Malware Analysis Report

2025-01-18 05:50

Sample ID 231016-tjrqgabh62
Target 57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29
SHA256 57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29
Tags
amadey djvu glupteba redline smokeloader vidar 13088c19c5a97b42d0d1d9573cc9f1b8 logsdiller cloud (tg: @logsdillabot) pub1 backdoor collection discovery dropper evasion infostealer loader persistence ransomware rootkit spyware stealer themida trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29

Threat Level: Known bad

The file 57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29 was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

RedLine

Detected Djvu ransomware

Glupteba

Amadey

Vidar

Windows security bypass

Djvu Ransomware

Glupteba payload

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Downloads MZ/PE file

Deletes itself

UPX packed file

Themida packer

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Windows security modification

Checks BIOS information in registry

Reads user/profile data of web browsers

Manipulates WinMonFS driver

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Accesses 2FA software files, possible credential harvesting

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Unsigned PE

outlook_win_path

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

outlook_office_path

Creates scheduled task(s)

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-16 16:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-16 16:05

Reported

2023-10-16 16:08

Platform

win10-20230915-en

Max time kernel

157s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
(17 rows with all four columns N/A; the sandbox recorded no details for these matches)

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Vidar

stealer vidar

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\92CB.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\5C74.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\5C74.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\5C74.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C74.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8107.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5956.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\92CB.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A

Accesses 2FA software files, possible credential harvesting

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3dc26436-174b-4832-82e6-59cd81eb5590\\5956.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5956.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
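The Defender exclusion rows in the "Windows security bypass" and "Windows security modification" tables and the Run key rows directly above share one row format, so a single script can turn them into triage findings. What follows is an added example, not code from the report or from the sandbox vendor. It parses the rows as they appear on this page (the column layout is assumed from the tables) and flags what a responder pulls out first: exclusions that shield user-writable or driver directories, image names that copy a system process (csrss.exe outside System32) or Defender itself (windefender.exe), and autostart entries pointing into AppData or GUID-named folders. Every exclusion here is written by 92CB.exe, which is itself dropped under Temp.

```python
"""Triage the 'Set value' registry rows of a sandbox behaviour report.

Added example, not code from the report or from any sandbox vendor. Row layout
assumed from the tables above: Description, Indicator, Process, Target separated
by spaces; REG_SZ data quoted, with quotes and backslashes backslash-escaped.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (\S+) (\S+)$')

# Image names that belong in System32/SysWOW64; the same name elsewhere is a masquerade.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe",
                "winlogon.exe", "services.exe", "explorer.exe"}
GUID_DIR = re.compile(r"\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\\", re.I)

# Rows copied verbatim from the "Windows security bypass" and "Adds Run key" tables above.
ROWS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3dc26436-174b-4832-82e6-59cd81eb5590\\5956.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\5956.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
'''


@dataclass
class Finding:
    kind: str      # "defender_exclusion" or "run_key"
    name: str      # excluded path/process name, or the Run value name
    command: str   # Run command line ("" for exclusions)
    process: str   # process that wrote the value
    reasons: List[str] = field(default_factory=list)


def unescape(data: str) -> str:
    """Undo the report's escaping of quotes and backslashes in REG_SZ data."""
    return data.replace('\\"', '"').replace('\\\\', '\\')


def parse_row(line: str) -> Optional[Tuple[str, str, str, str]]:
    """(value type, key\\valuename, data, writing process), or None for other row kinds."""
    m = ROW_RE.match(line)
    if not m:
        return None
    vtype, key, data, process, _target = m.groups()
    return vtype, key, unescape(data) if vtype == "str" else data, process


def first_exe(command: str) -> str:
    """Executable of a Run command: the quoted first token, else the first bare token."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def check_exclusion(category: str, target: str, reasons: List[str]) -> None:
    t = target.lower()
    base = t.rsplit("\\", 1)[-1]
    if "\\appdata\\" in t or "\\temp\\" in t:
        reasons.append("exclusion covers a user-writable directory")
    if t.endswith("\\system32\\drivers"):
        reasons.append("exclusion covers the kernel driver directory")
    if base in SYSTEM_NAMES:
        reasons.append(f"{category} exclusion named after system process {base}")
    if "defender" in base:
        reasons.append(f"Defender-lookalike name {base}")
    if not reasons:
        reasons.append("Defender exclusion added at runtime")


def check_run_key(command: str, reasons: List[str]) -> None:
    e = first_exe(command).lower()
    base = e.rsplit("\\", 1)[-1]
    if "\\appdata\\" in e or "\\temp\\" in e:
        reasons.append("autostart binary in a user-writable directory")
    if GUID_DIR.search(e):
        reasons.append("autostart binary in a GUID-named directory")
    if base in SYSTEM_NAMES and "\\windows\\system32\\" not in e and "\\windows\\syswow64\\" not in e:
        reasons.append(f"system process name {base} outside System32")


def analyze(rows: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in rows.strip().splitlines():
        parsed = parse_row(line.strip())
        if parsed is None:
            continue
        _vtype, key, data, process = parsed
        k = key.lower()
        if "\\windows defender\\exclusions\\" in k:
            # "...\Exclusions\Paths\C:\Windows\rss" -> category "Paths", target "C:\Windows\rss"
            category, _, target = key.split("\\Exclusions\\", 1)[1].partition("\\")
            f = Finding("defender_exclusion", target, "", process)
            check_exclusion(category, target, f.reasons)
        elif "\\currentversion\\run\\" in k:
            f = Finding("run_key", key.rsplit("\\", 1)[-1], data, process)
            check_run_key(data, f.reasons)
        else:
            continue
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(ROWS):
        print(f.kind, f.name, "<-", f.process, "|", "; ".join(f.reasons))
```

On a live host the same questions are answered by `Get-MpPreference` (the ExclusionPath and ExclusionProcess properties) and by Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, which records configuration changes including new exclusions. Writing under HKLM\SOFTWARE\Microsoft\Windows Defender requires an elevated token, and with Tamper Protection enabled the Defender driver refuses the write even then; whether the exclusions took effect on the sandbox VM is not something these rows show.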

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5C74.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5C74.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\5F63.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8107.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8107.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8107.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control C:\Windows\system32\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29.exe N/A
(62 further rows with all four columns N/A; no process recorded for these matches)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8107.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5C74.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\92CB.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3236 wrote to memory of 3384 N/A N/A C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3236 wrote to memory of 3384 N/A N/A C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3236 wrote to memory of 3384 N/A N/A C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3236 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\Temp\5C74.exe
PID 3236 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\Temp\5C74.exe
PID 3236 wrote to memory of 2156 N/A N/A C:\Users\Admin\AppData\Local\Temp\5C74.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3236 wrote to memory of 5100 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe
PID 3236 wrote to memory of 5100 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe
PID 3236 wrote to memory of 5100 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3236 wrote to memory of 4744 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3236 wrote to memory of 4744 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4744 wrote to memory of 4952 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4744 wrote to memory of 4952 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4744 wrote to memory of 4952 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5100 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5100 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5100 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5100 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5100 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5100 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5100 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 5100 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3236 wrote to memory of 3396 N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 3236 wrote to memory of 3396 N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 3236 wrote to memory of 3396 N/A N/A C:\Users\Admin\AppData\Local\Temp\7668.exe
PID 3236 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\8107.exe
PID 3236 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\8107.exe
PID 3236 wrote to memory of 4480 N/A N/A C:\Users\Admin\AppData\Local\Temp\8107.exe
PID 3228 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Windows\SysWOW64\icacls.exe
PID 3228 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Windows\SysWOW64\icacls.exe
PID 3228 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Windows\SysWOW64\icacls.exe
PID 3396 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3396 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3396 wrote to memory of 4536 N/A C:\Users\Admin\AppData\Local\Temp\7668.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3236 wrote to memory of 4152 N/A N/A C:\Users\Admin\AppData\Local\Temp\92CB.exe
PID 3236 wrote to memory of 4152 N/A N/A C:\Users\Admin\AppData\Local\Temp\92CB.exe
PID 3236 wrote to memory of 4152 N/A N/A C:\Users\Admin\AppData\Local\Temp\92CB.exe
PID 3236 wrote to memory of 4376 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3236 wrote to memory of 4376 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3236 wrote to memory of 4376 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 3236 wrote to memory of 4376 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 4536 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4536 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4536 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 4536 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4536 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 3236 wrote to memory of 2884 N/A N/A C:\Windows\explorer.exe
PID 3236 wrote to memory of 2884 N/A N/A C:\Windows\explorer.exe
PID 3236 wrote to memory of 2884 N/A N/A C:\Windows\explorer.exe
PID 4580 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4580 wrote to memory of 4372 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2156 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\5C74.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
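The rows above only record that one PID wrote into another. On its own that is weak evidence, because a parent writes into every child it creates (environment block, PEB); what makes a row interesting is who the parent is and which image the child runs. The script below is an added example, not part of the sandbox's report or its detection logic: it parses rows in the table's format, de-duplicates them, and flags the two patterns visible in this run, a non-system parent writing into a Windows-signed image that commodity loaders use as an injection host (5F63.exe into AppLaunch.exe, the unattributed PID 3236 into explorer.exe) and a sample writing into a freshly spawned copy of its own image (5956.exe into 5956.exe), the usual hollowing shape. The sample rows are copied from the table; the INJECTION_HOSTS list and the "parent under C:\Windows is trusted" shortcut are this example's assumptions.

```python
"""Flag likely process injection among 'PID X wrote to memory of Y' rows.

Constructed input: SAMPLE_ROWS are copied verbatim from the sandbox table.
INJECTION_HOSTS and the "parent under C:\\Windows is trusted" heuristic are
assumptions made for this example, not the sandbox's logic.
"""
import re
from pathlib import PureWindowsPath

SAMPLE_ROWS = r"""
PID 3236 wrote to memory of 3384 N/A N/A C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3236 wrote to memory of 3384 N/A N/A C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 3384 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\5956.exe C:\Users\Admin\AppData\Local\Temp\5956.exe
PID 5100 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\5F63.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4744 wrote to memory of 4952 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3236 wrote to memory of 4376 N/A N/A C:\Windows\SysWOW64\explorer.exe
PID 4536 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
"""

# Signed Windows binaries that commodity loaders routinely hollow or inject
# into (assumption: a curated starting list, extend it for your environment).
INJECTION_HOSTS = {
    "applaunch.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
    "msbuild.exe", "vbc.exe", "explorer.exe", "svchost.exe", "regsvr32.exe",
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+(.*)$")


def image_name(path):
    """Lower-cased file name of a Windows path, or None for the sandbox's 'N/A'."""
    return None if path == "N/A" else PureWindowsPath(path).name.lower()


def is_system_image(path):
    """True when the image lives under C:\\Windows (treated as a trusted parent)."""
    return path != "N/A" and path.lower().startswith("c:\\windows\\")


def parse_rows(text):
    """Return de-duplicated edges (src_pid, dst_pid, src_image, dst_image)."""
    edges, seen = [], set()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header or unrelated line
        src_pid, dst_pid, rest = m.groups()
        # Remaining columns are Indicator, Process, Target; these paths have no spaces.
        _indicator, src_image, dst_image = rest.split(maxsplit=2)
        edge = (int(src_pid), int(dst_pid), src_image, dst_image)
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def suspicious_writes(edges):
    """Return [(edge, reason)] for writes that match an injection pattern."""
    findings = []
    for edge in edges:
        _src, _dst, src_image, dst_image = edge
        src_name, dst_name = image_name(src_image), image_name(dst_image)
        if is_system_image(src_image):
            continue  # e.g. 64-bit regsvr32 re-launching its WoW64 twin
        if src_name is not None and src_name == dst_name:
            findings.append((edge, "writes into a spawned copy of itself (hollowing pattern)"))
        elif dst_name in INJECTION_HOSTS:
            findings.append((edge, f"non-system parent writes into injection host {dst_name}"))
    return findings


if __name__ == "__main__":
    for (src, dst, src_img, dst_img), reason in suspicious_writes(parse_rows(SAMPLE_ROWS)):
        print(f"{src} -> {dst}  {src_img} -> {dst_img}: {reason}")
```

Two things the example deliberately leaves out. It drops the repeat count per edge, but in the real table eight writes from 5100 into 1308 against one or two for an ordinary child is itself a strong hollowing signal, so a production version should keep the count. And it treats regsvr32.exe re-launching its SysWOW64 copy as benign because the parent is a system image; that is the right call here (a 64-bit regsvr32 hands a 32-bit DLL to the 32-bit one), but the same shortcut would also hide an injection performed by an already-compromised system process.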

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29.exe

"C:\Users\Admin\AppData\Local\Temp\57fef45f7320d4fb2de317c75437049769963870662222ed9d9416567cb2db29.exe"

C:\Users\Admin\AppData\Local\Temp\5956.exe

C:\Users\Admin\AppData\Local\Temp\5956.exe

C:\Users\Admin\AppData\Local\Temp\5C74.exe

C:\Users\Admin\AppData\Local\Temp\5C74.exe

C:\Users\Admin\AppData\Local\Temp\5956.exe

C:\Users\Admin\AppData\Local\Temp\5956.exe

C:\Users\Admin\AppData\Local\Temp\5F63.exe

C:\Users\Admin\AppData\Local\Temp\5F63.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\658E.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\658E.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5100 -s 140

C:\Users\Admin\AppData\Local\Temp\7668.exe

C:\Users\Admin\AppData\Local\Temp\7668.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\3dc26436-174b-4832-82e6-59cd81eb5590" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\8107.exe

C:\Users\Admin\AppData\Local\Temp\8107.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\92CB.exe

C:\Users\Admin\AppData\Local\Temp\92CB.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Users\Admin\AppData\Local\Temp\5956.exe

"C:\Users\Admin\AppData\Local\Temp\5956.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\5956.exe

"C:\Users\Admin\AppData\Local\Temp\5956.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe

"C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe"

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe

"C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe"

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe

"C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe"

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe

"C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 6

C:\Users\Admin\AppData\Local\Temp\92CB.exe

"C:\Users\Admin\AppData\Local\Temp\92CB.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
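Read together, the command lines above show three families protecting their foothold in different ways: Amadey (yiueea.exe) registers a task that re-runs it every minute and then strips its own user's write access with CACLS, Djvu (5956.exe) denies Everyone the delete rights on its staging directory with icacls and lets build2.exe delete itself after a timeout, and Glupteba (csrss.exe) opens a firewall exception, registers a logon task with the highest run level, and rewrites the security descriptor of its "WinDefender" service. The script below is an added example rather than the sandbox's signature logic: it runs a small rule set over command lines copied from this process list and, for the sc sdset case, decodes the SDDL so the deny ACE is readable. The rule patterns, the two-letter right names as applied to service objects, and the SID shorthand table are this example's own.

```python
"""Triage sandbox command lines for persistence and defense-evasion patterns.

Constructed input: SAMPLE_CMDLINES are copied from the process list above.
The rule set, the service-right abbreviations and the SID shorthand table
are this example's own, not the sandbox's signature logic.
"""
import re

SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F',
    r'/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"',
    r'icacls "C:\Users\Admin\AppData\Local\3dc26436-174b-4832-82e6-59cd81eb5590" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r'CACLS "yiueea.exe" /P "Admin:N"',
    r'"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe" & exit',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'powershell -nologo -noprofile',
]

# (finding name, case-insensitive regex). The schtasks rules do not require the
# image name because the sandbox sometimes records arguments only (row 2).
RULES = [
    ("task_every_minute", r"/create\b.*?/sc\s+minute\s+/mo\s+1\b"),
    ("task_onlogon_highest", r"/create\b.*?/sc\s+onlogon\b.*?/rl\s+highest\b"),
    ("firewall_allow_dropped", r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?action=allow"),
    ("acl_deny_everyone_delete", r"icacls\s+.*?/deny\s+\*S-1-1-0:.*\bDE\b"),
    ("acl_strip_own_access", r'\bcacls\s+.*?/P\s+"?[^":]+:N\b'),
    ("delayed_self_delete", r"timeout\s+/t\s+\d+\s*&\s*del\s+/f\s+/q"),
    ("service_sd_rewrite", r"\bsc\s+sdset\s+\S+\s+D:\S+"),
]

SERVICE_RIGHTS = {  # SDDL two-letter rights as they apply to service objects
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
SID_ABBREV = {"SY": "SYSTEM", "BA": "Administrators", "IU": "INTERACTIVE",
              "SU": "SERVICE", "WD": "Everyone"}
ACE_RE = re.compile(r"\(([AD]);([^;]*);([A-Z]*);[^;]*;[^;]*;([^)]+)\)")


def service_rights(sddl):
    """Decode the DACL of a service SDDL into {principal: {'allow', 'deny'}}."""
    dacl = sddl.split("S:", 1)[0]  # ignore the SACL (audit) section
    out = {}
    for ace_type, _flags, rights, sid in ACE_RE.findall(dacl):
        who = SID_ABBREV.get(sid, sid)
        bucket = out.setdefault(who, {"allow": set(), "deny": set()})
        names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                 for i in range(0, len(rights), 2)}
        bucket["allow" if ace_type == "A" else "deny"].update(names)
    return out


def effective_rights(sddl, principal):
    """Allowed minus denied. Simplification: ACE order is ignored; since no
    allow ACE grants STOP/PAUSE to Administrators here, the result is the same."""
    r = service_rights(sddl).get(principal, {"allow": set(), "deny": set()})
    return r["allow"] - r["deny"]


def triage(cmdlines):
    """Return [(finding, cmdline)]; sc sdset hits also list decoded deny ACEs."""
    hits = []
    for cmd in cmdlines:
        for name, pattern in RULES:
            if not re.search(pattern, cmd, re.IGNORECASE):
                continue
            hits.append((name, cmd))
            if name == "service_sd_rewrite":
                sddl = re.search(r"\bsc\s+sdset\s+\S+\s+(D:\S+)", cmd, re.I).group(1)
                for who, r in service_rights(sddl).items():
                    if r["deny"]:
                        hits.append((f"denies {sorted(r['deny'])} to {who}", cmd))
    return hits


if __name__ == "__main__":
    for finding, cmd in triage(SAMPLE_CMDLINES):
        print(f"{finding:45} {cmd[:60]}")
```

The decoded descriptor explains what the sc sdset line is for: the Administrators allow ACE has had WP and DT removed (compare it with the SYSTEM ACE, which still carries both), and the extra (D;;WPDT;;;BA) ACE denies SERVICE_STOP and SERVICE_PAUSE_CONTINUE outright, so "sc stop WinDefender" or "net stop" fails for an administrator. It is not a real lock, though: the same ACE still grants WRITE_DAC and CHANGE_CONFIG, so an administrator can put a normal descriptor back with sc sdset and then stop the service, and SYSTEM keeps STOP, so a SYSTEM shell (psexec -s, for instance) can stop it directly. The CACLS pair for yiueea.exe works the same way: "Admin:N" followed by "Admin:R /E" leaves the user with read-only access to the payload and its directory, which stops casual deletion but nothing an administrator does with takeown and icacls.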

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 sumagulituyo.org udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 35.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
FR 146.59.161.13:39199 tcp
US 8.8.8.8:53 13.161.59.146.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 105.134.101.95.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 31.41.244.27:41140 tcp
US 8.8.8.8:53 27.244.41.31.in-addr.arpa udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 zexeq.com udp
US 8.8.8.8:53 colisumy.com udp
MK 95.86.30.3:80 zexeq.com tcp
US 8.8.8.8:53 3.30.86.95.in-addr.arpa udp
PE 190.187.52.42:80 colisumy.com tcp
US 8.8.8.8:53 42.52.187.190.in-addr.arpa udp
MK 95.86.30.3:80 zexeq.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 24.249.124.192.in-addr.arpa udp
DE 94.130.189.55:7070 94.130.189.55 tcp
US 8.8.8.8:53 55.189.130.94.in-addr.arpa udp
US 8.8.8.8:53 wirtshauspost.at udp
MK 95.86.30.3:80 wirtshauspost.at tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 eb44da1d-9219-4f2f-b3a1-958e507d5c2c.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 server7.thestatsfiles.ru udp
US 8.8.8.8:53 stun.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 74.125.128.127:19302 stun.l.google.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.96:443 server7.thestatsfiles.ru tcp
US 8.8.8.8:53 127.128.125.74.in-addr.arpa udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.0:443 walkinglate.com tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
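Most of this table is noise from the analyst's point of view: every 8.8.8.8:53 row is the sandbox's resolver, and the in-addr.arpa rows are reverse (PTR) lookups of each address that was contacted, which carry no indicator value. What remains splits into hostnames the sample resolved and then connected to, and connections made straight to an address with no DNS at all (79.137.192.18:80, 146.59.161.13:39199, 31.41.244.27:41140, 94.130.189.55:7070), the latter typically hard-coded C2 addresses or fallback channels, and all but one of them on a non-standard port. The script below is an added example, not the sandbox's own output: it parses rows in the table's format, discards the resolver and PTR noise, and groups the rest into resolved domains, direct-to-IP endpoints, non-standard ports, and addresses that serve more than one name. The sample rows are a subset copied from the table; the resolver address and the notion of "standard port" are this example's assumptions.

```python
"""Turn the sandbox's connection table into a short, categorised IOC list.

Constructed input: SAMPLE_ROWS are a subset copied from the Network table.
RESOLVER and STANDARD_PORTS are this example's assumptions.
"""
import re
from collections import defaultdict

SAMPLE_ROWS = """
US 8.8.8.8:53 onualituyrs.org udp
RU 91.215.85.209:80 onualituyrs.org tcp
RU 91.215.85.209:443 onualituyrs.org tcp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
RU 79.137.192.18:80 79.137.192.18 tcp
FR 146.59.161.13:39199 tcp
DE 94.130.189.55:7070 94.130.189.55 tcp
US 8.8.8.8:53 stun.l.google.com udp
US 74.125.128.127:19302 stun.l.google.com udp
MK 95.86.30.3:80 zexeq.com tcp
MK 95.86.30.3:80 wirtshauspost.at tcp
"""

RESOLVER = "8.8.8.8"        # the sandbox's DNS forwarder (assumption)
STANDARD_PORTS = {80, 443}  # anything else deserves a second look (assumption)

# Rows are: country, ip:port, optional hostname (absent or equal to the ip
# when the connection was made without DNS), protocol.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<name>\S+))?\s+(?P<proto>tcp|udp)$"
)


def parse_rows(text):
    """Parse the table into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def extract_iocs(rows):
    """Split rows into resolver noise, resolved domains and direct-to-IP traffic."""
    domains, direct_ip, odd_ports = set(), set(), set()
    domain_to_ips, ip_to_domains = defaultdict(set), defaultdict(set)
    ptr_lookups = 0
    for r in rows:
        ip, port, name, proto = r["ip"], r["port"], r["name"], r["proto"]
        if ip == RESOLVER and port == 53:
            if name and name.endswith(".in-addr.arpa"):
                ptr_lookups += 1       # reverse lookups: noise, not an indicator
            elif name:
                domains.add(name)      # a forward lookup the sample asked for
            continue
        endpoint = f"{ip}:{port}"
        if name is None or name == ip:
            direct_ip.add(endpoint)    # no hostname involved: hard-coded address
        else:
            domain_to_ips[name].add(ip)
            ip_to_domains[ip].add(name)
        if port not in STANDARD_PORTS:
            odd_ports.add(endpoint)
    return {
        "domains": domains,
        "domain_to_ips": dict(domain_to_ips),
        "shared_ips": {ip: names for ip, names in ip_to_domains.items() if len(names) > 1},
        "direct_ip": direct_ip,
        "odd_ports": odd_ports,
        "ptr_lookups": ptr_lookups,
    }


if __name__ == "__main__":
    iocs = extract_iocs(parse_rows(SAMPLE_ROWS))
    for key in ("domains", "direct_ip", "odd_ports", "shared_ips"):
        print(f"{key}: {iocs[key]}")
    print(f"ptr lookups dropped: {iocs['ptr_lookups']}")
```

Two caveats before any of this goes into a blocklist. Not every resolved name is attacker infrastructure: api.2ip.ua, stun.l.google.com, t.me and cdn.discordapp.com are legitimate services the families here use for geolocation, external-address discovery, configuration retrieval and payload hosting, so they belong in a detection rule keyed on the process that contacted them rather than in a network block. And "shared_ips" needs an analyst's eye: 95.86.30.3 serving both zexeq.com and wirtshauspost.at on plain HTTP is a useful pivot, but the 443 endpoints in the 188.114.x, 172.67.x and 104.21.x ranges appear to be CDN-fronted, where many unrelated sites share one address.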

Files

memory/2624-1-0x00000000007D0000-0x00000000008D0000-memory.dmp

memory/2624-2-0x0000000000400000-0x00000000007CB000-memory.dmp

memory/2624-3-0x00000000023B0000-0x00000000023BB000-memory.dmp

memory/3236-4-0x00000000010E0000-0x00000000010F6000-memory.dmp

memory/2624-5-0x0000000000400000-0x00000000007CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5956.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\5956.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\Local\Temp\5C74.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

C:\Users\Admin\AppData\Local\Temp\5C74.exe

MD5 77f6f0504e40c95483da601ee1de4a4e
SHA1 628094e713d9f970b63091f6dec44f8feb6e26b2
SHA256 ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111
SHA512 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63

memory/2156-22-0x00000000011B0000-0x0000000001958000-memory.dmp

memory/2156-23-0x00000000754F0000-0x00000000756B2000-memory.dmp

memory/2156-24-0x00000000754F0000-0x00000000756B2000-memory.dmp

memory/2156-25-0x00000000754F0000-0x00000000756B2000-memory.dmp

memory/2156-27-0x0000000075380000-0x0000000075450000-memory.dmp

memory/2156-31-0x0000000075380000-0x0000000075450000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F63.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

C:\Users\Admin\AppData\Local\Temp\5956.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/3228-37-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3228-40-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2156-41-0x0000000077E54000-0x0000000077E55000-memory.dmp

memory/3228-42-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3384-39-0x0000000000A50000-0x0000000000AE3000-memory.dmp

memory/3228-33-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2156-35-0x0000000075380000-0x0000000075450000-memory.dmp

memory/2156-29-0x00000000754F0000-0x00000000756B2000-memory.dmp

memory/3384-28-0x00000000025F0000-0x000000000270B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5F63.exe

MD5 23aca9b594e0ec61e744a486c34ed0ef
SHA1 44d7b53c310732634fbf48c2f313505cdb62c6a8
SHA256 59f7cff19dc1dbd16f7cf67fec46beab356e111b64c0d968d5bcd35dee1f6f61
SHA512 dbd56536231acfe82af1ae7fabf1f25419c9f62c8e5191d6f48d5c3a1c22161fc05aa1bbc2bc0c9b9d58574109a8f7db4d6a927915d9d8cdcc7f0f3b3c58ba33

memory/2156-46-0x00000000738D0000-0x0000000073FBE000-memory.dmp

memory/2156-48-0x00000000011B0000-0x0000000001958000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\658E.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

\Users\Admin\AppData\Local\Temp\658E.dll

MD5 000150734fbb3b73b6844c79086d2d1b
SHA1 dc2e8d16b96ea4aed8c2c8576d78f31115411a96
SHA256 36de8117645d002eab69a4edd3013329899056e6681de76763063069dfb9075d
SHA512 540b4d96cf08acdba2a3c1339e8e33b9375274f505ac6ccc18a8c110152abe7f8c1e17685ddc4150e0865321bab1d654453e21fe83f8d1990eb4e10cbc32679c

memory/2156-51-0x0000000006110000-0x000000000660E000-memory.dmp

memory/1308-54-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4952-58-0x0000000010000000-0x00000000101E4000-memory.dmp

memory/2156-56-0x0000000005CB0000-0x0000000005D42000-memory.dmp

memory/2156-60-0x0000000005E50000-0x0000000005EEC000-memory.dmp

memory/4952-59-0x00000000006F0000-0x00000000006F6000-memory.dmp

memory/1308-63-0x00000000738D0000-0x0000000073FBE000-memory.dmp

memory/2156-64-0x0000000003A40000-0x0000000003A4A000-memory.dmp

memory/1308-65-0x000000000B8B0000-0x000000000B8C0000-memory.dmp

memory/2156-66-0x00000000011B0000-0x0000000001958000-memory.dmp

memory/4952-67-0x0000000000DE0000-0x0000000000EE8000-memory.dmp

memory/4952-68-0x0000000000EF0000-0x0000000000FE0000-memory.dmp

memory/4952-69-0x0000000000EF0000-0x0000000000FE0000-memory.dmp

memory/4952-71-0x0000000000EF0000-0x0000000000FE0000-memory.dmp

memory/2156-72-0x00000000754F0000-0x00000000756B2000-memory.dmp

memory/2156-73-0x0000000075380000-0x0000000075450000-memory.dmp

memory/4952-78-0x0000000000EF0000-0x0000000000FE0000-memory.dmp

memory/2156-82-0x0000000075380000-0x0000000075450000-memory.dmp

memory/2156-83-0x0000000075380000-0x0000000075450000-memory.dmp

memory/3384-84-0x0000000000A50000-0x0000000000AE3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7668.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\7668.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3228-93-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8107.exe

MD5 2cf98433eb751eb02ebf851faf7630ef
SHA1 e0e16960d19e59a8329fd686dd6d9c4f2f1861cb
SHA256 38fb00ef64875acd1b3104369de852baf1c1c357066303e50a4d818379b1232f
SHA512 702467fafe86d28eb08059f49bd9f57f80fe4d5ca513b83039758fcfe118723c10db1d61caf8d7d54f7f243674f8aa3db0716f29219ac87d83fd1343a2c3de8b

C:\Users\Admin\AppData\Local\Temp\8107.exe

MD5 2cf98433eb751eb02ebf851faf7630ef
SHA1 e0e16960d19e59a8329fd686dd6d9c4f2f1861cb
SHA256 38fb00ef64875acd1b3104369de852baf1c1c357066303e50a4d818379b1232f
SHA512 702467fafe86d28eb08059f49bd9f57f80fe4d5ca513b83039758fcfe118723c10db1d61caf8d7d54f7f243674f8aa3db0716f29219ac87d83fd1343a2c3de8b

memory/1308-97-0x000000000C620000-0x000000000CC26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1308-100-0x000000000C010000-0x000000000C11A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\92CB.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Local\Temp\92CB.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

memory/2156-108-0x0000000005FB0000-0x0000000005FCC000-memory.dmp

memory/2156-112-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/1308-113-0x000000000B9F0000-0x000000000BA3B000-memory.dmp

memory/2156-114-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/1308-106-0x000000000B9B0000-0x000000000B9EE000-memory.dmp

memory/2156-105-0x00000000738D0000-0x0000000073FBE000-memory.dmp

memory/1308-103-0x000000000B950000-0x000000000B962000-memory.dmp

memory/2156-117-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/2156-119-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/4376-121-0x0000000002B50000-0x0000000002BC5000-memory.dmp

memory/4376-123-0x0000000002AE0000-0x0000000002B4B000-memory.dmp

memory/1308-125-0x00000000738D0000-0x0000000073FBE000-memory.dmp

memory/2156-127-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/4376-126-0x0000000002AE0000-0x0000000002B4B000-memory.dmp

memory/2156-131-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/1308-132-0x000000000B8B0000-0x000000000B8C0000-memory.dmp

memory/2156-122-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/4152-134-0x0000000004D50000-0x0000000005155000-memory.dmp

memory/2884-138-0x00000000012B0000-0x00000000012BC000-memory.dmp

memory/2156-137-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/2156-143-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/4152-144-0x0000000005160000-0x0000000005A4B000-memory.dmp

memory/2884-155-0x00000000012B0000-0x00000000012BC000-memory.dmp

memory/2884-159-0x0000000005160000-0x0000000005A4B000-memory.dmp

memory/2156-154-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/2156-161-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/2156-163-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

memory/2156-165-0x0000000005FB0000-0x0000000005FC5000-memory.dmp

C:\Users\Admin\AppData\Local\3dc26436-174b-4832-82e6-59cd81eb5590\5956.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/4152-167-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4480-168-0x0000000000910000-0x000000000091B000-memory.dmp

memory/4480-169-0x0000000000400000-0x00000000007CB000-memory.dmp

memory/4480-170-0x00000000009A0000-0x0000000000AA0000-memory.dmp

memory/3272-171-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3272-175-0x00000000738D0000-0x0000000073FBE000-memory.dmp

memory/2156-177-0x0000000006040000-0x0000000006050000-memory.dmp

memory/4376-176-0x0000000002AE0000-0x0000000002B4B000-memory.dmp

memory/3272-180-0x000000000BEC0000-0x000000000BED0000-memory.dmp

memory/2156-181-0x0000000075380000-0x0000000075450000-memory.dmp

memory/2156-182-0x00000000754F0000-0x00000000756B2000-memory.dmp

memory/2156-183-0x00000000011B0000-0x0000000001958000-memory.dmp

memory/2156-184-0x00000000738D0000-0x0000000073FBE000-memory.dmp

memory/3228-189-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5956.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

memory/3236-192-0x0000000002EF0000-0x0000000002F06000-memory.dmp

memory/4480-193-0x0000000000400000-0x00000000007CB000-memory.dmp

memory/3272-196-0x000000000C740000-0x000000000C7A6000-memory.dmp

memory/4440-203-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4152-204-0x0000000004D50000-0x0000000005155000-memory.dmp

memory/4440-205-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2532-201-0x0000000000990000-0x0000000000A24000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5956.exe

MD5 35cff29d9d8a4004b5cd02443932456e
SHA1 cc644ff8c456c53ac62c503f1219df92d70591b9
SHA256 7b78e9b3691da69866379f345c90a50e8150ecffb5cb9603a2f52fccf934884c
SHA512 0e2a4fe2b5da8c70b3a4f9e0e7195f1719a3dfe54d812115056237921d9bbe36fcbfe7e46e44f55dac0a5d0875c2ccc1d639918328bd2dcd6084f1a8f2e08d06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 370e6710fdca5fc4af41c4bfbc5c52dc
SHA1 6ddf83b64b0dbbeb57d0ae7dde8d11480b468472
SHA256 c69a501d4ee9db2bf391e936331c0933c82e7cae4e07d321ee3304e864d311b0
SHA512 79bcab0747da99ce01d521cd09d47592d1e2f907c2e1571d8486e0333f556dfe624f6832627d4903a32f28d55425ab5e32c66db60434e161b8ced699f24c0f14

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 246f80d949cf1501a4fed042cee5eaec
SHA1 d8bdf961bd8bac3751f4adf44cfe1d2868f62433
SHA256 a5201f640b532758a362730f2cf3f4149490c533e9735d354fd668e681a4eb1c
SHA512 f2c9a7dbe9c9dc039a6f9c468ec36d85cb26ad725744a0731d32916a67f8ae67f77306cefacfd249b6b692e45d68620da5c708c5b85b42eb43a33357d182020c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 62bd2b45c0af4c02ce49d59aca93f5bd
SHA1 2ebe69bcfae3f70313230611bbaad550630e2439
SHA256 b28cbdb19d8a7749e0faa76e1ea67e839594e85511e8fde5668b7882418c8b36
SHA512 be6b18953de0e6918eccdef422e0ac0da940a272762d0bf74adffb78bfaf3c9b9e095fbca979e08403aa29fa8c6fc20faa403d69a1c7764bfbf11644c3e3e496

memory/4440-210-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4152-211-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4152-212-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/2884-213-0x0000000005160000-0x0000000005A4B000-memory.dmp

memory/4440-217-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4440-218-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4440-229-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4440-232-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4440-235-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h42g32hp.ohh.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/4440-318-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

memory/4440-411-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

memory/4152-420-0x0000000000400000-0x0000000002FB8000-memory.dmp

memory/4568-425-0x0000000000400000-0x0000000000465000-memory.dmp

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build2.exe

MD5 8012f0388cdda7870e63a5723ff24e9b
SHA1 08ed4dc8ded91f4aa23324b7eac56a22a883005d
SHA256 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551
SHA512 f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 fdda262fd864570c443577cf5c351ab7
SHA1 f05ac15b1741dcf4f0337615a2908fa851ff2176
SHA256 22b428b8cc1171aebc27035d22151d8275db339da0729ba427e7ecca652929d8
SHA512 bc5dd99ee71ba9ca2a098cb4352f9b47a0bcb0842f918e6fa4c46b641fb1face8a507c88a90d536ebeb293fb1b2f3c1f4caa999cf4e1ac49cf5a7b97ada59117

C:\Users\Admin\AppData\Local\Temp\92CB.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Users\Admin\AppData\Roaming\gtivvfj

MD5 2cf98433eb751eb02ebf851faf7630ef
SHA1 e0e16960d19e59a8329fd686dd6d9c4f2f1861cb
SHA256 38fb00ef64875acd1b3104369de852baf1c1c357066303e50a4d818379b1232f
SHA512 702467fafe86d28eb08059f49bd9f57f80fe4d5ca513b83039758fcfe118723c10db1d61caf8d7d54f7f243674f8aa3db0716f29219ac87d83fd1343a2c3de8b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 175cb38063d188307fa3b8ba9c8fbbd7
SHA1 f7ff6cff529625d14c3528327772fbaead63e256
SHA256 f27057b90f2cd29aa2aaa0df953caf2fcf2329e9667894372c7316f432e75e30
SHA512 40b29649b4e63dcb0a27a07d6380008384dfdf019fe5da97fb053376f7a5125b3834a1ab516ab282f2f8a5630126685153c90bd11dfb5b5927e7320aaccd458e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 8320860e19c562db9e5115c563be8f76
SHA1 548f7c02488277ca7fb2c6a6d15cf196f203bcdb
SHA256 b7191ed391f7ca1785e9eabb56f3860f03d591be125baffeef5232b3504385da
SHA512 409307328a48de0d20dc284cffeeadd28655f846ad15125d2cce2d1f0886c46219f74a84398918cb70a1a50c2fd8a2368a040f4c5c60a1214b03a74eaac9b931

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\rss\csrss.exe

MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e0d8ed4029c7c061dd81ca73408d73be
SHA1 951ea91fa51efb502e2e4cd4e9494c77832ce77c
SHA256 25e26e7adf4b088761c0a3379987ca6378965659afa488c283813edbd5ec4123
SHA512 8d4bdc432389a989e306fe14d1d2b39cac1e800cf18c13a52850496a9b850c3469909d89552c24e99f5d617a62a55f970a9cacad9ad3c706a553e028d16b13d6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d0bc3013869643dca6ab7d98812ac93
SHA1 08fea2d9f7483e8e6fb123e7b88a102ebf29b48c
SHA256 2339b79ecfe89231d2edb9d6e3dfb421a4463e5f224ea894449654ed32ec42d6
SHA512 64f84cdb6eef5de486f070f85fc5280e6c0e25718ab7b26366bf88c6a91ac5d3852e03b333376beb39e4290019a6bb48a0d954bb84bfd3ba436fab63f8a8b592

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5c88d663a79e1b643e4e6538d47b6bdf
SHA1 11584400072c082800a933403256fc49e408cad7
SHA256 def5c7f902d50757ab736cb7f2bee561a5580460977db6d1871bda5021689c20
SHA512 17698b9236e86870b87722e46542c6faf8b1b3c7fd36313908fc735048cd1591f494c27c1beb7e809b74b4c1e84653dec8e37e9c57840b9c4641a560aa711751

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
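The listing above records the same bytes under more than one path (build3.exe reappears as mstsca.exe, 92CB.exe as C:\Windows\rss\csrss.exe) and repeats some entries because the file was written several times. As an added example, not part of this report or of the sandbox that produced it, the Python below parses blocks of this path + MD5/SHA1/SHA256/SHA512 form, collapses repeated writes, groups distinct paths by SHA256 so relocated payloads stand out, and flags the __PSScriptPolicyTest_*.ps1 entry, whose hashes are those of the single character "1" that PowerShell writes into that script-policy probe. The embedded excerpt is constructed from the report's own entries; the probe label string is an assumption.

```python
"""Correlate dropped-file hashes from a sandbox 'Files' listing.
Added example, not part of the original report."""
import hashlib
import re
from collections import defaultdict

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Tool-generated contents that are noise, not payload. PowerShell writes the
# single byte "1" into its __PSScriptPolicyTest_*.ps1 probe (label assumed).
KNOWN_CONTENT = {hashlib.sha256(b"1").hexdigest(): "PowerShell script-policy probe"}

# Excerpt constructed from the report's own entries above; memory/ lines are
# dump regions, not files, and the parser skips them.
LISTING = r"""
memory/4440-411-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h42g32hp.ohh.ps1
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
C:\Users\Admin\AppData\Local\49cc86a2-0bdd-411b-9f71-46f939b24328\build3.exe
MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319
C:\Users\Admin\AppData\Local\Temp\92CB.exe
MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
C:\Windows\rss\csrss.exe
MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
C:\Windows\rss\csrss.exe
MD5 f0118fdfcadf8262c58b3638c0edc6a9
SHA1 a10b96bfc56711c9d605a0b61cca01b4ba6b6658
SHA256 8e380777da39ad7a588f4d9b703adc18b4ba935c21b17f215a3da5792672f205
SHA512 99ac5c4de20e47e8c355e9852061cb1ef25a44a5ef20cc0dd6187d13676a1cd7dd8a44cffa9462715bff3c7c7268814afe9fffb9b664f3e2cef3595a6b148837
"""


def parse_listing(text):
    """One dict per path + hash block; hash lines under a memory/ dump are ignored."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is not None and len(digest) == HEX_LEN[algo]:
                current[algo] = digest
            continue
        if line.startswith("memory/"):
            current = None  # dump region, not a dropped file
            continue
        current = {"path": line}
        entries.append(current)
    return [e for e in entries if "SHA256" in e]


def dedupe(entries):
    """Collapse repeated writes of the same path with the same content."""
    seen, out = set(), []
    for e in entries:
        key = (e["path"], e["SHA256"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def relocated_payloads(entries):
    """SHA256 -> sorted paths for payloads written to more than one location."""
    groups = defaultdict(set)
    for e in entries:
        groups[e["SHA256"]].add(e["path"])
    return {h: sorted(p) for h, p in groups.items() if len(p) > 1}


def known_content_matches(entries):
    """Path -> label for files whose content is a known benign artifact."""
    return {e["path"]: KNOWN_CONTENT[e["SHA256"]]
            for e in entries if e["SHA256"] in KNOWN_CONTENT}


if __name__ == "__main__":
    files = dedupe(parse_listing(LISTING))
    for sha, paths in relocated_payloads(files).items():
        print(sha, "->", paths)
    print(known_content_matches(files))
```

Run as-is it reports two relocations (build3.exe to Roaming\Microsoft\Network\mstsca.exe, 92CB.exe to C:\Windows\rss\csrss.exe) and one benign probe file. A shared hash proves only that the bytes are identical, not which family wrote them, and a file that appears under a single path in this listing may still have been copied somewhere the sandbox did not record.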