Malware Analysis Report

2025-01-18 06:30

Sample ID 231016-lmv83afb79
Target 670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d
SHA256 670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 up3 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware themida trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d

Threat Level: Known bad

The file 670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) pub1 up3 backdoor collection discovery dropper evasion infostealer loader persistence ransomware spyware themida trojan

Djvu Ransomware

RedLine

SmokeLoader

Glupteba payload

Glupteba

RedLine payload

Detected Djvu ransomware

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Checks computer location settings

Checks BIOS information in registry

Themida packer

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

outlook_win_path

Modifies data under HKEY_USERS

outlook_office_path

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 09:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 09:39

Reported

2023-10-16 09:42

Platform

win10v2004-20230915-en

Max time kernel

136s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\69A3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\69A3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\69A3.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\81B2.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\6702.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ce97bcc3-16ca-4f68-85f8-03ca3db3bed1\\6702.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\6702.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\69A3.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\69A3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\879F.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\879F.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\879F.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\879F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\69A3.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\91E1.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\91E1.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 3172 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 3172 wrote to memory of 1880 N/A N/A C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 3172 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\Temp\69A3.exe
PID 3172 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\Temp\69A3.exe
PID 3172 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\Temp\69A3.exe
PID 3172 wrote to memory of 5032 N/A N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe
PID 3172 wrote to memory of 5032 N/A N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe
PID 3172 wrote to memory of 5032 N/A N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 1880 wrote to memory of 1156 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Users\Admin\AppData\Local\Temp\6702.exe
PID 3172 wrote to memory of 3180 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3172 wrote to memory of 3180 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3172 wrote to memory of 4112 N/A N/A C:\Users\Admin\AppData\Local\Temp\81B2.exe
PID 3172 wrote to memory of 4112 N/A N/A C:\Users\Admin\AppData\Local\Temp\81B2.exe
PID 3172 wrote to memory of 4112 N/A N/A C:\Users\Admin\AppData\Local\Temp\81B2.exe
PID 5032 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5032 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5032 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5032 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5032 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5032 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5032 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5032 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\78B7.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3172 wrote to memory of 3708 N/A N/A C:\Users\Admin\AppData\Local\Temp\879F.exe
PID 3172 wrote to memory of 3708 N/A N/A C:\Users\Admin\AppData\Local\Temp\879F.exe
PID 3172 wrote to memory of 3708 N/A N/A C:\Users\Admin\AppData\Local\Temp\879F.exe
PID 3172 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\91E1.exe
PID 3172 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\91E1.exe
PID 3172 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\91E1.exe
PID 3180 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3180 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3180 wrote to memory of 2272 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3172 wrote to memory of 4172 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 4172 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 4172 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 4172 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3172 wrote to memory of 1800 N/A N/A C:\Windows\explorer.exe
PID 3172 wrote to memory of 1800 N/A N/A C:\Windows\explorer.exe
PID 3172 wrote to memory of 1800 N/A N/A C:\Windows\explorer.exe
PID 4112 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\81B2.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4112 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\81B2.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 4112 wrote to memory of 3248 N/A C:\Users\Admin\AppData\Local\Temp\81B2.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3248 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3248 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 3248 wrote to memory of 644 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1156 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Windows\SysWOW64\icacls.exe
PID 1156 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Windows\SysWOW64\icacls.exe
PID 1156 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\6702.exe C:\Windows\SysWOW64\icacls.exe
PID 3248 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3248 wrote to memory of 4320 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4320 wrote to memory of 828 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d.exe

"C:\Users\Admin\AppData\Local\Temp\670fb89cbe546e0fb5a2a5ac46eb1aeabe67d82d6035356feee872e7f4b3736d.exe"

C:\Users\Admin\AppData\Local\Temp\6702.exe

C:\Users\Admin\AppData\Local\Temp\6702.exe

C:\Users\Admin\AppData\Local\Temp\69A3.exe

C:\Users\Admin\AppData\Local\Temp\69A3.exe

C:\Users\Admin\AppData\Local\Temp\78B7.exe

C:\Users\Admin\AppData\Local\Temp\78B7.exe

C:\Users\Admin\AppData\Local\Temp\6702.exe

C:\Users\Admin\AppData\Local\Temp\6702.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7CA0.dll

C:\Users\Admin\AppData\Local\Temp\81B2.exe

C:\Users\Admin\AppData\Local\Temp\81B2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\879F.exe

C:\Users\Admin\AppData\Local\Temp\879F.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7CA0.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5032 -ip 5032

C:\Users\Admin\AppData\Local\Temp\91E1.exe

C:\Users\Admin\AppData\Local\Temp\91E1.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 148

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ce97bcc3-16ca-4f68-85f8-03ca3db3bed1" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\6702.exe

"C:\Users\Admin\AppData\Local\Temp\6702.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\6702.exe

"C:\Users\Admin\AppData\Local\Temp\6702.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3304 -ip 3304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 568

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

"C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\91E1.exe

"C:\Users\Admin\AppData\Local\Temp\91E1.exe"

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml"

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.22.238.8.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 snukerukeutit.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 57.21.21.104.in-addr.arpa udp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 galandskiyher5.com udp
NL 194.169.175.127:80 galandskiyher5.com tcp
US 95.214.27.254:80 95.214.27.254 tcp
US 8.8.8.8:53 127.175.169.194.in-addr.arpa udp
US 8.8.8.8:53 parrotnight.com udp
US 188.114.97.0:443 parrotnight.com tcp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 254.27.214.95.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
US 8.8.8.8:53 unclejohny.com udp
US 104.21.56.176:443 unclejohny.com tcp
US 8.8.8.8:53 176.56.21.104.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
KR 211.104.254.139:80 wirtshauspost.at tcp
US 8.8.8.8:53 139.254.104.211.in-addr.arpa udp
KR 211.104.254.139:80 wirtshauspost.at tcp
KR 211.104.254.139:80 wirtshauspost.at tcp
KR 211.104.254.139:80 wirtshauspost.at tcp
KR 211.104.254.139:80 wirtshauspost.at tcp
KR 211.104.254.139:80 wirtshauspost.at tcp
KR 211.104.254.139:80 wirtshauspost.at tcp
RU 31.41.244.27:41140 tcp
KR 211.104.254.139:80 wirtshauspost.at tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
KR 211.104.254.139:80 wirtshauspost.at tcp
KR 211.104.254.139:80 wirtshauspost.at tcp
KR 211.104.254.139:80 wirtshauspost.at tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
KR 211.104.254.139:80 wirtshauspost.at tcp
US 8.8.8.8:53 host-file-host6.com udp
US 8.8.8.8:53 host-host-file8.com udp
NL 194.169.175.127:80 host-host-file8.com tcp
US 8.8.8.8:53 ca10cc72-bab6-415e-9cc7-2231c1572cc9.uuid.thestatsfiles.ru udp

Files

memory/1540-1-0x00000000007E0000-0x00000000008E0000-memory.dmp

memory/1540-2-0x0000000000990000-0x000000000099B000-memory.dmp

memory/1540-3-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/1540-4-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/3172-5-0x0000000002EE0000-0x0000000002EF6000-memory.dmp

memory/1540-6-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/1540-9-0x0000000000990000-0x000000000099B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6702.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\6702.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/1880-22-0x0000000002460000-0x00000000024FA000-memory.dmp

memory/1880-23-0x0000000002500000-0x000000000261B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\69A3.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

C:\Users\Admin\AppData\Local\Temp\69A3.exe

MD5 df26dcbc3c8289a50c8c1857a0640366
SHA1 298582ef0a1c2773c973d761e0a7f93db74b9397
SHA256 a238e7725be8efddc097f716169100e2043953e76ac26976a4ec4ea2c5fa365d
SHA512 de3c637d2f4aed4c2f546fde1b88ba7120ef00ebde04ea52a4a3ce5ccc88f664c6445edc6fbe2ce646473fb9743cebc812f7ec343333ac59f7d93b0a1b363a6c

memory/1684-27-0x00000000008B0000-0x0000000001030000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\78B7.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\6702.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/1156-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1156-31-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\78B7.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/1156-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1684-38-0x00000000766D0000-0x00000000767C0000-memory.dmp

memory/1684-41-0x00000000766D0000-0x00000000767C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81B2.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1684-45-0x00000000766D0000-0x00000000767C0000-memory.dmp

memory/1684-46-0x00000000766D0000-0x00000000767C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\81B2.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1684-42-0x00000000766D0000-0x00000000767C0000-memory.dmp

memory/1684-47-0x0000000077854000-0x0000000077856000-memory.dmp

memory/2040-48-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\879F.exe

MD5 1f96894c9b596b9603460fd60992772e
SHA1 30cdfba83858730581a465fd05d8a25920c501b8
SHA256 42bfa4d580a2f35e99fd000efce3cb606682e080c570cba47938a3e51092194a
SHA512 8f75f5d50c399bfac90e2075330e12c9149a2495ea8c810042932f0e91c6be7d17abe880f0faf0ea4a163f280125ff236b5350bd6df55f4b149134e6c0a1302e

C:\Users\Admin\AppData\Local\Temp\879F.exe

MD5 1f96894c9b596b9603460fd60992772e
SHA1 30cdfba83858730581a465fd05d8a25920c501b8
SHA256 42bfa4d580a2f35e99fd000efce3cb606682e080c570cba47938a3e51092194a
SHA512 8f75f5d50c399bfac90e2075330e12c9149a2495ea8c810042932f0e91c6be7d17abe880f0faf0ea4a163f280125ff236b5350bd6df55f4b149134e6c0a1302e

memory/1684-55-0x00000000008B0000-0x0000000001030000-memory.dmp

memory/1156-59-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3708-62-0x0000000000850000-0x000000000085B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7CA0.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/3708-63-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/3708-64-0x0000000000890000-0x0000000000990000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91E1.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1684-69-0x00000000766D0000-0x00000000767C0000-memory.dmp

memory/1684-70-0x00000000766D0000-0x00000000767C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\91E1.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/1800-72-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

memory/1800-73-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7CA0.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/3172-75-0x0000000003130000-0x0000000003146000-memory.dmp

memory/3708-76-0x0000000000400000-0x00000000007CC000-memory.dmp

memory/4172-79-0x0000000000140000-0x00000000001AB000-memory.dmp

memory/2040-80-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/1684-81-0x00000000008B0000-0x0000000001030000-memory.dmp

memory/3140-84-0x00000000051A0000-0x0000000005A8B000-memory.dmp

memory/2272-86-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/2040-85-0x0000000007D90000-0x0000000008334000-memory.dmp

memory/2040-91-0x0000000007890000-0x0000000007922000-memory.dmp

memory/3140-92-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/3140-93-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1684-95-0x00000000766D0000-0x00000000767C0000-memory.dmp

memory/1684-96-0x00000000766D0000-0x00000000767C0000-memory.dmp

memory/4172-97-0x0000000000400000-0x0000000000480000-memory.dmp

memory/4172-98-0x0000000000140000-0x00000000001AB000-memory.dmp

memory/3140-100-0x0000000004D90000-0x0000000005193000-memory.dmp

memory/2272-107-0x0000000001080000-0x0000000001086000-memory.dmp

memory/1684-99-0x0000000005B00000-0x0000000005B9C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2272-123-0x0000000002CC0000-0x0000000002DC8000-memory.dmp

memory/1684-124-0x00000000766D0000-0x00000000767C0000-memory.dmp

memory/2272-127-0x0000000002DD0000-0x0000000002EC0000-memory.dmp

memory/2272-128-0x0000000002DD0000-0x0000000002EC0000-memory.dmp

memory/2272-131-0x0000000002DD0000-0x0000000002EC0000-memory.dmp

memory/2040-134-0x0000000007A70000-0x0000000007A80000-memory.dmp

memory/1684-132-0x00000000766D0000-0x00000000767C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2272-137-0x0000000002DD0000-0x0000000002EC0000-memory.dmp

memory/4172-144-0x0000000000140000-0x00000000001AB000-memory.dmp

memory/2040-146-0x0000000007A90000-0x0000000007A9A000-memory.dmp

memory/1156-147-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\ce97bcc3-16ca-4f68-85f8-03ca3db3bed1\6702.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\6702.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/1156-149-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2040-152-0x0000000008960000-0x0000000008F78000-memory.dmp

memory/2040-154-0x0000000008340000-0x000000000844A000-memory.dmp

memory/2040-155-0x0000000007B60000-0x0000000007B72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 3c05ec5bc8f3d3b9e96fa6ddddba75da
SHA1 0ff0f26c8a8e78e28ffa254392af04a7537a0667
SHA256 4c04075ed2a8a41b568c8d50cba42851544eb7e6e2c1700aa0994b13fba94759
SHA512 96a58c3802f2142da8f2d903969bb6a0c670935d18a1879e2b58404d37983f23d5149a8f0e7aee3a4bb9ed5a95e7cf618194fae108de319025e206c95055d1c0

memory/3140-153-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2040-165-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/3304-168-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\6702.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/824-171-0x0000000000A78000-0x0000000000B0A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 3c05ec5bc8f3d3b9e96fa6ddddba75da
SHA1 0ff0f26c8a8e78e28ffa254392af04a7537a0667
SHA256 4c04075ed2a8a41b568c8d50cba42851544eb7e6e2c1700aa0994b13fba94759
SHA512 96a58c3802f2142da8f2d903969bb6a0c670935d18a1879e2b58404d37983f23d5149a8f0e7aee3a4bb9ed5a95e7cf618194fae108de319025e206c95055d1c0

memory/3304-178-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 3c05ec5bc8f3d3b9e96fa6ddddba75da
SHA1 0ff0f26c8a8e78e28ffa254392af04a7537a0667
SHA256 4c04075ed2a8a41b568c8d50cba42851544eb7e6e2c1700aa0994b13fba94759
SHA512 96a58c3802f2142da8f2d903969bb6a0c670935d18a1879e2b58404d37983f23d5149a8f0e7aee3a4bb9ed5a95e7cf618194fae108de319025e206c95055d1c0

memory/3140-185-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2040-184-0x0000000007C30000-0x0000000007C7C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000397001\taskhost.exe

MD5 62962daa1b19bbcc2db10b7bfd531ea6
SHA1 d64bae91091eda6a7532ebec06aa70893b79e1f8
SHA256 80c3fe2ae1062abf56456f52518bd670f9ec3917b7f85e152b347ac6b6faf880
SHA512 9002a0475fdb38541e78048709006926655c726e93e823b84e2dbf5b53fd539a5342e7266447d23db0e5528e27a19961b115b180c94f2272ff124c7e5c8304e7

memory/2040-173-0x0000000007BC0000-0x0000000007BFC000-memory.dmp

memory/3140-187-0x0000000004D90000-0x0000000005193000-memory.dmp

memory/3304-172-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 3b04bffea95fc3e82d3b22987cb0c601
SHA1 65439af7f7183a8d962221c2b426a557e55debe9
SHA256 25c4392ff24183e74d458e3d6cda391c5616e05bd4d8e578183ad9d3c02e0476
SHA512 18269d67bad3cf368ca28b62fbcb53caee0c89e1d1fc84b59de2fb4792789a822df1f3f46fc527ce5c0d0233be484f5f7738a438ac5a903f2a65632ccb541b1b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 639acdaace58c43d0f7bd1e39500f3e9
SHA1 5cbd8726f735229378f02c46f21a999f97ecadcd
SHA256 f656a4d01e8098ee56f6ea78e9946b617e1da0958eb882898efb5dc42759aad0
SHA512 7cf8ec1c20a0ca4ac806968170516e1aaabdfb2c5b31cb42405911592283ef18108b404cde5e1d9205b66d27aaf535464923b4486086d7570078d9eb86665bde

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a27d500ae90c9efd6449a05578bb1290
SHA1 51097673ed0e051c46165bd9f45360a978caa132
SHA256 384530fbd662d71d5830911057684e89363364419f7a8e6c5e3382dbf2dbd743
SHA512 5d451f5f0bebf0f470bc61f0712156292abe4aac87335a620abf2cd99318c8bebd27a508443489e56dfff7e0125260e973c8eb3ffd18386d3db7d61e6f9b42fb

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

memory/2040-208-0x0000000007A70000-0x0000000007A80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

memory/3372-217-0x0000000000850000-0x0000000000859000-memory.dmp

memory/3372-214-0x0000000000910000-0x0000000000A10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000114001\toolspub2.exe

MD5 3c05ec5bc8f3d3b9e96fa6ddddba75da
SHA1 0ff0f26c8a8e78e28ffa254392af04a7537a0667
SHA256 4c04075ed2a8a41b568c8d50cba42851544eb7e6e2c1700aa0994b13fba94759
SHA512 96a58c3802f2142da8f2d903969bb6a0c670935d18a1879e2b58404d37983f23d5149a8f0e7aee3a4bb9ed5a95e7cf618194fae108de319025e206c95055d1c0

memory/4124-231-0x0000000000400000-0x0000000000409000-memory.dmp

memory/4124-229-0x0000000000400000-0x0000000000409000-memory.dmp

C:\Users\Admin\AppData\Roaming\avfhfji

MD5 1f96894c9b596b9603460fd60992772e
SHA1 30cdfba83858730581a465fd05d8a25920c501b8
SHA256 42bfa4d580a2f35e99fd000efce3cb606682e080c570cba47938a3e51092194a
SHA512 8f75f5d50c399bfac90e2075330e12c9149a2495ea8c810042932f0e91c6be7d17abe880f0faf0ea4a163f280125ff236b5350bd6df55f4b149134e6c0a1302e

memory/116-235-0x0000000004CA0000-0x000000000509F000-memory.dmp

memory/116-236-0x00000000050A0000-0x000000000598B000-memory.dmp

memory/116-237-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/3140-238-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4124-265-0x0000000000400000-0x0000000000409000-memory.dmp

memory/3172-264-0x0000000002D60000-0x0000000002D76000-memory.dmp

memory/116-271-0x0000000000400000-0x0000000002FB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

memory/1684-276-0x0000000005ED0000-0x0000000005EEC000-memory.dmp

memory/2040-277-0x00000000085D0000-0x0000000008636000-memory.dmp

memory/1684-278-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/1684-279-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/1684-282-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/1684-284-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/1684-286-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/3140-280-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/1684-289-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/116-288-0x0000000004CA0000-0x000000000509F000-memory.dmp

memory/4072-292-0x0000000002810000-0x0000000002846000-memory.dmp

memory/1684-291-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4072-295-0x0000000004FB0000-0x00000000055D8000-memory.dmp

memory/1684-294-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4072-296-0x00000000746C0000-0x0000000074E70000-memory.dmp

memory/4072-298-0x0000000002850000-0x0000000002860000-memory.dmp

memory/1684-299-0x0000000005ED0000-0x0000000005EE5000-memory.dmp

memory/4192-301-0x00000000746C0000-0x0000000074E70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_maunddej.p4y.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 a6ea7bfcd3aac150c0caef765cb52281
SHA1 037dc22c46a0eb0b9ad4c74088129e387cffe96b
SHA256 f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9
SHA512 c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

C:\Users\Admin\AppData\Local\Temp\1000115001\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 8627c70b06ccae7c64acdd10a0d5d0ae
SHA1 fd87db535189654374d269e59ff1dd62020e4464
SHA256 a000684c9fcd2d5a528161a3513f726b2307fa6b50788a568fec0930b452d59e
SHA512 a4ba244cc35acd7be1a75239d0d6e148a0fd46d8fb09d650ccffc00c4e5f891b0810a316b28f08f1f2a19b2fdcb9097bcba5a6fe04c39a7d83e4dcf194dfdd99

C:\Users\Admin\AppData\Local\Temp\91E1.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 c671d50d589ce7be9ad3ff4035e6ad63
SHA1 88cdc154077c8264149cb8b19e16ba07901e1dd6
SHA256 fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568
SHA512 a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 56b3c10eb760a0043220e8f500761a0c
SHA1 52cb1c838cbc8fed002d9489108cee17273a462f
SHA256 18ff037776990067ea2056a80098896d36105de84fd0ae6c11ef9980bccced4b
SHA512 5533197fe170572975d460940b15895598edc9f2d94085fd4c3e793caa232505c250d6bd7c756b9053154a0b071f520625181e5747324ab504fbb5346a450eb9

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 56b3c10eb760a0043220e8f500761a0c
SHA1 52cb1c838cbc8fed002d9489108cee17273a462f
SHA256 18ff037776990067ea2056a80098896d36105de84fd0ae6c11ef9980bccced4b
SHA512 5533197fe170572975d460940b15895598edc9f2d94085fd4c3e793caa232505c250d6bd7c756b9053154a0b071f520625181e5747324ab504fbb5346a450eb9

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 99305fb56b7abc7e1e1c1cb18a7fe5be
SHA1 c7e278faf88d45f109c01ca1d9825ba378d12017
SHA256 c20ca3d441dde288ed4f94fa6fe0ce5046acd95abd2a90701b3141a66dfa2ac7
SHA512 5f990579266ee1611ab08955472f76e6dbd2e6713f8d67fda7df413605b7014c133ba0ef4918bd90edf00b9a48fb3c32fd41e1983f0d141aa73ff0ccd3f417b9

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 99305fb56b7abc7e1e1c1cb18a7fe5be
SHA1 c7e278faf88d45f109c01ca1d9825ba378d12017
SHA256 c20ca3d441dde288ed4f94fa6fe0ce5046acd95abd2a90701b3141a66dfa2ac7
SHA512 5f990579266ee1611ab08955472f76e6dbd2e6713f8d67fda7df413605b7014c133ba0ef4918bd90edf00b9a48fb3c32fd41e1983f0d141aa73ff0ccd3f417b9

C:\Windows\System32\drivers\etc\hosts

MD5 afdbe8b5c48f7db75270c64a3b48611c
SHA1 cddb22e3a394aafddad3761ef84b00ce51d43184
SHA256 5f8432d0251b18591d359c36ef56064dac54369d1e33cd5c2e80f426e6561cd5
SHA512 cea0fb172576abb6378bf9c95054eb1066a612ec6ed698a8dd0d49e5d1364642ef6699051b61dbce3ab98f1596fdbe10ec0ede32e2486ea292499c6f9f97fb89

C:\Users\Admin\AppData\Local\Temp\grrhfnlxagtw.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2a58f4a8b3123fd9d8aaac7a3491f14d
SHA1 574980f9be927d084260423a6a8cec3e11f2c2c8
SHA256 b46cbdf636827eebd77279d644cf4cea2b4cc7f0f2483ab2cbc3d7fc56e1152f
SHA512 de6629b94f99987da687f099c9baa3e61bec49b195dc56f6ff3707754a845ff84c790cb22391570d2ad2ec977afcecd18f177e624af04b1ecd187562c1a1c441

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Program Files\Google\Chrome\updater.exe

MD5 0c5f3483a23c84f846ea7953c4bdd390
SHA1 fa9d08eb946292f9e9578de5cac7d9ddad8eb49d
SHA256 2dc47f48d34658df21546fc76a6983bd957423c01b22749ccd168b732ca0a42d
SHA512 4a76a1cf27d8797ef84fb0dabc207b433fb9533f80d51d7c6f3b4e3e77d225fb79d47aee003a678df22c19dac8ef3ed34ee5cf82225fe262c466f9c5e5481b7f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2a58f4a8b3123fd9d8aaac7a3491f14d
SHA1 574980f9be927d084260423a6a8cec3e11f2c2c8
SHA256 b46cbdf636827eebd77279d644cf4cea2b4cc7f0f2483ab2cbc3d7fc56e1152f
SHA512 de6629b94f99987da687f099c9baa3e61bec49b195dc56f6ff3707754a845ff84c790cb22391570d2ad2ec977afcecd18f177e624af04b1ecd187562c1a1c441

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 30f25cf1353663d6a7a6ad36a3b36be4
SHA1 1b2d547fae7b49c2fee87c9e86e1bbf88c1a6c69
SHA256 ef127a69e2b6a6f3b241629e70871c9a9e7684be33cbe5fd5ae7f6b7ce91ae30
SHA512 8c51f9dfd3d2ec9428b28db21303cfa55af2199ead56d1660c21919e9f80644d8bb768986f8a43f857ae2d8c4afe71fd10e1900fa14463e58de22333087a80ce

C:\Users\Admin\AppData\Local\Temp\1000116001\latestX.exe

MD5 bae29e49e8190bfbbf0d77ffab8de59d
SHA1 4a6352bb47c7e1666a60c76f9b17ca4707872bd9
SHA256 f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87
SHA512 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 75ed2716edf6fa27a5581464ea8e9567
SHA1 92928b260810c656e4427eda0c9c40183696240d
SHA256 90276f4214a83c9783d7c539511e50911d006eca3a6ef075585058af2b32c1ba
SHA512 0bb70e29fa32d9870e095f635692164ef311dfc4b15295cb0b48bb5498ddda61cd26b13f7c2544f4cbe5b975ff1ee596215e986e37cd1174b2c6d896d323fe9b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a167a47186ce383029a6b3c2d3b4c25c
SHA1 1edf34d6e8de4ea62346b50b65315ee71a804787
SHA256 f0647c3a01a095ae2d9be35b655bf990eb82cbce51e3c63d7204587e065e8e21
SHA512 c396fd94156495dd8df298859ff41b9aaa34e7c3ff27ff45a1be9c396ce031010440af48f185c224034ad5e996589d29cb0fa0dd6de5cf86100984765a44828b