fa7801edc79f1 |
C:\Users\Admin\AppData\Roaming\sderjji
| MD5 | 30712d0b7a5a46a3d8925f4c0786630e |
| SHA1 | 3a6b6c5da8dc4b1ef7c69c39e860b6504506dfbe |
| SHA256 | a8aa91182c9febb8db8f1758c1c796b73cfd6cf8494e809cd35d7fee2276802c |
| SHA512 | d2a1e540e2d7f1563b36741b75c12115433215799de750c7061f6cd62196f848c8f141eba548bccf64e95cb482a60f8be74a60710d81d646c48fa7801edc79f1 |
memory/2064-162-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2064-164-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2064-165-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2064-166-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2064-163-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2064-167-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2064-170-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2064-172-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1236-173-0x0000000002CC0000-0x0000000002CD6000-memory.dmp
memory/1776-176-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/1776-177-0x00000000002F5000-0x0000000000308000-memory.dmp
memory/1588-178-0x00000000005E0000-0x00000000005FC000-memory.dmp
memory/1588-179-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-180-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-182-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-184-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-186-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-188-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-190-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-192-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-194-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-196-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-198-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-200-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/1588-202-0x00000000005E0000-0x00000000005F5000-memory.dmp
memory/2732-203-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2732-204-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2732-214-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1588-216-0x0000000075860000-0x0000000075970000-memory.dmp
memory/1588-217-0x0000000075970000-0x00000000759B7000-memory.dmp
memory/1588-218-0x0000000000DB0000-0x0000000001558000-memory.dmp
memory/1588-219-0x00000000747B0000-0x0000000074E9E000-memory.dmp
memory/1588-220-0x0000000000C75000-0x0000000000CAD000-memory.dmp
memory/2732-228-0x00000000747B0000-0x0000000074E9E000-memory.dmp
memory/2064-231-0x00000000747B0000-0x0000000074E9E000-memory.dmp
memory/2064-234-0x00000000071F0000-0x0000000007230000-memory.dmp
memory/2732-235-0x0000000007320000-0x0000000007360000-memory.dmp
memory/2860-237-0x0000000000400000-0x0000000002FB8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-16 23:05
Reported
2023-10-16 23:07
Platform
win10v2004-20230915-en
Max time kernel
102s
Max time network
152s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\5A70.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\5A70.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\5A70.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\665A.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5772.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5772.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5A70.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5F54.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5772.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\665A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6AFF.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5772.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5772.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\512B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\da80cd89-7f5c-457e-bc11-c0367a81eea9\\5772.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\5772.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5A70.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5A70.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1852 set thread context of 1436 | N/A | C:\Users\Admin\AppData\Local\Temp\5772.exe | C:\Users\Admin\AppData\Local\Temp\5772.exe |
| PID 4220 set thread context of 4536 | N/A | C:\Users\Admin\AppData\Local\Temp\5A70.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3932 set thread context of 4940 | N/A | C:\Users\Admin\AppData\Local\Temp\5772.exe | C:\Users\Admin\AppData\Local\Temp\5772.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5772.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\512B.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6AFF.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6AFF.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6AFF.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6AFF.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\5A70.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\71A7.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\5772.exe
C:\Users\Admin\AppData\Local\Temp\5772.exe
C:\Users\Admin\AppData\Local\Temp\5A70.exe
C:\Users\Admin\AppData\Local\Temp\5A70.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5DCD.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\5DCD.dll
C:\Users\Admin\AppData\Local\Temp\5F54.exe
C:\Users\Admin\AppData\Local\Temp\5F54.exe
C:\Users\Admin\AppData\Local\Temp\5772.exe
C:\Users\Admin\AppData\Local\Temp\5772.exe
C:\Users\Admin\AppData\Local\Temp\665A.exe
C:\Users\Admin\AppData\Local\Temp\665A.exe
C:\Users\Admin\AppData\Local\Temp\6AFF.exe
C:\Users\Admin\AppData\Local\Temp\6AFF.exe
C:\Users\Admin\AppData\Local\Temp\71A7.exe
C:\Users\Admin\AppData\Local\Temp\71A7.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\da80cd89-7f5c-457e-bc11-c0367a81eea9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\5772.exe
"C:\Users\Admin\AppData\Local\Temp\5772.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\5772.exe
"C:\Users\Admin\AppData\Local\Temp\5772.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4940 -ip 4940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 568
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\71A7.exe
"C:\Users\Admin\AppData\Local\Temp\71A7.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\512B.exe
C:\Users\Admin\AppData\Local\Temp\512B.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
"C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4464 -ip 4464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 976
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.213.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 31.41.244.27:41140 | tcp | |
| US | 8.8.8.8:53 | 27.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 37.203.224.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | rummygoplay.in | udp |
| IN | 103.251.94.112:443 | rummygoplay.in | tcp |
| US | 8.8.8.8:53 | 112.94.251.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 944830a3-3faa-47d8-836e-ec86deb3d621.uuid.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server3.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| SG | 74.125.24.127:19302 | stun2.l.google.com | udp |
| BG | 185.82.216.96:443 | server3.thestatsfiles.ru | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.97.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.24.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
Files
memory/3120-1-0x00000000008C0000-0x00000000009C0000-memory.dmp
memory/3120-2-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3120-3-0x00000000008B0000-0x00000000008BB000-memory.dmp
memory/3108-4-0x00000000030A0000-0x00000000030B6000-memory.dmp
memory/3120-5-0x0000000000400000-0x00000000007CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5772.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\5772.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\5A70.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
C:\Users\Admin\AppData\Local\Temp\5A70.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/4220-22-0x0000000000F10000-0x00000000016B8000-memory.dmp
memory/4220-23-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4220-24-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4220-25-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4220-26-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4220-27-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4220-29-0x00000000766A0000-0x0000000076790000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5DCD.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
memory/4220-34-0x0000000077034000-0x0000000077036000-memory.dmp
memory/4220-31-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4220-30-0x00000000766A0000-0x0000000076790000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5F54.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
C:\Users\Admin\AppData\Local\Temp\5F54.exe
| MD5 | 7d7ad41ac102ec1f3919414e1346f983 |
| SHA1 | b920bd01839c9b9c5d07ab7925f3ed97a5761b0e |
| SHA256 | f8055ee2a24947fa6e458be038760b79865f7a4497a4c3e5a21c06be30c654c8 |
| SHA512 | 750e1b1580e4f77fa8b29b3219a3eb455294c02b8f986d7c102d92b17b0dc60698358c042c2a362a7fd37bc1f16824253795be4f0c4493694c293d0186e99008 |
C:\Users\Admin\AppData\Local\Temp\5DCD.dll
| MD5 | 000150734fbb3b73b6844c79086d2d1b |
| SHA1 | dc2e8d16b96ea4aed8c2c8576d78f31115411a96 |
| SHA256 | 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d |
| SHA512 | 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c |
memory/4292-43-0x0000000010000000-0x00000000101E4000-memory.dmp
memory/4292-42-0x0000000000EE0000-0x0000000000EE6000-memory.dmp
memory/1436-48-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1436-50-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5772.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
C:\Users\Admin\AppData\Local\Temp\665A.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1436-55-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\665A.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4220-56-0x0000000005770000-0x0000000005D14000-memory.dmp
memory/4220-47-0x0000000000F10000-0x00000000016B8000-memory.dmp
memory/1852-46-0x0000000002580000-0x000000000269B000-memory.dmp
memory/1852-44-0x00000000024E0000-0x000000000257D000-memory.dmp
memory/1436-59-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4220-60-0x0000000005260000-0x00000000052F2000-memory.dmp
memory/4220-61-0x00000000054A0000-0x000000000553C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6AFF.exe
| MD5 | d683bddf6815f3ae95c3e47f14427fed |
| SHA1 | a74475a8be5e7a2640e7542adb20e669df275bc4 |
| SHA256 | 2969629b1aa7d6eaf2be5327c3b2af4c209169a7b60c06855ee21a3ba5870f3e |
| SHA512 | 50364c620f6365e9379ea5e7a9de3c036d8cb8cb6e120644dd4ca3a9861354cb9412ba3b19ed3ad45958cb1f165b6688f668f2359bc1bb646d392f0774d6e591 |
C:\Users\Admin\AppData\Local\Temp\6AFF.exe
| MD5 | d683bddf6815f3ae95c3e47f14427fed |
| SHA1 | a74475a8be5e7a2640e7542adb20e669df275bc4 |
| SHA256 | 2969629b1aa7d6eaf2be5327c3b2af4c209169a7b60c06855ee21a3ba5870f3e |
| SHA512 | 50364c620f6365e9379ea5e7a9de3c036d8cb8cb6e120644dd4ca3a9861354cb9412ba3b19ed3ad45958cb1f165b6688f668f2359bc1bb646d392f0774d6e591 |
memory/4220-66-0x0000000005400000-0x000000000540A000-memory.dmp
memory/4292-69-0x0000000002C90000-0x0000000002D98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\71A7.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Users\Admin\AppData\Local\Temp\71A7.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/372-81-0x0000000000140000-0x00000000001AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/372-82-0x0000000000400000-0x0000000000475000-memory.dmp
memory/372-83-0x0000000000140000-0x00000000001AB000-memory.dmp
memory/4220-86-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4220-87-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4292-100-0x0000000002DA0000-0x0000000002E90000-memory.dmp
memory/4220-108-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4292-115-0x0000000002DA0000-0x0000000002E90000-memory.dmp
memory/4220-101-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4220-96-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4292-119-0x0000000002DA0000-0x0000000002E90000-memory.dmp
memory/2100-92-0x00000000005F0000-0x00000000005FC000-memory.dmp
memory/4220-91-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4220-85-0x0000000000F10000-0x00000000016B8000-memory.dmp
memory/2100-84-0x00000000005F0000-0x00000000005FC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4220-120-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4748-123-0x0000000004D70000-0x0000000005170000-memory.dmp
memory/4220-121-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4748-125-0x0000000005170000-0x0000000005A5B000-memory.dmp
memory/4748-133-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/372-134-0x0000000000140000-0x00000000001AB000-memory.dmp
memory/1436-136-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4292-135-0x0000000010000000-0x00000000101E4000-memory.dmp
memory/1492-137-0x0000000000850000-0x000000000085B000-memory.dmp
memory/4292-139-0x0000000002DA0000-0x0000000002E90000-memory.dmp
memory/1492-138-0x0000000000400000-0x00000000007CE000-memory.dmp
C:\Users\Admin\AppData\Local\da80cd89-7f5c-457e-bc11-c0367a81eea9\5772.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/1492-140-0x0000000000960000-0x0000000000A60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5772.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/1436-143-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4220-146-0x0000000005450000-0x000000000546C000-memory.dmp
memory/4220-147-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4220-148-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4220-150-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4220-152-0x0000000005450000-0x0000000005465000-memory.dmp
memory/3108-155-0x0000000002EC0000-0x0000000002ED6000-memory.dmp
memory/4220-154-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4220-158-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4220-163-0x0000000005450000-0x0000000005465000-memory.dmp
memory/1492-162-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/4220-165-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4220-167-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4748-159-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4220-169-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4220-171-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4220-173-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4220-175-0x0000000005450000-0x0000000005465000-memory.dmp
memory/4536-176-0x0000000000400000-0x000000000045A000-memory.dmp
memory/4536-179-0x0000000073EA0000-0x0000000074650000-memory.dmp
memory/3932-184-0x00000000023A1000-0x0000000002433000-memory.dmp
memory/4940-185-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4220-186-0x0000000005680000-0x0000000005690000-memory.dmp
memory/4940-191-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4220-190-0x00000000766A0000-0x0000000076790000-memory.dmp
memory/4536-189-0x00000000076B0000-0x00000000076C0000-memory.dmp
memory/4220-192-0x0000000000F10000-0x00000000016B8000-memory.dmp
memory/4536-193-0x0000000008570000-0x0000000008B88000-memory.dmp
memory/4536-194-0x0000000007700000-0x0000000007712000-memory.dmp
memory/4536-195-0x0000000007830000-0x000000000793A000-memory.dmp
memory/4940-183-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5772.exe
| MD5 | 83d5f72c8cf168c87a13a7104e2cf1f8 |
| SHA1 | bffcd4da68d49d9d749497b21650ce2600546140 |
| SHA256 | 00870faa83495f0d2954934c87546604c9003100354309af50fe1726656a29b7 |
| SHA512 | 2c1b7aaf1f9c6f69b91efb8e02fa436f78c8c1e1f5642cf36b9a16b19a215f5182c6b68b0e3d2659321402b67217ec1ba21f40c39187624157b35cfb2b5f322a |
memory/4536-196-0x0000000007760000-0x000000000779C000-memory.dmp
memory/4536-197-0x00000000077C0000-0x000000000780C000-memory.dmp
memory/4748-198-0x0000000004D70000-0x0000000005170000-memory.dmp
memory/4748-199-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4536-200-0x0000000008030000-0x0000000008096000-memory.dmp
memory/4748-201-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4536-204-0x0000000073EA0000-0x0000000074650000-memory.dmp
memory/4536-205-0x00000000076B0000-0x00000000076C0000-memory.dmp
memory/4536-206-0x0000000008F30000-0x0000000008FA6000-memory.dmp
memory/2084-207-0x0000000073EA0000-0x0000000074650000-memory.dmp
memory/2084-208-0x0000000004820000-0x0000000004830000-memory.dmp
memory/2084-209-0x0000000002590000-0x00000000025C6000-memory.dmp
memory/4748-210-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/2084-211-0x0000000004820000-0x0000000004830000-memory.dmp
memory/2084-212-0x0000000004E60000-0x0000000005488000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rqf1csyq.4t3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\jvwtgai
| MD5 | d683bddf6815f3ae95c3e47f14427fed |
| SHA1 | a74475a8be5e7a2640e7542adb20e669df275bc4 |
| SHA256 | 2969629b1aa7d6eaf2be5327c3b2af4c209169a7b60c06855ee21a3ba5870f3e |
| SHA512 | 50364c620f6365e9379ea5e7a9de3c036d8cb8cb6e120644dd4ca3a9861354cb9412ba3b19ed3ad45958cb1f165b6688f668f2359bc1bb646d392f0774d6e591 |
memory/4748-262-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\71A7.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
memory/4748-269-0x0000000000400000-0x0000000002FB8000-memory.dmp
memory/4576-303-0x0000000000400000-0x0000000002FB8000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Users\Admin\AppData\Local\Temp\512B.exe
| MD5 | 607610e04c69c4745611af79dddf064a |
| SHA1 | bb57da232ed752ebbbc60dc888f892d5fb197b49 |
| SHA256 | 764fb55514fdb44d826954bb6a751aadbc065b2b96dedf244636d887758e7345 |
| SHA512 | c0f959839c0a209e4ea695a7f63ab9c2d8852e85fd0078f9054e7c619090bddf89707a3cb9e30e04da156d20a38d402ed25b74d117005263327699513f779769 |
C:\Users\Admin\AppData\Local\Temp\512B.exe
| MD5 | 607610e04c69c4745611af79dddf064a |
| SHA1 | bb57da232ed752ebbbc60dc888f892d5fb197b49 |
| SHA256 | 764fb55514fdb44d826954bb6a751aadbc065b2b96dedf244636d887758e7345 |
| SHA512 | c0f959839c0a209e4ea695a7f63ab9c2d8852e85fd0078f9054e7c619090bddf89707a3cb9e30e04da156d20a38d402ed25b74d117005263327699513f779769 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 131cac8378197150e6787b57ea20ff72 |
| SHA1 | 11e11468d0b4b7ce154046e5064ef5571245029c |
| SHA256 | 2c6d7eac7de85070e2084f2c5e1fc561eda605f2a5e68132b4920fc76fd9c3e7 |
| SHA512 | 8d127bea8415fa9da1724627698b44cfea065f121752a2abd99af7707aa91a27f38c2719c58559e23a4648b531c6967207b8e22d85237046d0b918397eb5157f |
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | 607610e04c69c4745611af79dddf064a |
| SHA1 | bb57da232ed752ebbbc60dc888f892d5fb197b49 |
| SHA256 | 764fb55514fdb44d826954bb6a751aadbc065b2b96dedf244636d887758e7345 |
| SHA512 | c0f959839c0a209e4ea695a7f63ab9c2d8852e85fd0078f9054e7c619090bddf89707a3cb9e30e04da156d20a38d402ed25b74d117005263327699513f779769 |
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | 607610e04c69c4745611af79dddf064a |
| SHA1 | bb57da232ed752ebbbc60dc888f892d5fb197b49 |
| SHA256 | 764fb55514fdb44d826954bb6a751aadbc065b2b96dedf244636d887758e7345 |
| SHA512 | c0f959839c0a209e4ea695a7f63ab9c2d8852e85fd0078f9054e7c619090bddf89707a3cb9e30e04da156d20a38d402ed25b74d117005263327699513f779769 |
C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
| MD5 | 607610e04c69c4745611af79dddf064a |
| SHA1 | bb57da232ed752ebbbc60dc888f892d5fb197b49 |
| SHA256 | 764fb55514fdb44d826954bb6a751aadbc065b2b96dedf244636d887758e7345 |
| SHA512 | c0f959839c0a209e4ea695a7f63ab9c2d8852e85fd0078f9054e7c619090bddf89707a3cb9e30e04da156d20a38d402ed25b74d117005263327699513f779769 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8c1834cf87fe57a2144a66d975b94f7f |
| SHA1 | 75f88e951ef85a067456647626420b76e063ce45 |
| SHA256 | b518443d3960a98558aab736fa8b0a5181f7dc643209b8807d300f2ebbb60256 |
| SHA512 | 01f1cc803ed20786376970922eefdba9261730afc169ed5d7f0419353ffe9197dc0c283ac0ce1b8ece3afb6acaa4451cc31aad8a7ec527c778b55abe40a743f3 |
C:\Windows\rss\csrss.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\rss\csrss.exe
| MD5 | f0118fdfcadf8262c58b3638c0edc6a9 |
| SHA1 | a10b96bfc56711c9d605a0b61cca01b4ba6b6658 |
| SHA256 | 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205 |
| SHA512 | 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1eb4344e91ec66cf94e6237f06c5b146 |
| SHA1 | 647a8f91064c07d7f16b4761687af77b8699c72b |
| SHA256 | 67802d28db89d624b7cc7f7f81180977c6e9f97d247f22a194a812922855473a |
| SHA512 | 1e7550a83074d6c8d66d97273a65f21745cb94ee20d379eacd2fb3ad30dd8dbcdcd4d176dc754bc9ac6897cf14e350a32416e0b20c3ecce5402bcd310f54bb29 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 3aa47241e65252e88a61d791451c797b |
| SHA1 | fbb760aa385102ac646b2cb1431f1078d7746eb7 |
| SHA256 | 534cdca077995fcfc27b68c0c564fc5721ecabd36ca590fc914661fa649f55b3 |
| SHA512 | 8a6c814a599fe2efd9f09470fd21d1d13fb8a426fc87f1d2eb13e1ca1fa8ed85f67908695591f221560e267161b47063fc0a2607ce6c466ea322480c77b32970 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6c4d552f99a51faa19f26e08e90758dc |
| SHA1 | 2c28edb10ace66c9da8416ac1f6837637630a213 |
| SHA256 | 0d4cbd3010bebd644a4f97685685533e0ccc29105e6a90b2a18c395fb14c4f7f |
| SHA512 | de0d5617508b5649506ce3f2306be089f4f2f1b3342bac6ba43036f132f7fdd783bf0bdd5265cb8c144f0fe710d14d7c1cec729dc74235727bb38f80ad878002 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |