Analysis Overview
SHA256
c5d36d14ec04f6a568172a2a91959b17dc768c41dc6bc9486d975d41056ac7b0
Threat Level: Known bad
The file Archive.7z was found to be: Known bad.
Malicious Activity Summary
DcRat
Amadey
Djvu Ransomware
RedLine
Detected Djvu ransomware
RedLine payload
PrivateLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
SmokeLoader
Modifies Windows Defender Real-time Protection settings
RisePro
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Renames multiple (169) files with added filename extension
Finds standalone samples of Amadey based on characteristic strings
Stops running service(s)
Downloads MZ/PE file
VMProtect packed file
Loads dropped DLL
Drops startup file
Reads user/profile data of web browsers
Windows security modification
.NET Reactor protector
Executes dropped EXE
Reads user/profile data of local email clients
Themida packer
Checks BIOS information in registry
Modifies file permissions
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Drops Chrome extension
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: CmdExeWriteProcessMemorySpam
outlook_office_path
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious behavior: LoadsDriver
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: MapViewOfSection
outlook_win_path
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Uses Task Scheduler COM API
Modifies Internet Explorer settings
Suspicious use of UnmapMainImage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-17 06:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-17 06:58
Reported
2023-10-17 07:28
Platform
win7-20230831-en
Max time kernel
887s
Max time network
1060s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" | C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a32e694-ce15-4166-b5d5-39601b8b4741\\_Axw7GGd2Fy7GTHeEDtFtPCq.exe\" --AutoStart" | C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe | N/A |
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1056 created 1280 | N/A | C:\Users\Admin\Pictures\Minor Policy\05i4TLYHZEFYjn7jxbwobpPC.exe | C:\Windows\Explorer.EXE |
| PID 1056 created 1280 | N/A | C:\Users\Admin\Pictures\Minor Policy\05i4TLYHZEFYjn7jxbwobpPC.exe | C:\Windows\Explorer.EXE |
| PID 1056 created 1280 | N/A | C:\Users\Admin\Pictures\Minor Policy\05i4TLYHZEFYjn7jxbwobpPC.exe | C:\Windows\Explorer.EXE |
Finds standalone samples of Amadey based on characteristic strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk | C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" | C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\6a32e694-ce15-4166-b5d5-39601b8b4741\\_Axw7GGd2Fy7GTHeEDtFtPCq.exe\" --AutoStart" | C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe | N/A |
Checks installed software on the system
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgmhkjfpialldbnnihoodfehhlmpplgf\1.5.6_0\manifest.json | C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api64.ipify.org | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{64E60BC1-6CBE-11EE-AF5C-C6D3BD361474} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{652FBEF1-6CBE-11EE-AF5C-C6D3BD361474} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{654801E1-6CBE-11EE-AF5C-C6D3BD361474} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) | C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\785B0CD2BDDEE7CBA2C272AC3EC9DCBC8835C3C4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\785B0CD2BDDEE7CBA2C272AC3EC9DCBC8835C3C4 | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe
"C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe"
C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe
"C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe"
C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe
"C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe"
C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe
"C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe"
C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
"C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe"
C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe
"C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe"
C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe
"C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe"
C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe
"C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe"
C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe
"C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe"
C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe
"C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe"
C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe
"C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe"
C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
"C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\6a32e694-ce15-4166-b5d5-39601b8b4741" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lv8023.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lv8023.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef64d9758,0x7fef64d9768,0x7fef64d9778
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gh68ms.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gh68ms.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nE240CO.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nE240CO.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 268
C:\Users\Admin\Pictures\Minor Policy\J09p8V_CfJYAsxckvyLwXWHH.exe
"C:\Users\Admin\Pictures\Minor Policy\J09p8V_CfJYAsxckvyLwXWHH.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Cy9OS5.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Cy9OS5.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Vw8Dv1.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Vw8Dv1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2752 -s 268
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778
C:\Users\Admin\Pictures\Minor Policy\05i4TLYHZEFYjn7jxbwobpPC.exe
"C:\Users\Admin\Pictures\Minor Policy\05i4TLYHZEFYjn7jxbwobpPC.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef71e9758,0x7fef71e9768,0x7fef71e9778
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
"C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe"
C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
"C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BAA8.tmp\C469.tmp\C46A.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Vw8Dv1.exe"
C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
"C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/login
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:N"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
C:\Windows\SysWOW64\cacls.exe
CACLS "..\207aa4515d" /P "Admin:R" /E
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1940 CREDAT:340993 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2396 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1564 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1344 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1216 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=1304,i,3376028010438598253,6082975748191350444,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1304,i,3376028010438598253,6082975748191350444,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1392 --field-trial-handle=1324,i,6085867165921108108,2268449169252094913,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1216 --field-trial-handle=1324,i,6085867165921108108,2268449169252094913,131072 /prefetch:2
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2164 --field-trial-handle=1544,i,6952577532179320664,14724362541559117473,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x12c,0x130,0x134,0x100,0x138,0x7fef64d9758,0x7fef64d9768,0x7fef64d9778
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe
"C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe"
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1112 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2180 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:1
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kfbfjf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Users\Admin\AppData\Local\Temp\C8F.exe
C:\Users\Admin\AppData\Local\Temp\C8F.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2192 --field-trial-handle=1276,i,12268181623787709422,12722034785618796058,131072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\9C7F.exe
C:\Users\Admin\AppData\Local\Temp\9C7F.exe
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\AF83.bat" "
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LZ2mp1sb.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LZ2mp1sb.exe
C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\BEFF.exe
C:\Users\Admin\AppData\Local\Temp\BEFF.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\12D.exe
C:\Users\Admin\AppData\Local\Temp\12D.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vb8xx3DB.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Vb8xx3DB.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 196
Network
| Country | Destination | Domain | Proto |
| US | 208.67.104.60:80 | 208.67.104.60 | tcp |
| NL | 94.142.138.113:80 | 94.142.138.113 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 94.142.138.113:80 | 94.142.138.113 | tcp |
| US | 8.8.8.8:53 | vk.com | udp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| NL | 94.142.138.113:80 | 94.142.138.113 | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | jackantonio.top | udp |
| BG | 171.22.28.226:80 | 171.22.28.226 | tcp |
| NL | 185.225.74.144:80 | 185.225.74.144 | tcp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| NL | 194.169.175.232:80 | 194.169.175.232 | tcp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| DE | 45.132.1.20:80 | jackantonio.top | tcp |
| DE | 45.132.1.20:80 | jackantonio.top | tcp |
| NL | 185.225.74.144:80 | 185.225.74.144 | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun9-17.userapi.com | udp |
| RU | 93.186.227.128:443 | sun9-17.userapi.com | tcp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun9-66.userapi.com | udp |
| RU | 87.240.185.165:443 | sun9-66.userapi.com | tcp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun9-77.userapi.com | udp |
| RU | 87.240.169.0:443 | sun9-77.userapi.com | tcp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun9-10.userapi.com | udp |
| RU | 87.240.185.137:443 | sun9-10.userapi.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| US | 8.8.8.8:53 | sun9-1.userapi.com | udp |
| RU | 87.240.185.128:443 | sun9-1.userapi.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| US | 8.8.8.8:53 | sun9-48.userapi.com | udp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| RU | 87.240.185.151:443 | sun9-48.userapi.com | tcp |
| RU | 87.240.132.72:80 | vk.com | tcp |
| RU | 87.240.132.72:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-23.userapi.com | udp |
| RU | 95.142.206.3:443 | sun6-23.userapi.com | tcp |
| NL | 45.15.156.229:80 | 45.15.156.229 | tcp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| NL | 94.142.138.113:80 | 94.142.138.113 | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| DE | 148.251.234.93:443 | iplis.ru | tcp |
| DE | 148.251.234.93:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| NL | 194.169.175.128:50505 | | tcp |
| BG | 193.42.32.118:80 | 193.42.32.118 | tcp |
| NL | 194.169.175.128:50500 | | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| NL | 45.15.156.229:80 | 45.15.156.229 | tcp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | vk.com | udp |
Files
memory/1468-0-0x000000013FB70000-0x000000014020B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab3610.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\Local\Temp\Tar37E7.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe
| MD5 | 5aa38295da76c7810a946e570d8fe083 |
| SHA1 | e308b69c06c2655f8aa1f550dfaef9388163963a |
| SHA256 | 78e6096326c837b23be4519087c4f920a0e5c0b3dca3a407e926a8d3940bde2f |
| SHA512 | e4b610bb3c5e6ed7a93323e9e248f7de81dd4d7a61fe2896cc25e30924217f1d9519409c76118a47acb99ad46d1c2ed3893164dd3e883402b1ee725abcd6f8ab |
C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe
| MD5 | f1fb98c3d7d9b773b9f4733cedca1cd7 |
| SHA1 | 41cdbb3409d661bc1ae9a922a525e0012c551d5d |
| SHA256 | 525b46b9c510675b05a76d96af37c5f3ad182fce29df1115a3d480afceb871bc |
| SHA512 | 6f7255f5de9936c0413b0b1c9c21d6b9326a2473f29f9950815206b92d892db7ba305c1ad87abf9b579a75bc1d9b09c77f566d5996b51bfa60557ab36c488268 |
C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe
| MD5 | d852aed84489b36f5d6b0f6a075cafd6 |
| SHA1 | 73a175bbf684f85881b6d27d3551d0d6e734d6df |
| SHA256 | 9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274 |
| SHA512 | dea771a5502bee275531da3634775433eff6fefdce2c4ddceb8762b95efc6718edcc714eac705481109acd8c6ef9c139b3ad7e91e6723d38203b0d9995746ad4 |
C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe
| MD5 | b9a096baebdf8e44368e9724da8e56dd |
| SHA1 | f9873fa92ae8b75e23e353f43ae1ba9087edebfc |
| SHA256 | 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef |
| SHA512 | f17ee70d827fba12de17062add350df0803009e5b930a0f0a7891e6bf64f0df8f443355ec72ae332aed3b37d24f40c78e0a559040e45994e02e3a5ad71624b08 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E1993F15A3402D743FF8169CEB684DD3
| MD5 | d056c7ed1f4352765c2a64d94735590d |
| SHA1 | 583d42c202d4a1f7993ba1cf637c5350978dfa91 |
| SHA256 | bcb2e1ce694f498fb6ec7cd4ca7c258faaf0be566fffbc78b8eaebdfb06a5486 |
| SHA512 | 3475af7c4fe3ef6ac3c442354c9381cfa36734c563172c5a2f2aeefc5830dabcab02518e41cb4cd135425b9daa0206f012f49a7f75568eb040d2331fd02e4499 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E1993F15A3402D743FF8169CEB684DD3
| MD5 | 2d459b176b30094a41471f48dfc007a1 |
| SHA1 | 3c6614225ddcc5a331e8439c05af40d610a05d3b |
| SHA256 | 5ba424599a34daee94c313b9d5490249543e068b76d5634688504e2a8cb729fe |
| SHA512 | c6655a4141638dc8fa0822af2502fab22d669f76ee59775c31bffc8be174a22a3ffb911651f7244191b417b14aa506069943b157b7398c43a2b6fd889e953f92 |
C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe
| MD5 | 3d683bae0039e46ad50bebf4681785a0 |
| SHA1 | e8662a8cf438ec8521d71dc8b431c1ba592bd881 |
| SHA256 | e69e93cc1b989513d5bb4660d326f2e9aea09f903781ef9bdcbbbe2c24dbcc58 |
| SHA512 | f85f57d9299f4dafc3b5101af37d6f4c57ae8db23fa1a6aa1b2df37ae655d157b16b4177b9f6e45d0497a14b56451d37e123e6225ca4ed44070183d182ad563e |
C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe
| MD5 | 5aa38295da76c7810a946e570d8fe083 |
| SHA1 | e308b69c06c2655f8aa1f550dfaef9388163963a |
| SHA256 | 78e6096326c837b23be4519087c4f920a0e5c0b3dca3a407e926a8d3940bde2f |
| SHA512 | e4b610bb3c5e6ed7a93323e9e248f7de81dd4d7a61fe2896cc25e30924217f1d9519409c76118a47acb99ad46d1c2ed3893164dd3e883402b1ee725abcd6f8ab |
C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe
| MD5 | d852aed84489b36f5d6b0f6a075cafd6 |
| SHA1 | 73a175bbf684f85881b6d27d3551d0d6e734d6df |
| SHA256 | 9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274 |
| SHA512 | dea771a5502bee275531da3634775433eff6fefdce2c4ddceb8762b95efc6718edcc714eac705481109acd8c6ef9c139b3ad7e91e6723d38203b0d9995746ad4 |
C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe
| MD5 | b9a096baebdf8e44368e9724da8e56dd |
| SHA1 | f9873fa92ae8b75e23e353f43ae1ba9087edebfc |
| SHA256 | 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef |
| SHA512 | f17ee70d827fba12de17062add350df0803009e5b930a0f0a7891e6bf64f0df8f443355ec72ae332aed3b37d24f40c78e0a559040e45994e02e3a5ad71624b08 |
C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe
| MD5 | f1fb98c3d7d9b773b9f4733cedca1cd7 |
| SHA1 | 41cdbb3409d661bc1ae9a922a525e0012c551d5d |
| SHA256 | 525b46b9c510675b05a76d96af37c5f3ad182fce29df1115a3d480afceb871bc |
| SHA512 | 6f7255f5de9936c0413b0b1c9c21d6b9326a2473f29f9950815206b92d892db7ba305c1ad87abf9b579a75bc1d9b09c77f566d5996b51bfa60557ab36c488268 |
C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe
| MD5 | 487d3214ced555a38e0b13dd37285ade |
| SHA1 | 656a5891bff67714d6583c2c2e484b0de721d09c |
| SHA256 | f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8 |
| SHA512 | 3a3ca5578861186b1773f1cf50e6d9ae9dbac0aafa17ad227f65b2593c5a408e50f46aea56d03bc8b85f4500b4228540a1ee0c80644b8f0c4305f0352a0e4163 |
C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe
| MD5 | df71a06b859776129a744f9dbfddc401 |
| SHA1 | a8823e2b086fc4c9e5b148ad6cd29f095da05337 |
| SHA256 | d2fb526d868cb4488157564ae891059160b4349d550a291398b3d48ae28b2681 |
| SHA512 | 76fe69a046f470ca013af39c92a40fff7d6b7a7ad236ea9466d87bbdeac3537d2f1a7544ee5eb1bf179506b780ba0c5fc05f45146befbab12bca1144f21362df |
memory/1492-209-0x0000000000400000-0x0000000000AFF000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe
| MD5 | eede39c7c0198e86a3b75d2b8af77201 |
| SHA1 | b4545ddfbf9a70674a3f28aafe7abf7b4828b9f1 |
| SHA256 | 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727 |
| SHA512 | 31698efaf32fca4bacbf7eef3c51b1db1350ea6768c498e859feea0dc610b3fdce8f5f1691279807088aa0a94eb61578bc6082840312dd17f8910ba7dd6f240d |
\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe
| MD5 | f1fb98c3d7d9b773b9f4733cedca1cd7 |
| SHA1 | 41cdbb3409d661bc1ae9a922a525e0012c551d5d |
| SHA256 | 525b46b9c510675b05a76d96af37c5f3ad182fce29df1115a3d480afceb871bc |
| SHA512 | 6f7255f5de9936c0413b0b1c9c21d6b9326a2473f29f9950815206b92d892db7ba305c1ad87abf9b579a75bc1d9b09c77f566d5996b51bfa60557ab36c488268 |
\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe
| MD5 | eede39c7c0198e86a3b75d2b8af77201 |
| SHA1 | b4545ddfbf9a70674a3f28aafe7abf7b4828b9f1 |
| SHA256 | 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727 |
| SHA512 | 31698efaf32fca4bacbf7eef3c51b1db1350ea6768c498e859feea0dc610b3fdce8f5f1691279807088aa0a94eb61578bc6082840312dd17f8910ba7dd6f240d |
C:\Users\Admin\Pictures\Minor Policy\r0AmxgPgCNAvJP2wBzVyrn8O.exe
| MD5 | f1fb98c3d7d9b773b9f4733cedca1cd7 |
| SHA1 | 41cdbb3409d661bc1ae9a922a525e0012c551d5d |
| SHA256 | 525b46b9c510675b05a76d96af37c5f3ad182fce29df1115a3d480afceb871bc |
| SHA512 | 6f7255f5de9936c0413b0b1c9c21d6b9326a2473f29f9950815206b92d892db7ba305c1ad87abf9b579a75bc1d9b09c77f566d5996b51bfa60557ab36c488268 |
C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe
| MD5 | 3d683bae0039e46ad50bebf4681785a0 |
| SHA1 | e8662a8cf438ec8521d71dc8b431c1ba592bd881 |
| SHA256 | e69e93cc1b989513d5bb4660d326f2e9aea09f903781ef9bdcbbbe2c24dbcc58 |
| SHA512 | f85f57d9299f4dafc3b5101af37d6f4c57ae8db23fa1a6aa1b2df37ae655d157b16b4177b9f6e45d0497a14b56451d37e123e6225ca4ed44070183d182ad563e |
C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe
| MD5 | 487d3214ced555a38e0b13dd37285ade |
| SHA1 | 656a5891bff67714d6583c2c2e484b0de721d09c |
| SHA256 | f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8 |
| SHA512 | 3a3ca5578861186b1773f1cf50e6d9ae9dbac0aafa17ad227f65b2593c5a408e50f46aea56d03bc8b85f4500b4228540a1ee0c80644b8f0c4305f0352a0e4163 |
C:\Users\Admin\Pictures\Minor Policy\ZW9r6_Jcut69xZ7q3DByCddi.exe
| MD5 | 3d683bae0039e46ad50bebf4681785a0 |
| SHA1 | e8662a8cf438ec8521d71dc8b431c1ba592bd881 |
| SHA256 | e69e93cc1b989513d5bb4660d326f2e9aea09f903781ef9bdcbbbe2c24dbcc58 |
| SHA512 | f85f57d9299f4dafc3b5101af37d6f4c57ae8db23fa1a6aa1b2df37ae655d157b16b4177b9f6e45d0497a14b56451d37e123e6225ca4ed44070183d182ad563e |
C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe
| MD5 | df71a06b859776129a744f9dbfddc401 |
| SHA1 | a8823e2b086fc4c9e5b148ad6cd29f095da05337 |
| SHA256 | d2fb526d868cb4488157564ae891059160b4349d550a291398b3d48ae28b2681 |
| SHA512 | 76fe69a046f470ca013af39c92a40fff7d6b7a7ad236ea9466d87bbdeac3537d2f1a7544ee5eb1bf179506b780ba0c5fc05f45146befbab12bca1144f21362df |
C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe
| MD5 | 6e3bab6e7b0eb009239eb642eb9d1764 |
| SHA1 | 41e3d97c275cbb297a55f3c157454dc830697fa1 |
| SHA256 | 2426765453363274d0b6a02eecd38a159738c106104b07f1df252099822a395e |
| SHA512 | 0ebab8f1ebe80d2333a32f0f5bb97a80cb2085ce7eebc20d5aa0a35c2d2b24f4515f783565f9871d668740c7dc599b14c8fb1f7ac288a27fe503b4f91c2d3ec0 |
memory/1076-219-0x0000000000340000-0x00000000003D2000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
memory/2020-220-0x0000000000070000-0x00000000006A3000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe
| MD5 | 1c05ce269187a688ceb10901bc39fce3 |
| SHA1 | ea0d9e0c5392d6b07770e7e9677660aac4f5387e |
| SHA256 | c0de80877d3bd743ea80f7c8a2f7370a4fd18713e7661049549867ab909f0c98 |
| SHA512 | 1bc710876b4910f2b54ab56c1288dbb94a2dd1d47c64b27d7ae822438f9db4ee4ef0f63e5b1ddeb9e8008b9ac5f5ae7faa5a300694958dc614dbc7814fbb7cd6 |
C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe
| MD5 | 1c05ce269187a688ceb10901bc39fce3 |
| SHA1 | ea0d9e0c5392d6b07770e7e9677660aac4f5387e |
| SHA256 | c0de80877d3bd743ea80f7c8a2f7370a4fd18713e7661049549867ab909f0c98 |
| SHA512 | 1bc710876b4910f2b54ab56c1288dbb94a2dd1d47c64b27d7ae822438f9db4ee4ef0f63e5b1ddeb9e8008b9ac5f5ae7faa5a300694958dc614dbc7814fbb7cd6 |
memory/2516-228-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe
| MD5 | 6e3bab6e7b0eb009239eb642eb9d1764 |
| SHA1 | 41e3d97c275cbb297a55f3c157454dc830697fa1 |
| SHA256 | 2426765453363274d0b6a02eecd38a159738c106104b07f1df252099822a395e |
| SHA512 | 0ebab8f1ebe80d2333a32f0f5bb97a80cb2085ce7eebc20d5aa0a35c2d2b24f4515f783565f9871d668740c7dc599b14c8fb1f7ac288a27fe503b4f91c2d3ec0 |
C:\Users\Admin\Pictures\Minor Policy\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
memory/2516-230-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\a8aMLCY7UqQ6j_EBBntQ5onH.exe
| MD5 | 6e3bab6e7b0eb009239eb642eb9d1764 |
| SHA1 | 41e3d97c275cbb297a55f3c157454dc830697fa1 |
| SHA256 | 2426765453363274d0b6a02eecd38a159738c106104b07f1df252099822a395e |
| SHA512 | 0ebab8f1ebe80d2333a32f0f5bb97a80cb2085ce7eebc20d5aa0a35c2d2b24f4515f783565f9871d668740c7dc599b14c8fb1f7ac288a27fe503b4f91c2d3ec0 |
memory/1076-239-0x0000000002E70000-0x0000000002F8B000-memory.dmp
memory/1076-238-0x0000000000340000-0x00000000003D2000-memory.dmp
memory/2796-240-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2796-242-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2796-244-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2796-245-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2796-247-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2796-249-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2796-250-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2796-252-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2796-254-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2796-257-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2796-259-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2796-262-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2796-264-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2796-267-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2796-269-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2796-272-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2796-274-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2796-275-0x0000000000940000-0x0000000001484000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\S3G8zb34YK75eg8vIvwnsVI2.exe
| MD5 | 1c05ce269187a688ceb10901bc39fce3 |
| SHA1 | ea0d9e0c5392d6b07770e7e9677660aac4f5387e |
| SHA256 | c0de80877d3bd743ea80f7c8a2f7370a4fd18713e7661049549867ab909f0c98 |
| SHA512 | 1bc710876b4910f2b54ab56c1288dbb94a2dd1d47c64b27d7ae822438f9db4ee4ef0f63e5b1ddeb9e8008b9ac5f5ae7faa5a300694958dc614dbc7814fbb7cd6 |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe
| MD5 | 07f202b6ba1e536526aa426fd3a1365e |
| SHA1 | 899dd1bb70e2b1a880218b5f28a7952ec17de111 |
| SHA256 | 7822b122eb30de403e2850849e94eea638b6eb69105d99fde3a73f31dddacb92 |
| SHA512 | a02eace0fb46192978167bfd4feccfa4eb183ce4da2c7ccc8af3d3bce18c669c354e20f935001380b4aef43007a082d77543ee9d2650e82193a886e3b113efd7 |
memory/1492-279-0x0000000000400000-0x0000000000AFF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe
| MD5 | 07f202b6ba1e536526aa426fd3a1365e |
| SHA1 | 899dd1bb70e2b1a880218b5f28a7952ec17de111 |
| SHA256 | 7822b122eb30de403e2850849e94eea638b6eb69105d99fde3a73f31dddacb92 |
| SHA512 | a02eace0fb46192978167bfd4feccfa4eb183ce4da2c7ccc8af3d3bce18c669c354e20f935001380b4aef43007a082d77543ee9d2650e82193a886e3b113efd7 |
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 93b3886bce89b59632cb37c0590af8a6 |
| SHA1 | 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137 |
| SHA256 | 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f |
| SHA512 | fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb |
\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe
| MD5 | 07f202b6ba1e536526aa426fd3a1365e |
| SHA1 | 899dd1bb70e2b1a880218b5f28a7952ec17de111 |
| SHA256 | 7822b122eb30de403e2850849e94eea638b6eb69105d99fde3a73f31dddacb92 |
| SHA512 | a02eace0fb46192978167bfd4feccfa4eb183ce4da2c7ccc8af3d3bce18c669c354e20f935001380b4aef43007a082d77543ee9d2650e82193a886e3b113efd7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Px7dg92.exe
| MD5 | 07f202b6ba1e536526aa426fd3a1365e |
| SHA1 | 899dd1bb70e2b1a880218b5f28a7952ec17de111 |
| SHA256 | 7822b122eb30de403e2850849e94eea638b6eb69105d99fde3a73f31dddacb92 |
| SHA512 | a02eace0fb46192978167bfd4feccfa4eb183ce4da2c7ccc8af3d3bce18c669c354e20f935001380b4aef43007a082d77543ee9d2650e82193a886e3b113efd7 |
memory/1492-300-0x0000000000250000-0x0000000000251000-memory.dmp
memory/1492-304-0x0000000000250000-0x0000000000251000-memory.dmp
memory/2376-305-0x0000000000080000-0x0000000000081000-memory.dmp
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
C:\Users\Admin\Pictures\Minor Policy\qDJxOF88P5b31X9nYbNzcZPp.exe
| MD5 | df71a06b859776129a744f9dbfddc401 |
| SHA1 | a8823e2b086fc4c9e5b148ad6cd29f095da05337 |
| SHA256 | d2fb526d868cb4488157564ae891059160b4349d550a291398b3d48ae28b2681 |
| SHA512 | 76fe69a046f470ca013af39c92a40fff7d6b7a7ad236ea9466d87bbdeac3537d2f1a7544ee5eb1bf179506b780ba0c5fc05f45146befbab12bca1144f21362df |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe
| MD5 | d1125b2a4c3d1c467df3053159ab3b32 |
| SHA1 | 6fd90488f80023efddece0951abbf8b42e71e26f |
| SHA256 | 5c639ebe40a11d76c593f3f3237875cde352ac02471035d9e436672c95ba83ec |
| SHA512 | 578d0bb04f31bd55ea31a0dbd0ae8114987e4a0106b6fd0aff1bdbc4c75783e59961c8181cc279f3fb8baaa5ae2121388ef75bf1bf2b531f9eca93be4c50580e |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe
| MD5 | d1125b2a4c3d1c467df3053159ab3b32 |
| SHA1 | 6fd90488f80023efddece0951abbf8b42e71e26f |
| SHA256 | 5c639ebe40a11d76c593f3f3237875cde352ac02471035d9e436672c95ba83ec |
| SHA512 | 578d0bb04f31bd55ea31a0dbd0ae8114987e4a0106b6fd0aff1bdbc4c75783e59961c8181cc279f3fb8baaa5ae2121388ef75bf1bf2b531f9eca93be4c50580e |
C:\Users\Admin\Pictures\Minor Policy\p0Md4MBiYJc6SgyciNphhNUh.exe
| MD5 | b9a096baebdf8e44368e9724da8e56dd |
| SHA1 | f9873fa92ae8b75e23e353f43ae1ba9087edebfc |
| SHA256 | 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef |
| SHA512 | f17ee70d827fba12de17062add350df0803009e5b930a0f0a7891e6bf64f0df8f443355ec72ae332aed3b37d24f40c78e0a559040e45994e02e3a5ad71624b08 |
\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe
| MD5 | d1125b2a4c3d1c467df3053159ab3b32 |
| SHA1 | 6fd90488f80023efddece0951abbf8b42e71e26f |
| SHA256 | 5c639ebe40a11d76c593f3f3237875cde352ac02471035d9e436672c95ba83ec |
| SHA512 | 578d0bb04f31bd55ea31a0dbd0ae8114987e4a0106b6fd0aff1bdbc4c75783e59961c8181cc279f3fb8baaa5ae2121388ef75bf1bf2b531f9eca93be4c50580e |
C:\Users\Admin\Pictures\Minor Policy\RxOQCm7grqMZ61Vr_46oGvts.exe
| MD5 | 5aa38295da76c7810a946e570d8fe083 |
| SHA1 | e308b69c06c2655f8aa1f550dfaef9388163963a |
| SHA256 | 78e6096326c837b23be4519087c4f920a0e5c0b3dca3a407e926a8d3940bde2f |
| SHA512 | e4b610bb3c5e6ed7a93323e9e248f7de81dd4d7a61fe2896cc25e30924217f1d9519409c76118a47acb99ad46d1c2ed3893164dd3e883402b1ee725abcd6f8ab |
C:\Users\Admin\Pictures\Minor Policy\ch5c8B5ZdA4rJTdsnDNjoJVN.exe
| MD5 | d852aed84489b36f5d6b0f6a075cafd6 |
| SHA1 | 73a175bbf684f85881b6d27d3551d0d6e734d6df |
| SHA256 | 9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274 |
| SHA512 | dea771a5502bee275531da3634775433eff6fefdce2c4ddceb8762b95efc6718edcc714eac705481109acd8c6ef9c139b3ad7e91e6723d38203b0d9995746ad4 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Kh9Eh27.exe
| MD5 | d1125b2a4c3d1c467df3053159ab3b32 |
| SHA1 | 6fd90488f80023efddece0951abbf8b42e71e26f |
| SHA256 | 5c639ebe40a11d76c593f3f3237875cde352ac02471035d9e436672c95ba83ec |
| SHA512 | 578d0bb04f31bd55ea31a0dbd0ae8114987e4a0106b6fd0aff1bdbc4c75783e59961c8181cc279f3fb8baaa5ae2121388ef75bf1bf2b531f9eca93be4c50580e |
C:\Users\Admin\Pictures\Minor Policy\8of3DRmQjWCjBhE2NNvN6ur1.exe
| MD5 | 487d3214ced555a38e0b13dd37285ade |
| SHA1 | 656a5891bff67714d6583c2c2e484b0de721d09c |
| SHA256 | f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8 |
| SHA512 | 3a3ca5578861186b1773f1cf50e6d9ae9dbac0aafa17ad227f65b2593c5a408e50f46aea56d03bc8b85f4500b4228540a1ee0c80644b8f0c4305f0352a0e4163 |
memory/296-387-0x0000000073180000-0x000000007386E000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\dmLR0Y_m8IWj4ctFaNTqCtNr.exe
| MD5 | eede39c7c0198e86a3b75d2b8af77201 |
| SHA1 | b4545ddfbf9a70674a3f28aafe7abf7b4828b9f1 |
| SHA256 | 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727 |
| SHA512 | 31698efaf32fca4bacbf7eef3c51b1db1350ea6768c498e859feea0dc610b3fdce8f5f1691279807088aa0a94eb61578bc6082840312dd17f8910ba7dd6f240d |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe
| MD5 | 84e9449c56dfa124d9122f055727b670 |
| SHA1 | f575927558c1274cb63ae74ea6af4b0420080e32 |
| SHA256 | 6cfc41d93b8ae9f3e579ce04426a2ca51ba158944331a97ff5c7c1a2f4f00c43 |
| SHA512 | e2e8058f4fccc8bd379a5755d300b2d715bf6b2fb23dc277d825a4c5ddd594dfef0d4cea63ed440e8d62423163d6af73a09c6dfecb9e5fa35edc94aa838e10cb |
\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe
| MD5 | 84e9449c56dfa124d9122f055727b670 |
| SHA1 | f575927558c1274cb63ae74ea6af4b0420080e32 |
| SHA256 | 6cfc41d93b8ae9f3e579ce04426a2ca51ba158944331a97ff5c7c1a2f4f00c43 |
| SHA512 | e2e8058f4fccc8bd379a5755d300b2d715bf6b2fb23dc277d825a4c5ddd594dfef0d4cea63ed440e8d62423163d6af73a09c6dfecb9e5fa35edc94aa838e10cb |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe
| MD5 | 84e9449c56dfa124d9122f055727b670 |
| SHA1 | f575927558c1274cb63ae74ea6af4b0420080e32 |
| SHA256 | 6cfc41d93b8ae9f3e579ce04426a2ca51ba158944331a97ff5c7c1a2f4f00c43 |
| SHA512 | e2e8058f4fccc8bd379a5755d300b2d715bf6b2fb23dc277d825a4c5ddd594dfef0d4cea63ed440e8d62423163d6af73a09c6dfecb9e5fa35edc94aa838e10cb |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\cu2Lz27.exe
| MD5 | 84e9449c56dfa124d9122f055727b670 |
| SHA1 | f575927558c1274cb63ae74ea6af4b0420080e32 |
| SHA256 | 6cfc41d93b8ae9f3e579ce04426a2ca51ba158944331a97ff5c7c1a2f4f00c43 |
| SHA512 | e2e8058f4fccc8bd379a5755d300b2d715bf6b2fb23dc277d825a4c5ddd594dfef0d4cea63ed440e8d62423163d6af73a09c6dfecb9e5fa35edc94aa838e10cb |
memory/2120-402-0x0000000000220000-0x000000000023B000-memory.dmp
memory/296-406-0x0000000001040000-0x000000000109A000-memory.dmp
memory/2796-407-0x0000000000940000-0x0000000001484000-memory.dmp
memory/2796-410-0x0000000077B70000-0x0000000077B71000-memory.dmp
memory/2120-411-0x0000000000400000-0x000000000062D000-memory.dmp
memory/1492-412-0x0000000000400000-0x0000000000AFF000-memory.dmp
memory/2376-413-0x0000000000FD0000-0x0000000001B9C000-memory.dmp
memory/2376-414-0x0000000077B70000-0x0000000077B71000-memory.dmp
memory/2376-415-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2516-416-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2120-417-0x00000000006C0000-0x00000000007C0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X7DUUC87.txt
| MD5 | 478fd6a838f6e18e2dbbfebe1e42160e |
| SHA1 | 15668b7cebc1e4773376a36859232ba93a1e81fa |
| SHA256 | dbed64fc1281b74031dd67510002985d426e177c3fc41931c3bee124616a6ca1 |
| SHA512 | 4ed296c351700ab6373b95bc6cdac47584ec8b8a0f1515aa7bead2010a883b38d04af79ab4e73cf8e8838e1088969a593918a25f8c90a8fb4e4d27c630237dbf |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\xt8uk02.exe
| MD5 | 1806f939b52c2a8af4fe0271da2fdbc8 |
| SHA1 | 58ae749997995cade90ae5828064e101a874c6be |
| SHA256 | 397e1e3b0092149d784c8db4506425aa4a860c918943c44e6b4506928ea427d3 |
| SHA512 | 9871baaf12760523da4a0dd1043d412ae249275fb3601c4796e25e5f3df97b1b6e625dbe3298894a022b79ba8b0f2a81dad08d3a03cdc2287afc3dfc696d3fff |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1FG56KM1.exe
| MD5 | a07f1de1c9774d5a490b599e98a87928 |
| SHA1 | 2e89540d18db9fc57132372abad292db56697b22 |
| SHA256 | 4d39a22a2ac96eba80c0f05c8f198a8f62d49ec226a658ca9a4026f96a7799bb |
| SHA512 | 9d2366b0e427dde753c065430ae26ece060b70df1e6369e178a945e83efa0aec72e5d6ed236d41c09e342ec7f5040173d1d7edb46e3d1fe5877b60263747fb81 |
\Users\Admin\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe
| MD5 | 1c05ce269187a688ceb10901bc39fce3 |
| SHA1 | ea0d9e0c5392d6b07770e7e9677660aac4f5387e |
| SHA256 | c0de80877d3bd743ea80f7c8a2f7370a4fd18713e7661049549867ab909f0c98 |
| SHA512 | 1bc710876b4910f2b54ab56c1288dbb94a2dd1d47c64b27d7ae822438f9db4ee4ef0f63e5b1ddeb9e8008b9ac5f5ae7faa5a300694958dc614dbc7814fbb7cd6 |
memory/2620-476-0x00000000003D0000-0x00000000003F0000-memory.dmp
memory/1708-479-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2256-478-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2256-485-0x0000000073180000-0x000000007386E000-memory.dmp
memory/1708-486-0x0000000073180000-0x000000007386E000-memory.dmp
memory/1492-487-0x0000000000400000-0x0000000000AFF000-memory.dmp
memory/2620-488-0x0000000000540000-0x000000000055E000-memory.dmp
memory/296-492-0x0000000073180000-0x000000007386E000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | dc7182cb28d79861499dfd882b5e7bdc |
| SHA1 | d3f27b9babb8a48b8766ccba366500857f463e96 |
| SHA256 | 6d5d80d251a4006b2b527b80f0d1f8a74f5146b83740b4b45938626d30864a1d |
| SHA512 | dbd8bc053aebab05e11f6fd9283410761c1d3ef342265bebae85a51c34a619b0029a640b25c09bf1ea4d8289d4a74b5a141f8129c31145a6927ca7dca6aa8cef |
memory/2796-528-0x0000000000940000-0x0000000001484000-memory.dmp
memory/2120-531-0x0000000000400000-0x000000000062D000-memory.dmp
memory/1492-535-0x0000000000400000-0x0000000000AFF000-memory.dmp
memory/2376-537-0x0000000000FD0000-0x0000000001B9C000-memory.dmp
memory/2256-568-0x0000000007310000-0x0000000007350000-memory.dmp
memory/296-571-0x00000000075E0000-0x0000000007620000-memory.dmp
memory/2120-574-0x00000000006C0000-0x00000000007C0000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A65DBECD82A40019E873CE4ED0A79570
| MD5 | 5b7cac3c0beeb01ebb010d6e838bf706 |
| SHA1 | baccc80887e63fb04f96f33b80c0d85e8f43e1d0 |
| SHA256 | 40815dafa17ab30717aa6f9de4dd65987a219910bf4555bba21d4a5b3db973d5 |
| SHA512 | 024d31dc7fc9b3b16472d1312098c2a9aa0d0ce3083e3645962d109a716f84352c3b601aacef57b7f802e67477b519257dd2b43ac764872620ff41dd88ce2342 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A65DBECD82A40019E873CE4ED0A79570
| MD5 | 460f4844ebc0f0ced4e567d29ea96c59 |
| SHA1 | afeb6fa7d2b2ad3d1d91e40e783101354d3c6117 |
| SHA256 | 4bdc453909374b4ad6c1566915d8255b1c87533383e7dcb826c775d0870f3c9f |
| SHA512 | 95f9934ed5b8168a18a12309f23fbacbcf03f44f68c425eff4d5bf93955f4013a34f538cec7fe8b95db1828f11aec984b6f466f23cc53a2f0e97fb6e51ed7575 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
| MD5 | 490f3b2dd153ec8144cd03fd43be1b08 |
| SHA1 | 7a53bee757cc00d36803836eb419fb8f86cd9b64 |
| SHA256 | 949b6f9b62a5ac7a6d8955a6f14bcb34a94841b3f81f38b762e52296d765338d |
| SHA512 | dfd07cfab800677f80b24da96b128887d59cbde843a55ffa0045fb9c2d964107b16ef3b61a23966095a696b20196810bc9cea4422bb06c85f496c257a78d47ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
| MD5 | eb535171e2b808937f8c5e80e301b0ec |
| SHA1 | 905097502e4a7017422bd4f6ee9a61963fbb64d6 |
| SHA256 | 82c594da4cfd827d61af026643c96f8d6190ffe76267088185385ea46b90b877 |
| SHA512 | bd2c0b92d6f696d3e12d6f84a8a3ef800e408cb6277260f44e9a29fc15a929e91ec8c3b8a17dcc4525ae640163ad699460dff21964928496cc60bb0bdb419f90 |
memory/2256-619-0x0000000073180000-0x000000007386E000-memory.dmp
memory/1708-620-0x0000000073180000-0x000000007386E000-memory.dmp
memory/2256-622-0x0000000007310000-0x0000000007350000-memory.dmp
memory/296-623-0x00000000075E0000-0x0000000007620000-memory.dmp
memory/1708-629-0x00000000044F0000-0x0000000004530000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tempCMS4k53kUHL2uSv\information.txt
| MD5 | c3e8a8ebb93dcb736020c50e6c5af971 |
| SHA1 | 2cc5493c837e7748f9564ca9188279788450a318 |
| SHA256 | 6f23e4e7c62ada10df24727ecf5d870460d8c1e649086785e5d9888abcf3a4da |
| SHA512 | 9d0ad1b360dad80f801b665545eae61ee9f5b8409b4d73e1660e380029b82f5097f0973f6fb3a118712364b9003476a11f96ad076f2a99c9cccdf63aa40648ef |
C:\Users\Admin\AppData\Local\6a32e694-ce15-4166-b5d5-39601b8b4741\_Axw7GGd2Fy7GTHeEDtFtPCq.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
memory/1492-650-0x0000000000400000-0x0000000000AFF000-memory.dmp
C:\ProgramData\HDGIJJDGCBKFIDHIEBKE
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | bf92ac117f81c3fd55c450bcbcbad622 |
| SHA1 | 2c49cb42f188d181a52ef7777f5f2d578f49a145 |
| SHA256 | 46684037845905198e2198a3020c7ccf50acec9eefd8139c7f45476c2de4d7fe |
| SHA512 | 96742eb35b7d6df7805c405a7e229ec204ef8ea48d43a9c980e6aeb41fed9134495e2d3e566cb2300b63bd579693ecee7a7272fbdade93edbc4ca09ac78adafa |
C:\Users\Admin\Pictures\Minor Policy\J09p8V_CfJYAsxckvyLwXWHH.exe
| MD5 | f0033521f40c06dec473854c7d98fa8b |
| SHA1 | 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a |
| SHA256 | 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e |
| SHA512 | f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217 |
C:\ProgramData\AEBAFBGI
| MD5 | ec30b7eadd1965e4865c218b939eacc7 |
| SHA1 | 1ae50b6a4f639d222b58b484a4ccdc7286ba8fc7 |
| SHA256 | 1f547dba047c78f27adc0b75a0cc23a212cad9fdf1c0ec2040b067fb6ad2c298 |
| SHA512 | 701e5a6d03cead9ccafe731ae4af3272384d65a56c7786abb29718f69873b9fcb35184762b344c5f5f7e9bf107c739f6f15e8ca91fc7749e24424872ba6fe75f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E1993F15A3402D743FF8169CEB684DD3
| MD5 | d056c7ed1f4352765c2a64d94735590d |
| SHA1 | 583d42c202d4a1f7993ba1cf637c5350978dfa91 |
| SHA256 | bcb2e1ce694f498fb6ec7cd4ca7c258faaf0be566fffbc78b8eaebdfb06a5486 |
| SHA512 | 3475af7c4fe3ef6ac3c442354c9381cfa36734c563172c5a2f2aeefc5830dabcab02518e41cb4cd135425b9daa0206f012f49a7f75568eb040d2331fd02e4499 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E1993F15A3402D743FF8169CEB684DD3
| MD5 | 2d459b176b30094a41471f48dfc007a1 |
| SHA1 | 3c6614225ddcc5a331e8439c05af40d610a05d3b |
| SHA256 | 5ba424599a34daee94c313b9d5490249543e068b76d5634688504e2a8cb729fe |
| SHA512 | c6655a4141638dc8fa0822af2502fab22d669f76ee59775c31bffc8be174a22a3ffb911651f7244191b417b14aa506069943b157b7398c43a2b6fd889e953f92 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2lv8023.exe
| MD5 | cabd66ee7b3137ac4a46506764ccd873 |
| SHA1 | 7b3795a591b0ed4ded1581d1522a3e84eb7b09e1 |
| SHA256 | 0ce1649a4835048af944d015ce6186b6aee4dd3e21bbae68ffeafae4fd1e4284 |
| SHA512 | b23cd7a81ccd990e76f2cae2e41b749a9a1bebfea2d67c8999dfea35729447f8d4a0bdf142cc1cf4cb349066955f950a88e3a904620a89fe7fe035bc0c3153b0 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3Gh68ms.exe
| MD5 | f268152d9b958c135f8c7e386976307a |
| SHA1 | 9ddd2c2ef943e750313a644f4f9e7de238f422e3 |
| SHA256 | 4bc91b50365d26f9f26e5a5f32beb980f6daec58008866999111aea6d0d91df8 |
| SHA512 | 90963a73f2209f0994a950fe6bdafae22f1504b6dd79da6f5dbdf91ece595df9ead912c0da7764e188e06bbc76028e691d9577666b4bff6c1ffb2864f188e04f |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4nE240CO.exe
| MD5 | 6f36746ba07903beec2fbfb964c78078 |
| SHA1 | aa529e8ee9483205499cc0b79eae7e023e704f25 |
| SHA256 | d907dc5f47f188be2e128388c89069a1dbc2ab1395a8926783e635c2020be131 |
| SHA512 | 608861ad2c1709579bf7856b705f6c0e197cefda7964f44dd07c7eb787e72d4b27bc527962fa2a111743a99c94a9e4f3d81d414b4cdaa662143d6e62b47a9c6f |
memory/3040-790-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3040-807-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2764-823-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\iBvaRtRDjlDWPpPPVtFXvuEU.exe
| MD5 | bc4b5950c410c30413487fb3ff6fb4a0 |
| SHA1 | 5f7dc8d714417d37f48700fe892ef79e6a33310b |
| SHA256 | cd20ffdb8f36eb15d0cb4f2d18ce2eefa6ce86f04ad7aad55fd4bb04a5bb9f1b |
| SHA512 | 80d07ffad473edd5093e0797cc88ac16299aa8d990cad7a2558732e4799a29024395f86a9db1427196a2c891dea006afb8d0c6d93ae44d3f43c5c03597014e40 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5Cy9OS5.exe
| MD5 | 7ac115d2f8923e3333482ad5dce135bd |
| SHA1 | 6b4e6678f05a24af978f5645c3ac538b08caae5d |
| SHA256 | c2bf62fd6285d1f1ed41246360e4f86c8c35257c8cf8bc90acd07a119ede9e5a |
| SHA512 | 118011e15969f7073e37afdfe9f4a19e72b3c413f9938bd6f9519a66689c46bb39ef5c15416cc59cda4a17c0614a6d70e3d7c0ef965778f34b9fe10927f9a06e |
memory/2796-842-0x0000000000940000-0x0000000001484000-memory.dmp
memory/2428-864-0x0000000000250000-0x0000000000251000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6Vw8Dv1.exe
| MD5 | 3e53a4962f5204ed0062a5b3057482f6 |
| SHA1 | 2d31f923d1316e416400bc9ce9cdd762f84e1036 |
| SHA256 | eea675abe55016f079cfb71b6e63edabb931867c5eae18eb2644c733b9e3686c |
| SHA512 | 7cd19476e648d73f0ddd4993786c3dcc2e74e6d58204617efbdc947a16828dd2446c3800e84b86e81ac41fc1543cf84538ca8917f915a4f15c93394804d005e9 |
memory/2516-895-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1796-898-0x0000000000320000-0x00000000003B2000-memory.dmp
memory/1796-902-0x0000000000320000-0x00000000003B2000-memory.dmp
memory/2824-905-0x0000000000400000-0x0000000000537000-memory.dmp
C:\ProgramData\IDHIIJJJKEGIDGCBAFIJECGIEG
| MD5 | 47743594ed0965ca173f8235c2a62c2f |
| SHA1 | d0bf87a2e79cdf6baf6db8d75acfbf00fd7f9cfb |
| SHA256 | d852449022d3e22cbd9ceba0c4edc75d2a803b441b0bc2c9e8b0b6bb977dbb0c |
| SHA512 | 514892b1a14f7aa308505737303e72955cd996e1e28b8db6af6a33a890dbe1704dd0643865358ee005b5d6fab9941b0b29a0d79304ba780cc973bee9515d20cc |
C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe
| MD5 | 627f02d5e9dde53111a2953059db9372 |
| SHA1 | ffed5b0eda9791c42fa928111fcc973c0682a585 |
| SHA256 | bfc09d350d8bcedb1dbaddcf85e4a993907ac0dceba795556947312855d9a7cd |
| SHA512 | 01a286dcc7196a187f44c1143ad53bbc43556f5c9338003bd9291f40105378bab60e569a0ee8d5f6f28c41ad6e131423e02666818bfc058e166f555579bef1ab |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 4977ee92a9962d176583e46ddaf1b835 |
| SHA1 | 279476bffa0298e641fcb57183ab9d6810026a2c |
| SHA256 | 7409375ac9c5e32b1d27fba7d6f93ee7dcaaa7848e1b96de944b97bff42b4497 |
| SHA512 | 8b93f2a41250504b791fc379e524952c7013479404fb02dc7f065443e48aa40079ea3215c0b1ddb8dcab55d902ed97be378694cbbb5911df0d6776973c1dfd61 |
memory/2824-1007-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3364-1013-0x0000000000270000-0x0000000000370000-memory.dmp
memory/3364-1014-0x00000000001B0000-0x00000000001B9000-memory.dmp
memory/3256-1032-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp
memory/3256-1033-0x00000000026B0000-0x0000000002730000-memory.dmp
memory/3256-1034-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp
memory/3364-1035-0x0000000000270000-0x0000000000370000-memory.dmp
memory/3256-1036-0x00000000026B0000-0x0000000002730000-memory.dmp
memory/3484-1040-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3484-1041-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3484-1049-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3256-1050-0x000007FEF50B0000-0x000007FEF5A4D000-memory.dmp
memory/3256-1054-0x00000000026B0000-0x0000000002730000-memory.dmp
memory/3256-1066-0x00000000026B0000-0x0000000002730000-memory.dmp
memory/3256-1072-0x000000001B190000-0x000000001B472000-memory.dmp
memory/3256-1073-0x00000000026B0000-0x0000000002730000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cefbf126-4503-4d99-8523-7cffeaaada6b.tmp
| MD5 | fd74eec26d6d0c5c637f7e6b6b2ee0a6 |
| SHA1 | 9b14ccd828ca358c0625cc979b72980a8758c464 |
| SHA256 | 5265f76fc5d57bd0480c812056baa81b5f213b1795d5310587ab1fd3fb317cbc |
| SHA512 | 3e2332bb41238ba184a2a4844b7e7fc31ff88ca981e57d5adc6c1fe1b2de26237ff926f969e7053ef776c98aaf2a2e308456d1aef473eb4ff16e5eeffb874250 |
C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe
| MD5 | fa0f9adea2e58ed44c52716416964850 |
| SHA1 | 07d4df5af7cc0c1e43d8b4a88798f2f5f84e8b31 |
| SHA256 | df75b62e373e0b91f26384b21aaa8e4dc86c13078cec7e32ad595d0c86d3fedb |
| SHA512 | 63f476c5e212d67eefe8723c21a65a7c5ccaea543cb8901410c6ed1378a7b0d8e0a130dab08d59ecc09dc3feac4282aebdf645d2f9cfd330224f2f161dad4185 |
memory/2120-1145-0x0000000000400000-0x000000000062D000-memory.dmp
memory/2120-1144-0x00000000006C0000-0x00000000007C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/3256-1167-0x0000000002690000-0x0000000002698000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Temp\9C7F.exe
| MD5 | 7540f187f5efc718643cab72d2da8093 |
| SHA1 | 22d4288ef20f68b779c70642ec7c43a321fb0cf1 |
| SHA256 | 1b69b5f289ec0b437496810e9d1e2fd480adf33385ce619836bbfe96ed224640 |
| SHA512 | 33ae7d34e0183aa9183b5f41263af9b1758c94decdd9affccc0894c4cbfc09b8038f11af7066f738c21b30bba5561a60ecd63fb4f6f974924cf915ce8abcee97 |
C:\Users\Admin\AppData\Local\Temp\AF83.bat
| MD5 | 403991c4d18ac84521ba17f264fa79f2 |
| SHA1 | 850cc068de0963854b0fe8f485d951072474fd45 |
| SHA256 | ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f |
| SHA512 | a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 93a83c35a0febf8376a76d36f8f3e1c1 |
| SHA1 | c112ccfcfe63a72595cba83d9c4f815c5f4b36a4 |
| SHA256 | 3fb9b791cb2d5ae79b9332be3b78048c98e957c0804b1f28cdd6f3d0e222f7cc |
| SHA512 | 428a8e3acb890749e3fe81f3e6ba320f55483bb85ec25d6d1f3ddd83bf66e3b6c825f3eac62923350b6db1b94de352564a423dd8a33ea6b7d75b3fbc7ed84f11 |
C:\Users\Admin\AppData\Local\Temp\BEFF.exe
| MD5 | 41582701647982c3b7db18a65f875375 |
| SHA1 | 46290694a6dae5e01f1214bf21d3273c5f436d36 |
| SHA256 | 4e8272b74ba2f992a78e7b2958a66ac5d5c19b56c0822307c6c5d8a5f1b28126 |
| SHA512 | d3ff9d6e9adf8e52220930a8bd5b7e447dac5d4ec15bfeaf27fc203a54a7c513bed1f69cadcc3dcce20e8d9f1a9e7f426ea6cce1e2d7e85d2a4e998b999de672 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-17 06:58
Reported
2023-10-17 07:23
Platform
win10v2004-20230915-en
Max time kernel
514s
Max time network
597s
Command Line
Signatures
Amadey
DcRat
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
PrivateLoader
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Stealc
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4548 created 3180 | N/A | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | C:\Windows\Explorer.EXE |
| PID 4548 created 3180 | N/A | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | C:\Windows\Explorer.EXE |
| PID 4548 created 3180 | N/A | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | C:\Windows\Explorer.EXE |
| PID 4548 created 3180 | N/A | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | C:\Windows\Explorer.EXE |
| PID 4548 created 3180 | N/A | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | C:\Windows\Explorer.EXE |
| PID 4548 created 3180 | N/A | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | C:\Windows\Explorer.EXE |
Finds standalone samples of Amadey based on characteristic strings
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | N/A | N/A |
Renames multiple (169) files with added filename extension
Downloads MZ/PE file
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\\xXyQiNG_qhmki3RUDDNIRPh8.exe\" --AutoStart" | C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | N/A | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | N/A | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | N/A | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | N/A | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3712 set thread context of 2124 | N/A | C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe |
| PID 1812 set thread context of 4008 | N/A | C:\Windows\System32\smss.exe | C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe |
| PID 3672 set thread context of 756 | N/A | N/A | C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe |
| PID 4140 set thread context of 4536 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe |
| PID 4548 set thread context of 5056 | N/A | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | C:\Windows\System32\smss.exe |
| PID 564 set thread context of 2840 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5D01.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | N/A | N/A |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | N/A |
| File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | N/A | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\Explorer.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A (64 identical entries; the sandbox recorded no driver path or loading process for any of them) | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\sihost.exe | N/A |
| Token: SeDebugPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\smss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\smss.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\smss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemProfilePrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | N/A | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
| Token: SeRestorePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | N/A | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | N/A | N/A |
| Token: SeUndockPrivilege | N/A | N/A | N/A |
| Token: SeManageVolumePrivilege | N/A | N/A | N/A |
| Token: 33 (LUID 0x21, SeIncreaseWorkingSetPrivilege; name not resolved by the sandbox) | N/A | N/A | N/A |
| Token: 34 (LUID 0x22, SeTimeZonePrivilege; name not resolved by the sandbox) | N/A | N/A | N/A |
| Token: 35 (LUID 0x23, SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) | N/A | N/A | N/A |
| Token: 36 (LUID 0x24, SeDelegateSessionUserImpersonatePrivilege; name not resolved by the sandbox) | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\smss.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\smss.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | N/A | N/A |
| Token: SeSecurityPrivilege | N/A | N/A | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | N/A | N/A |
| Token: SeLoadDriverPrivilege | N/A | N/A | N/A |
| Token: SeSystemProfilePrivilege | N/A | N/A | N/A |
| Token: SeSystemtimePrivilege | N/A | N/A | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | N/A | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeBackupPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | N/A |
Processes
| Image | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation |
| C:\Windows\sysmon.exe | C:\Windows\sysmon.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} |
| C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog |
| C:\Users\Admin\AppData\Local\Temp\Setup.exe | "C:\Users\Admin\AppData\Local\Temp\Setup.exe" |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum |
| C:\Users\Admin\Pictures\Minor Policy\78mCmut1q31KKLEjZwPM_IRi.exe | "C:\Users\Admin\Pictures\Minor Policy\78mCmut1q31KKLEjZwPM_IRi.exe" |
| C:\Users\Admin\Pictures\Minor Policy\GYEKGY13K8dTfwFO8xyTbSdv.exe | "C:\Users\Admin\Pictures\Minor Policy\GYEKGY13K8dTfwFO8xyTbSdv.exe" |
| C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe | "C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe" |
| C:\Users\Admin\Pictures\Minor Policy\SWE1hAZdlhK298cTBGrRTAJb.exe | "C:\Users\Admin\Pictures\Minor Policy\SWE1hAZdlhK298cTBGrRTAJb.exe" |
| C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe | "C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe" |
| C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe | "C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe" |
| C:\Users\Admin\Pictures\Minor Policy\R6H5DbUMUEorruAu4jSA9yKu.exe | "C:\Users\Admin\Pictures\Minor Policy\R6H5DbUMUEorruAu4jSA9yKu.exe" |
| C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | "C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe" |
| C:\Users\Admin\Pictures\Minor Policy\9SLvu92aauFEE9PwBtgW5f7X.exe | "C:\Users\Admin\Pictures\Minor Policy\9SLvu92aauFEE9PwBtgW5f7X.exe" |
| C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | "C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe" |
| C:\Users\Admin\Pictures\Minor Policy\1K4bTXJtjSJzT8f0Aii8L_sT.exe | "C:\Users\Admin\Pictures\Minor Policy\1K4bTXJtjSJzT8f0Aii8L_sT.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe |
| C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | "C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dN8469.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dN8469.exe |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1088 -ip 1088 |
| C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe | "C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1088 -s 1648 |
| C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | "C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\Pictures\Minor Policy\pLFkWHfL7rt_NoRn4GCeHrVB.exe | "C:\Users\Admin\Pictures\Minor Policy\pLFkWHfL7rt_NoRn4GCeHrVB.exe" |
| C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe | "C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe" |
| C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe | "C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4008 -ip 4008 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 568 |
| C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /k echo Y\|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y\|CACLS "..\207aa4515d" /P "Admin:N"&&CACLS "..\207aa4515d" /P "Admin:R" /E&&Exit |
| C:\Windows\system32\rundll32.exe | C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask |
| C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe | C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe --Task |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "oneetx.exe" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "oneetx.exe" /P "Admin:R" /E |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo Y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\207aa4515d" /P "Admin:N" |
| C:\Windows\SysWOW64\cacls.exe | CACLS "..\207aa4515d" /P "Admin:R" /E |
| C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe | C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe --Task |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force |
| C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe | "C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe" |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc |
| C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
| C:\Windows\System32\sc.exe | sc stop UsoSvc |
| C:\Windows\System32\sc.exe | sc stop WaaSMedicSvc |
| C:\Windows\System32\sc.exe | sc stop wuauserv |
| C:\Windows\System32\sc.exe | sc stop bits |
| C:\Windows\System32\sc.exe | sc stop dosvc |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 |
| C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kfbfjf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } |
| C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-ac 0 |
| C:\Windows\System32\powercfg.exe | powercfg /x -hibernate-timeout-dc 0 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2664 -ip 2664 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2664 -s 2380 |
| C:\Windows\System32\powercfg.exe | powercfg /x -standby-timeout-ac 0 |
| C:\Windows\System32\powercfg.exe | powercfg /x -standby-timeout-dc 0 |
| C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe |
| C:\Windows\System32\schtasks.exe | C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC" |
| C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe | "C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe" |
| C:\Users\Admin\AppData\Local\Temp\orm6k3UPjyk7pHiE6lmOcRAp.exe | "C:\Users\Admin\AppData\Local\Temp\orm6k3UPjyk7pHiE6lmOcRAp.exe" |
| C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe | C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe --Task |
| C:\Users\Admin\AppData\Local\Temp\5D01.exe | C:\Users\Admin\AppData\Local\Temp\5D01.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B880.bat" " |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe | "C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe" |
| C:\Users\Admin\AppData\Local\Temp\5D01.exe | C:\Users\Admin\AppData\Local\Temp\5D01.exe |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D7D0.bat" " |
| C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc |
| C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe | C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\system32\sihost.exe | sihost.exe |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000dc 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000fc 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000dc 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000b4 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000dc 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000c4 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 0000011c 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000b4 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 0000011c 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000dc 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 00000100 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 00000110 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000f8 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 00000108 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 0000011c 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000dc 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000dc 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000f8 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 0000011c 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000f8 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 0000011c 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 00000100 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000ec 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000ec 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 00000134 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 00000108 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 0000011c 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000b4 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000000c4 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 0000025c 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 00000298 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 00000370 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000001f8 00000084 |
| C:\Windows\System32\smss.exe | \SystemRoot\System32\smss.exe 000001e4 00000084 |
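The process listing above contains the persistence and defence-evasion commands that matter for triage: scheduled tasks created with `/rl HIGHEST` from ProgramData and Temp, a one-minute `schtasks` loop for `oneetx.exe`, `icacls`/`CACLS` deny rules that lock the dropper's own directory against deletion, a Defender exclusion for the whole user profile and Program Files, `sc stop` against the Windows Update and BITS services, `powercfg` calls that stop the host from sleeping, and a SYSTEM-level startup task named after Google Update that points at a dropped `updater.exe`. The script below is an added example written for this page, not part of the sandbox report or any tool's code: it parses the image/command-line pairs as printed here (an excerpt is embedded, with the long PowerShell one-liner shortened to its task-creation parts) and tags each command with the behaviours it exhibits. The tag names and the ATT&CK technique IDs in the `ATTACK` table are the editor's own annotation.

```python
import re
from collections import defaultdict

# Constructed excerpt of the process listing above: image path on one line,
# command line on the next. The PowerShell task-creation command is shortened.
REPORT_EXCERPT = r"""
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe" /F
C:\Windows\SysWOW64\cacls.exe
CACLS "oneetx.exe" /P "Admin:N"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kfbfjf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
"C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe" --Admin IsNotAutoStart IsNotTask
"""

# Services the miner installer stops so that Windows Update cannot interfere.
UPDATE_SERVICES = {"usosvc", "waasmedicsvc", "wuauserv", "bits", "dosvc"}

# Editor's mapping of tags to ATT&CK technique IDs (annotation, not from the report).
ATTACK = {
    "creates_scheduled_task": "T1053.005",
    "acl_self_protection": "T1222.001",
    "defender_exclusion": "T1562.001",
    "stops_update_services": "T1489",
    "disables_sleep": "T1562.001",
    "exec_from_user_writable": "T1204.002",
}


def parse_process_list(text):
    """Turn the two-line-per-process listing into (image, command_line) pairs."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected image/command-line pairs")
    return [(lines[i], lines[i + 1]) for i in range(0, len(lines), 2)]


def classify(cmdline):
    """Return the set of behaviour tags a single command line exhibits."""
    low = cmdline.lower()
    tags = set()
    if ("schtasks" in low and "/create" in low) or "register-scheduledtask" in low:
        tags.add("creates_scheduled_task")
        if "/rl highest" in low or "-runlevel 'highest'" in low:
            tags.add("task_highest_runlevel")
        if "/ru 'system'" in low or "-user 'system'" in low:
            tags.add("task_runs_as_system")
        if re.search(r"/sc\s+minute\s+/mo\s+1\b", low):
            tags.add("task_every_minute")
        if re.search(r"\\(?:appdata|programdata|temp)\\", low):
            tags.add("task_action_in_user_writable_path")
    # icacls /deny or CACLS "...:N" on the malware's own files: anti-deletion.
    if re.search(r"\b(?:icacls|cacls)\b", low) and (
            "/deny" in low or re.search(r':n"?(?:\s|$)', low)):
        tags.add("acl_self_protection")
    if "add-mppreference" in low and "-exclusionpath" in low:
        tags.add("defender_exclusion")
    if set(re.findall(r"\bsc\s+stop\s+(\w+)", low)) & UPDATE_SERVICES:
        tags.add("stops_update_services")
    if "powercfg" in low and re.search(r"timeout-(?:ac|dc)\s+0\b", low):
        tags.add("disables_sleep")
    return tags


def image_tags(image):
    """Flag executables started from user-writable locations such as Pictures."""
    low = image.lower()
    if re.search(r"\\users\\[^\\]+\\(?:appdata|pictures|downloads|desktop)\\", low) \
            or "\\programdata\\" in low:
        return {"exec_from_user_writable"}
    return set()


def triage(text):
    """Map each behaviour tag to the command lines that triggered it."""
    findings = defaultdict(list)
    for image, cmdline in parse_process_list(text):
        for tag in classify(cmdline) | image_tags(image):
            findings[tag].append(cmdline)
    return dict(findings)


if __name__ == "__main__":
    for tag, hits in sorted(triage(REPORT_EXCERPT).items()):
        print(f"{tag} ({ATTACK.get(tag, '-')}): {len(hits)} hit(s)")
        for h in hits:
            print("   ", h[:110])
```

Run against a full report, the same rules separate the noise (dozens of `svchost.exe -k ...` service hosts, `WerFault.exe`, `sihost.exe`) from the handful of lines an analyst actually needs to read, and the tags give a stable vocabulary for Sigma-style rules on Sysmon Event ID 1 or Security 4688 command-line fields.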
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| BG | 193.42.32.118:80 | 193.42.32.118 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 118.32.42.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vk.com | udp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.225.186.93.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| BG | 171.22.28.226:80 | 171.22.28.226 | tcp |
| NL | 194.169.175.232:80 | 194.169.175.232 | tcp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| FI | 77.91.68.249:80 | 77.91.68.249 | tcp |
| NL | 185.225.74.144:80 | 185.225.74.144 | tcp |
| RU | 91.215.85.209:80 | onualituyrs.org | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| US | 8.8.8.8:53 | jackantonio.top | udp |
| DE | 45.132.1.20:80 | jackantonio.top | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| DE | 45.132.1.20:80 | jackantonio.top | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| US | 8.8.8.8:53 | 226.28.22.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.175.169.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.74.225.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.1.132.45.in-addr.arpa | udp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-23.userapi.com | udp |
| RU | 95.142.206.3:443 | sun6-23.userapi.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 95.142.206.3:443 | sun6-23.userapi.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 8.8.8.8:53 | 3.206.142.95.in-addr.arpa | udp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-20.userapi.com | udp |
| RU | 95.142.206.0:443 | sun6-20.userapi.com | tcp |
| US | 8.8.8.8:53 | sun6-21.userapi.com | udp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 95.142.206.1:443 | sun6-21.userapi.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-22.userapi.com | udp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 95.142.206.2:443 | sun6-22.userapi.com | tcp |
| US | 8.8.8.8:53 | 0.206.142.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.206.142.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.206.142.95.in-addr.arpa | udp |
| NL | 185.225.74.144:80 | 185.225.74.144 | tcp |
| RU | 91.215.85.209:443 | onualituyrs.org | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| BG | 193.42.32.118:80 | 193.42.32.118 | tcp |
| NL | 45.15.156.229:80 | 45.15.156.229 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | 229.156.15.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 59.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| DE | 148.251.234.93:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| DE | 148.251.234.83:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 93.234.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.234.251.148.in-addr.arpa | udp |
| NL | 45.15.156.229:80 | 45.15.156.229 | tcp |
| NL | 194.169.175.128:50500 | N/A | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | telegram.org | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | elijahdiego.top | udp |
| US | 8.8.8.8:53 | 128.175.169.194.in-addr.arpa | udp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | vk.com | udp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| US | 8.8.8.8:53 | 99.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| NL | 194.169.175.128:50505 | N/A | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | 15.4.26.104.in-addr.arpa | udp |
| NL | 45.15.156.229:80 | 45.15.156.229 | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| BG | 193.42.32.118:80 | 193.42.32.118 | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| US | 104.18.145.235:80 | www.maxmind.com | tcp |
| US | 8.8.8.8:53 | 235.145.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| DE | 45.9.74.80:80 | 45.9.74.80 | tcp |
| US | 104.18.145.235:443 | www.maxmind.com | tcp |
| US | 8.8.8.8:53 | 80.74.9.45.in-addr.arpa | udp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| RU | 93.186.225.194:80 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-21.userapi.com | udp |
| RU | 95.142.206.1:443 | sun6-21.userapi.com | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| NL | 185.225.75.171:22233 | | tcp |
| US | 8.8.8.8:53 | 171.75.225.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.129:443 | twitter.com | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | 129.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| NL | 194.169.175.128:50505 | | tcp |
| RU | 5.255.255.70:443 | yandex.ru | tcp |
| NL | 45.15.156.229:80 | 45.15.156.229 | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | 70.255.255.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dzen.ru | udp |
| RU | 62.217.160.2:443 | dzen.ru | tcp |
| US | 8.8.8.8:53 | 2.160.217.62.in-addr.arpa | udp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:443 | google.com | tcp |
| DE | 45.9.74.80:80 | 45.9.74.80 | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | 142.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| NL | 194.169.175.127:80 | galandskiyher5.com | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | 127.175.169.194.in-addr.arpa | udp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | foxandcatbet.org | udp |
| US | 104.21.71.26:443 | foxandcatbet.org | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| AR | 190.224.203.37:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | 26.71.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rangeroverfan.org | udp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 188.114.96.0:443 | rangeroverfan.org | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.203.224.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| US | 8.8.8.8:53 | telegram.org | udp |
| NL | 149.154.167.99:443 | telegram.org | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 104.244.42.129:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| BG | 193.42.32.118:80 | 193.42.32.118 | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| SA | 93.112.205.101:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | 101.205.112.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | db-ip.com | udp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 104.26.4.15:443 | db-ip.com | tcp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | mikolyda.beget.tech | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | www.maxmind.com | udp |
| RU | 91.106.207.50:80 | mikolyda.beget.tech | tcp |
| US | 104.18.145.235:80 | www.maxmind.com | tcp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | hoffmanlevi.space | udp |
| RU | 45.130.41.106:443 | hoffmanlevi.space | tcp |
| US | 104.18.145.235:443 | www.maxmind.com | tcp |
| US | 8.8.8.8:53 | 50.207.106.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 106.41.130.45.in-addr.arpa | udp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
| NL | 194.169.175.127:80 | host-host-file8.com | tcp |
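The rows above and the per-file hash blocks under Files below are in the sandbox's table layout: the same dropped file is listed more than once, reverse (in-addr.arpa) lookups are interleaved with the real sockets, and a few rows have an empty hostname cell with the protocol slid one column left. The Python below is an added example, not part of this report or of the sandbox's own tooling. It parses both layouts in one pass, collapses repeated file blocks onto one SHA256 per file (keeping every path that hash landed at), separates forward DNS queries from PTR noise, and flags sockets that go straight to an IP or to a port other than 80/443. IP_LOOKUP_HOSTS is an analyst assumption, and SAMPLE_REPORT is a constructed excerpt of this page's own rows.

```python
import re
from collections import defaultdict

# Analyst-curated (an assumption, not from the report): hosts the sample
# contacts only to learn its own public IP/geolocation; triage signal, not C2.
IP_LOOKUP_HOSTS = {"api.myip.com", "ipinfo.io", "db-ip.com",
                   "www.maxmind.com", "api.2ip.ua", "iplogger.org"}

# Constructed sample: rows copied from this report plus three dropped-file
# blocks. SHA512 rows dropped for brevity; last block truncated as on the page.
SAMPLE_REPORT = r"""
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.9.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | 229.156.15.45.in-addr.arpa | udp |
| NL | 185.225.74.144:80 | 185.225.74.144 | tcp |
| NL | 194.169.175.128:50500 | tcp | |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| DE | 45.132.1.20:80 | elijahdiego.top | tcp |
| NL | 185.225.75.171:22233 | tcp | |
Files
C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
"""

_IPPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
_HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_net_row(line):
    """Parse one '| CC | ip:port | name | proto |' row, or return None.
    Tolerates the rows where the name cell is empty and 'tcp' slid left."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    m = _IPPORT.fullmatch(cells[1]) if len(cells) == 4 else None
    if m is None or not re.fullmatch(r"[A-Z]{2}", cells[0]):
        return None
    proto = next((c for c in cells[2:] if c in ("tcp", "udp")), None)
    if proto is None:
        return None
    name = next((c for c in cells[2:] if c != proto), "")
    return {"cc": cells[0], "ip": m.group(1), "port": int(m.group(2)),
            "name": name, "proto": proto}


def summarize(report_text):
    """One pass over the report. Returns (network, files): network splits DNS
    queries, PTR noise, live sockets and IP-lookup services; files is keyed by
    SHA256 with every path that hash landed at, so repeated blocks collapse."""
    network = {"dns_queries": set(), "ptr_lookups": 0,
               "connections": defaultdict(set), "ip_lookup_services": set(),
               "raw_ip_or_odd_port": set()}
    entries, current = [], None
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line or line == "Files" or line.startswith("memory/"):
            current = None               # memory dumps carry no hash rows
            continue
        row = parse_net_row(line)
        if row is not None:
            current = None
            if row["proto"] == "udp" and row["port"] == 53:
                if row["name"].endswith(".in-addr.arpa"):
                    network["ptr_lookups"] += 1     # resolver noise, not an IOC
                else:
                    network["dns_queries"].add(row["name"])
                continue
            key = f"{row['ip']}:{row['port']}"
            network["connections"][key].add(row["name"])
            if row["name"] in IP_LOOKUP_HOSTS:
                network["ip_lookup_services"].add(row["name"])
            # No hostname (or hostname == IP), or a port other than 80/443
            if row["name"] in ("", row["ip"]) or row["port"] not in (80, 443):
                network["raw_ip_or_odd_port"].add(key)
            continue
        h = _HASH_ROW.match(line)
        if h is None:                    # any other line opens a file block
            current = {"path": line}
            entries.append(current)
        elif current is not None:
            current[h.group(1).lower()] = h.group(2).lower()

    files = defaultdict(lambda: {"paths": set(), "md5": None, "sha1": None})
    for e in entries:
        if "sha256" not in e:
            continue                     # truncated block: no safe key
        rec = files[e["sha256"]]
        rec["paths"].add(e["path"])
        rec["md5"], rec["sha1"] = e.get("md5"), e.get("sha1")
    return network, dict(files)
```

Call summarize() on the page's full text instead of SAMPLE_REPORT to get the complete IOC set. The truncated final entry for rdhZN9I3cWFI4VEF12CLk6S5.exe is skipped rather than keyed on a guessed hash, and the PTR lookups are counted only so the reader can see how much of the DNS column is resolver noise.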
Files
memory/4360-0-0x00007FF76B6E0000-0x00007FF76BD7B000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\GYEKGY13K8dTfwFO8xyTbSdv.exe
| MD5 | d852aed84489b36f5d6b0f6a075cafd6 |
| SHA1 | 73a175bbf684f85881b6d27d3551d0d6e734d6df |
| SHA256 | 9d1e08892c14289ddbc966d9f1da12c36d9e21b2c8803532819e0e048c4c6274 |
| SHA512 | dea771a5502bee275531da3634775433eff6fefdce2c4ddceb8762b95efc6718edcc714eac705481109acd8c6ef9c139b3ad7e91e6723d38203b0d9995746ad4 |
C:\Users\Admin\Pictures\Minor Policy\Sl8K3MmxSZl_u_goFzCerY2j.exe
| MD5 | 43ec75c9ffaffce00caa878964879e69 |
| SHA1 | 712403fd77165ee5a6f32ceb7193a4c7a1b8a9dc |
| SHA256 | 3e76dd751a3bac77054c7bc6f4728959f2fb68221200c9b10e93332163fb0086 |
| SHA512 | 09672565a7df3db63a0a817d684c0d27da4370a7b06469123fb353eedb1bba25bda0786a676bf042b26bf952ff06e845106177f65afbe7bf33b6b926c230439d |
C:\Users\Admin\Pictures\Minor Policy\78mCmut1q31KKLEjZwPM_IRi.exe
| MD5 | b9a096baebdf8e44368e9724da8e56dd |
| SHA1 | f9873fa92ae8b75e23e353f43ae1ba9087edebfc |
| SHA256 | 2157d146a890d32c5ba49f31fa1840e5b0d56e4dd0bbf5f8b14cc4e482a47bef |
| SHA512 | f17ee70d827fba12de17062add350df0803009e5b930a0f0a7891e6bf64f0df8f443355ec72ae332aed3b37d24f40c78e0a559040e45994e02e3a5ad71624b08 |
C:\Users\Admin\Pictures\Minor Policy\SWE1hAZdlhK298cTBGrRTAJb.exe
| MD5 | 5aa38295da76c7810a946e570d8fe083 |
| SHA1 | e308b69c06c2655f8aa1f550dfaef9388163963a |
| SHA256 | 78e6096326c837b23be4519087c4f920a0e5c0b3dca3a407e926a8d3940bde2f |
| SHA512 | e4b610bb3c5e6ed7a93323e9e248f7de81dd4d7a61fe2896cc25e30924217f1d9519409c76118a47acb99ad46d1c2ed3893164dd3e883402b1ee725abcd6f8ab |
C:\Users\Admin\Pictures\Minor Policy\1K4bTXJtjSJzT8f0Aii8L_sT.exe
| MD5 | 3d683bae0039e46ad50bebf4681785a0 |
| SHA1 | e8662a8cf438ec8521d71dc8b431c1ba592bd881 |
| SHA256 | e69e93cc1b989513d5bb4660d326f2e9aea09f903781ef9bdcbbbe2c24dbcc58 |
| SHA512 | f85f57d9299f4dafc3b5101af37d6f4c57ae8db23fa1a6aa1b2df37ae655d157b16b4177b9f6e45d0497a14b56451d37e123e6225ca4ed44070183d182ad563e |
C:\Users\Admin\Pictures\Minor Policy\tTl1gzPB_4b9JiWfXuMkm2sN.exe
| MD5 | c5b56d5c5ece675e6aedc3cc44c857ea |
| SHA1 | 2565cfabd6bbc86020daca304a6b6531659e8194 |
| SHA256 | a04602dfe3459cffdf5744369b5dd994823dbd609f04509733fccbbf56e40bd1 |
| SHA512 | 9ee956b3559b6235d98b2264d900dd918ca985fd7cd07982a7dde1792f2499146202e49f6cb2896c6455436b20f0d3238ee3cc4d1e6d333842f6bffadc7c4e56 |
C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
C:\Users\Admin\Pictures\Minor Policy\s3suuZ8toR5yG6sFmXtccpZT.exe
| MD5 | df71a06b859776129a744f9dbfddc401 |
| SHA1 | a8823e2b086fc4c9e5b148ad6cd29f095da05337 |
| SHA256 | d2fb526d868cb4488157564ae891059160b4349d550a291398b3d48ae28b2681 |
| SHA512 | 76fe69a046f470ca013af39c92a40fff7d6b7a7ad236ea9466d87bbdeac3537d2f1a7544ee5eb1bf179506b780ba0c5fc05f45146befbab12bca1144f21362df |
C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
| MD5 | 1c05ce269187a688ceb10901bc39fce3 |
| SHA1 | ea0d9e0c5392d6b07770e7e9677660aac4f5387e |
| SHA256 | c0de80877d3bd743ea80f7c8a2f7370a4fd18713e7661049549867ab909f0c98 |
| SHA512 | 1bc710876b4910f2b54ab56c1288dbb94a2dd1d47c64b27d7ae822438f9db4ee4ef0f63e5b1ddeb9e8008b9ac5f5ae7faa5a300694958dc614dbc7814fbb7cd6 |
C:\Users\Admin\Pictures\Minor Policy\R6H5DbUMUEorruAu4jSA9yKu.exe
| MD5 | eede39c7c0198e86a3b75d2b8af77201 |
| SHA1 | b4545ddfbf9a70674a3f28aafe7abf7b4828b9f1 |
| SHA256 | 7d61b2faaa4ca4c6a3ace89ab8a514c1d928492f4e41552b0386ccf7506d6727 |
| SHA512 | 31698efaf32fca4bacbf7eef3c51b1db1350ea6768c498e859feea0dc610b3fdce8f5f1691279807088aa0a94eb61578bc6082840312dd17f8910ba7dd6f240d |
C:\Users\Admin\Pictures\Minor Policy\Etoyonub2P7t2TSIqKjC5Ucj.exe
| MD5 | 6e3bab6e7b0eb009239eb642eb9d1764 |
| SHA1 | 41e3d97c275cbb297a55f3c157454dc830697fa1 |
| SHA256 | 2426765453363274d0b6a02eecd38a159738c106104b07f1df252099822a395e |
| SHA512 | 0ebab8f1ebe80d2333a32f0f5bb97a80cb2085ce7eebc20d5aa0a35c2d2b24f4515f783565f9871d668740c7dc599b14c8fb1f7ac288a27fe503b4f91c2d3ec0 |
C:\Users\Admin\Pictures\Minor Policy\9SLvu92aauFEE9PwBtgW5f7X.exe
| MD5 | 487d3214ced555a38e0b13dd37285ade |
| SHA1 | 656a5891bff67714d6583c2c2e484b0de721d09c |
| SHA256 | f347898a48829ec52d4bb0e18458cd23ce04f5af5d81c80363fdc15c3b4c77f8 |
| SHA512 | 3a3ca5578861186b1773f1cf50e6d9ae9dbac0aafa17ad227f65b2593c5a408e50f46aea56d03bc8b85f4500b4228540a1ee0c80644b8f0c4305f0352a0e4163 |
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
memory/1080-488-0x0000000000400000-0x0000000000AFF000-memory.dmp
memory/2664-492-0x0000000000660000-0x0000000000760000-memory.dmp
memory/2664-498-0x0000000000400000-0x000000000062D000-memory.dmp
memory/2664-493-0x0000000002230000-0x000000000224B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ms4RE65.exe
| MD5 | d7aeecab94f3a49c7bdc05ee22e89e5d |
| SHA1 | b64a161bcd582761041e5bbad0b31f3cd837d339 |
| SHA256 | ac7a49c3f88058137f14d8e4bcc87817557e9dad9f8b227b0a6268c450fb25e3 |
| SHA512 | 5c10d4d83d6bd8585aababcbd3bf938761d7426f441847255c0777e32bf3acc8095a9de01e3d162555d52204871bdb1a2bb0b29a0a29e9d2102c57594e559c71 |
memory/3712-506-0x0000000004980000-0x0000000004A9B000-memory.dmp
memory/3712-501-0x00000000048D0000-0x0000000004972000-memory.dmp
memory/3208-500-0x0000000000220000-0x0000000000853000-memory.dmp
memory/1080-499-0x0000000000400000-0x0000000000AFF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\dR2lN11.exe
| MD5 | 7b62f9bc9fc92387a927fcfa11ad0997 |
| SHA1 | e94bd0f1eefcfb77c8b2ffa9bdfe89334b089a09 |
| SHA256 | bfffd12bbba4529429d4ab0b99ee51c37b2efb06466b52e0119160c40c72c561 |
| SHA512 | db6ee30b259605890c5ba2f7f274183e00a6fa0f2243ecf0597d09e452b9ec4e69becb16781431a37e134f146fcd5345eb33ffead26ae1b171a86a370983b337 |
memory/2124-522-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2124-526-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Qv0FO94.exe
| MD5 | 9762e55417ed8050ded2b7c0d80432bb |
| SHA1 | 049ba48f86aef3fa7f5188852d4a1a9a963011fa |
| SHA256 | db7be53e4df05b0d1f02875167203f118704b0845cd6e89b9e52c1fcb9fa0e94 |
| SHA512 | 2362f22455ceb41a31a80629c9c7ca50f34fa7ff4373bb9b503a4e4537ba753001489b92bc4664ce466f322e96e26a7a444b7455aa5a748691e0194224ce53c3 |
memory/2664-524-0x0000000000400000-0x000000000062D000-memory.dmp
memory/3172-521-0x0000000073F70000-0x0000000074720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\Dh8Ii58.exe
| MD5 | 706c9ecb2ea239f2db2e6bb7666acb79 |
| SHA1 | de7890e32b8561a71b821c34d4996c019e5b9e60 |
| SHA256 | 69f5f6d4bad5a96db86d14a2f2176e8dde7ca4827d2c105d7ea76aa306a0e267 |
| SHA512 | c793c2770bf3e1d7d4d65ae840027416875fafe30543a22177405b1643726137ab0e64d4dfe30b42a68baf508bafc379358166c4af75ab4e7fe8d863e26dcca4 |
memory/3172-545-0x00000000003B0000-0x000000000040A000-memory.dmp
memory/1080-541-0x0000000000400000-0x0000000000AFF000-memory.dmp
memory/2124-533-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2124-546-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1080-547-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
memory/1080-548-0x0000000000C80000-0x0000000000C81000-memory.dmp
memory/1080-550-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
memory/1080-551-0x0000000000CD0000-0x0000000000CD1000-memory.dmp
memory/1080-549-0x0000000000400000-0x0000000000AFF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1LY72dM9.exe
| MD5 | a07f1de1c9774d5a490b599e98a87928 |
| SHA1 | 2e89540d18db9fc57132372abad292db56697b22 |
| SHA256 | 4d39a22a2ac96eba80c0f05c8f198a8f62d49ec226a658ca9a4026f96a7799bb |
| SHA512 | 9d2366b0e427dde753c065430ae26ece060b70df1e6369e178a945e83efa0aec72e5d6ed236d41c09e342ec7f5040173d1d7edb46e3d1fe5877b60263747fb81 |
memory/1080-555-0x0000000002880000-0x0000000002881000-memory.dmp
memory/1080-557-0x0000000002890000-0x0000000002891000-memory.dmp
memory/3788-556-0x0000000073F70000-0x0000000074720000-memory.dmp
memory/3788-553-0x00000000020C0000-0x00000000020E0000-memory.dmp
memory/2680-558-0x0000000001BC0000-0x0000000001BC1000-memory.dmp
memory/2680-563-0x0000000001BE0000-0x0000000001BE1000-memory.dmp
memory/2680-566-0x0000000000ED0000-0x0000000001A9C000-memory.dmp
memory/2664-568-0x0000000000400000-0x000000000062D000-memory.dmp
memory/2680-565-0x0000000001BF0000-0x0000000001BF1000-memory.dmp
memory/2680-561-0x0000000001BD0000-0x0000000001BD1000-memory.dmp
memory/2680-567-0x0000000001EF0000-0x0000000001EF1000-memory.dmp
memory/2680-570-0x0000000001F00000-0x0000000001F01000-memory.dmp
memory/2680-572-0x0000000001F10000-0x0000000001F11000-memory.dmp
memory/3172-571-0x0000000007680000-0x0000000007C24000-memory.dmp
memory/1080-560-0x0000000000400000-0x0000000000AFF000-memory.dmp
memory/3788-574-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
memory/3172-577-0x00000000071B0000-0x0000000007242000-memory.dmp
memory/3788-578-0x0000000004AC0000-0x0000000004AD0000-memory.dmp
memory/3788-576-0x0000000004990000-0x00000000049AE000-memory.dmp
memory/1080-579-0x0000000000400000-0x0000000000AFF000-memory.dmp
memory/1088-581-0x00000000013F0000-0x00000000013F1000-memory.dmp
memory/1088-582-0x0000000001400000-0x0000000001401000-memory.dmp
memory/1088-585-0x0000000001410000-0x0000000001411000-memory.dmp
memory/1088-587-0x00000000002B0000-0x0000000000DF4000-memory.dmp
memory/2664-589-0x0000000000660000-0x0000000000760000-memory.dmp
memory/1088-590-0x0000000002E00000-0x0000000002E01000-memory.dmp
memory/1088-591-0x0000000002E10000-0x0000000002E11000-memory.dmp
memory/1088-588-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
memory/1088-586-0x0000000001420000-0x0000000001421000-memory.dmp
memory/3172-595-0x0000000007380000-0x0000000007390000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A65DBECD82A40019E873CE4ED0A79570
| MD5 | 64515a2df5a7b2a8a03788f34c9b891f |
| SHA1 | 23863bb875239087e30ba8424d925488907f4b11 |
| SHA256 | e2bb94593f7b539e2dda2dcd892db8480daa20218d21838d11a65ee4fd3a0697 |
| SHA512 | 1bd5e5387d5988ff7b314c585b7f87f084465bbbcd2070314762853742d5a6bfeda40bbcb2c8ccdcf5be40b3441b069f9bec80cf967fd8556121496d3bf581fb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A65DBECD82A40019E873CE4ED0A79570
| MD5 | 9aaf7ff0ca90106627178fc1dd4c0f8c |
| SHA1 | 2f4ced9e628c15cf73d36ffef61fe02d3080d7e8 |
| SHA256 | d337190207ee87fc6a64d2bb46eec78c0b05df32dc755f897a3909ca5aaa3e38 |
| SHA512 | 7bfa2245a1c1680f2f09a52903cc2dedc6818f27e21010c1273795853882b9beeaaed9f8140756958364b66ce12e3603d8e8e41816e016d438e818606080e288 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
| MD5 | c766d641712a061c5d17454d17595d58 |
| SHA1 | 4cfefbc7797c5027ef39bf95fc7fff0e8f2085f1 |
| SHA256 | b4c954d2e45fc86dcd4efefcfefa0362a6e09be80099acba3505d9527b1e1346 |
| SHA512 | 7c79ed21a39d72adf5c918f975c3f8d2f04d4dffbed29e587221d8bcffeafddde45dd71a0da27d3d87b88a22efb9e54cdd504b4b78d4294daed7bc75b494d881 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
| MD5 | 2be7b09046db719d78e1f4922d29f025 |
| SHA1 | 41f3344c901e61c0095f41278f876ba1147bf953 |
| SHA256 | 63b8169a455355ae67a91e7214fad7cff0e73d16150398fa53ca3260797b7aaf |
| SHA512 | fd8bcba2d225b84aa3d5309695487b911e0f4cc03e90846594c0514882ef6c929a6b010065caacbd5bc41b7ed2a6679fff331d7ba509ae6099b2932edb317720 |
memory/2664-604-0x0000000000400000-0x000000000062D000-memory.dmp
memory/3172-608-0x00000000071A0000-0x00000000071AA000-memory.dmp
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 93b3886bce89b59632cb37c0590af8a6 |
| SHA1 | 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137 |
| SHA256 | 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f |
| SHA512 | fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb |
memory/3172-623-0x0000000008250000-0x0000000008868000-memory.dmp
memory/3172-624-0x0000000007540000-0x0000000007552000-memory.dmp
C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
memory/3172-627-0x0000000007D40000-0x0000000007E4A000-memory.dmp
memory/2664-628-0x0000000000400000-0x000000000062D000-memory.dmp
memory/3172-629-0x0000000073F70000-0x0000000074720000-memory.dmp
memory/2124-630-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2664-631-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3172-636-0x00000000075D0000-0x000000000760C000-memory.dmp
memory/1080-642-0x0000000000400000-0x0000000000AFF000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\pLFkWHfL7rt_NoRn4GCeHrVB.exe
| MD5 | f0033521f40c06dec473854c7d98fa8b |
| SHA1 | 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a |
| SHA256 | 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e |
| SHA512 | f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217 |
memory/1080-652-0x0000000000400000-0x0000000000AFF000-memory.dmp
memory/3172-656-0x0000000007610000-0x000000000765C000-memory.dmp
memory/3788-662-0x0000000073F70000-0x0000000074720000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2dN8469.exe
| MD5 | cb0601eb9b5477c4c1c3a64043e00fea |
| SHA1 | f84e149933d290a9701a613307754e65c587dfd4 |
| SHA256 | bfad3237e4715387d1eb9871aea201ff23c2ec2af010165d813683ca7f8be34c |
| SHA512 | bae89a763dd318fd674b3149ed1de48f92eb2d43d892ea3ae0c69c9b2acb507445fac657e9d9f2c92400a9579cead8d14f24165420dbbf70c78d5d1c473c5d5a |
memory/2680-683-0x0000000000ED0000-0x0000000001A9C000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E1993F15A3402D743FF8169CEB684DD3
| MD5 | d7c025b48fe3c05dc6606486256bea05 |
| SHA1 | 0625ecf298d0a6acf25a6471bf5a555d0901b895 |
| SHA256 | a489dc6e28fdcae4e92daf4e6a926856714ce32fbaa3fea6f00a0fb0e5e0e648 |
| SHA512 | 2355277be5e8c4a9b72f3f1e13d6c398bcd92d4d00d90bb5fe69d8406a6c75a774f386277623feda4cfca4a9c736e906c7ef38a4961816c55b4ae260010a4594 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E1993F15A3402D743FF8169CEB684DD3
| MD5 | ed5ba5e5d425e7baad53995722b8c2d1 |
| SHA1 | af4a6a5efe1bcf5d7dad2b0ecbc5fea7ccd6ef5e |
| SHA256 | e82f4e7544d9f5a201d9217c9ad0ffc7f00482e1464e322905003ef156c3183a |
| SHA512 | c572284a7f70df62bcb19a2140d8dfa84e24f4132ba9b47f07b91e3a3f50ec7654cbe87647f822c956aa6538aacd8f51b052784a626d82a30701ddfe1441d760 |
C:\Users\Admin\AppData\Local\Temp\tempAVSf6lsux2K1te_\8ghN89CsjOW1Login Data For Account
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tempAVSf6lsux2K1te_\JX0OQi4nZtiqWeb Data
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tempAVSf6lsux2K1te_\D87fZN3R3jFeWeb Data
| MD5 | 5b39e7698deffeb690fbd206e7640238 |
| SHA1 | 327f6e6b5d84a0285eefe9914a067e9b51251863 |
| SHA256 | 53209f64c96b342ff3493441cefa4f49d50f028bd1e5cc45fe1d8b4c9d9a38f8 |
| SHA512 | f1f9bc156af008b9686d5e76f41c40e5186f563f416c73c3205e6242b41539516b02f62a1d9f6bcc608ccde759c81def339ccd1633bc8acdd6a69dc4a6477cc7 |
C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
| SHA512 | ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86 |
memory/1088-756-0x00000000002B0000-0x0000000000DF4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tempCMSf6lsux2K1te_\information.txt
| MD5 | af8d18b0092aba6a36cc0783c07c1bac |
| SHA1 | ee2986930877e1c5c1089639c76b4086f84db79a |
| SHA256 | d297e09bdc631c5c80f0510bbf0ce40b9b7ddd381dc3c272349b8243f9510a2c |
| SHA512 | c239689352a0b8221deb11fa8ef8d495180706f230d825b2ba75c94561cc3c4bdc2d417cef0605d7b38148b363cfe38849dfb580c178c7caa86e37617a7b975f |
memory/2680-786-0x0000000000ED0000-0x0000000001A9C000-memory.dmp
memory/3172-787-0x0000000007380000-0x0000000007390000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe
| MD5 | 93a83c35a0febf8376a76d36f8f3e1c1 |
| SHA1 | c112ccfcfe63a72595cba83d9c4f815c5f4b36a4 |
| SHA256 | 3fb9b791cb2d5ae79b9332be3b78048c98e957c0804b1f28cdd6f3d0e222f7cc |
| SHA512 | 428a8e3acb890749e3fe81f3e6ba320f55483bb85ec25d6d1f3ddd83bf66e3b6c825f3eac62923350b6db1b94de352564a423dd8a33ea6b7d75b3fbc7ed84f11 |
memory/2940-790-0x0000000000330000-0x0000000000851000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
memory/1080-800-0x0000000000400000-0x0000000000AFF000-memory.dmp
memory/2124-858-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\pLFkWHfL7rt_NoRn4GCeHrVB.exe
| MD5 | f0033521f40c06dec473854c7d98fa8b |
| SHA1 | 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a |
| SHA256 | 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e |
| SHA512 | f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217 |
memory/2940-867-0x0000000077174000-0x0000000077176000-memory.dmp
memory/3172-872-0x0000000000B30000-0x0000000000B96000-memory.dmp
C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
| SHA512 | ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86 |
C:\Users\Admin\Pictures\Minor Policy\ngUAbeTU_97fB85wK7a56Jib.exe
| MD5 | 93a83c35a0febf8376a76d36f8f3e1c1 |
| SHA1 | c112ccfcfe63a72595cba83d9c4f815c5f4b36a4 |
| SHA256 | 3fb9b791cb2d5ae79b9332be3b78048c98e957c0804b1f28cdd6f3d0e222f7cc |
| SHA512 | 428a8e3acb890749e3fe81f3e6ba320f55483bb85ec25d6d1f3ddd83bf66e3b6c825f3eac62923350b6db1b94de352564a423dd8a33ea6b7d75b3fbc7ed84f11 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
| MD5 | 2402b00a7bbf7834aaac466c7470a795 |
| SHA1 | 4b254e7b9522e397896dea605a9b3eef4e4873e2 |
| SHA256 | ae8a928c3296de2235f5773e62fe552cd4384af42ad25f98dcbd56387191d2b6 |
| SHA512 | 8ef9581be236d38c0134f0b43423c65a6605ccf1acb6bcdf307e90b98205e5d86fff18f8891463c4c91de2fbc727bc41190eb000dc2d829353fc8c1239f014d5 |
C:\Users\Admin\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
| SHA512 | ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86 |
C:\Users\Admin\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
| SHA512 | ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86 |
C:\Users\Admin\Pictures\Minor Policy\xXyQiNG_qhmki3RUDDNIRPh8.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
memory/1812-894-0x00000000047F0000-0x0000000004882000-memory.dmp
C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
| SHA512 | ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\HCFBFBAEBKJKEBGCAEHCFCBAEH
| MD5 | 60e20377222685886431e0cef3103548 |
| SHA1 | c049f3925bb263197ca81ba5978bde8e80385095 |
| SHA256 | 80e6ef4efb13a72e98769c04c3b726a42a369e3185758d6cacd6e661124fa42a |
| SHA512 | eceda0208a20a89c15577e1c702671816d5e782e62e9d41b2782f768f1748a8d8f52a3b8dd8fa140c80e2311e55db75613d21a15d4d3378f8ada05ae9d5e90f0 |
memory/3172-919-0x00000000096B0000-0x0000000009726000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\207aa4515d\oneetx.exe
| MD5 | f0033521f40c06dec473854c7d98fa8b |
| SHA1 | 28dadfe642a0c308e1f744b0d87a6d22dd6cd55a |
| SHA256 | 4458a9df5275bedd921127f4ff9dc63d4ac107f2e89cf46969e96f4c43d9f93e |
| SHA512 | f6758814fd20b613fe6f3df7a0a60488dcae59680c3487344a701f59dca972acbb1dd8041bd3fa8d3f97279193796dab9c7f98f1cab3e25686ca34c65e349217 |
C:\Users\Admin\AppData\Local\50678fd5-df62-4d8b-810d-d2a8ed16a1f1\xXyQiNG_qhmki3RUDDNIRPh8.exe
| MD5 | 15a8142992786ff28bb79fb2b7d47f6e |
| SHA1 | c5fb299009599c93fef087734e13f1dc195f8ec1 |
| SHA256 | 9a203a1f050818238d950b70465e679c6475cf974e7c823d188645ba6aec01ae |
| SHA512 | aba1c44e1e893364a7e9f0f896d205c24949f77a3d0a64dd7883768a5e3ee43771812fe7ec57dcbc39fd218b643f621f11f7738e0c1be2cd647f353b8b245743 |
memory/2940-934-0x0000000000330000-0x0000000000851000-memory.dmp
memory/3672-936-0x00000000048F0000-0x0000000004986000-memory.dmp
memory/3172-937-0x0000000008CD0000-0x0000000008CEE000-memory.dmp
memory/756-942-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000356001\toolspub2.exe
| MD5 | 627f02d5e9dde53111a2953059db9372 |
| SHA1 | ffed5b0eda9791c42fa928111fcc973c0682a585 |
| SHA256 | bfc09d350d8bcedb1dbaddcf85e4a993907ac0dceba795556947312855d9a7cd |
| SHA512 | 01a286dcc7196a187f44c1143ad53bbc43556f5c9338003bd9291f40105378bab60e569a0ee8d5f6f28c41ad6e131423e02666818bfc058e166f555579bef1ab |
memory/3144-969-0x000002680B200000-0x000002680B222000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jtnroi3l.wdb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3144-970-0x00007FFE3A6E0000-0x00007FFE3B1A1000-memory.dmp
memory/3144-972-0x0000026823760000-0x0000026823770000-memory.dmp
memory/3144-977-0x0000026823760000-0x0000026823770000-memory.dmp
memory/4140-978-0x0000000000840000-0x0000000000940000-memory.dmp
memory/4140-980-0x0000000000810000-0x0000000000819000-memory.dmp
memory/3144-981-0x0000026823760000-0x0000026823770000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/4536-986-0x0000000000400000-0x0000000000409000-memory.dmp
memory/756-993-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3144-994-0x0000026823760000-0x0000026823770000-memory.dmp
memory/3144-1001-0x00007FFE3A6E0000-0x00007FFE3B1A1000-memory.dmp
memory/4536-1034-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3172-1038-0x0000000009780000-0x00000000097D0000-memory.dmp
memory/3172-1047-0x00000000099A0000-0x0000000009B62000-memory.dmp
memory/3172-1056-0x000000000A0A0000-0x000000000A5CC000-memory.dmp
memory/4668-1061-0x00007FFE3A6E0000-0x00007FFE3B1A1000-memory.dmp
memory/4668-1062-0x000001EE7ED90000-0x000001EE7EDA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000357001\e0cbefcb1af40c7d4aff4aca26621a98.exe
| MD5 | fa0f9adea2e58ed44c52716416964850 |
| SHA1 | 07d4df5af7cc0c1e43d8b4a88798f2f5f84e8b31 |
| SHA256 | df75b62e373e0b91f26384b21aaa8e4dc86c13078cec7e32ad595d0c86d3fedb |
| SHA512 | 63f476c5e212d67eefe8723c21a65a7c5ccaea543cb8901410c6ed1378a7b0d8e0a130dab08d59ecc09dc3feac4282aebdf645d2f9cfd330224f2f161dad4185 |
C:\Users\Admin\AppData\Local\Temp\orm6k3UPjyk7pHiE6lmOcRAp.exe
| MD5 | a7ee1f4bf11bdfab2327d098c6583af1 |
| SHA1 | b59a2989c0f48597f691d3ead8f549f2327c6d0a |
| SHA256 | d74686c87f0777d1e8c4fcc18b40fe3ce97d6e531e23b6665037e5599b72aa32 |
| SHA512 | b9d4c65a167ccd15891c97ebcdbe02e46d1411c13284c986039c4e172cf7cfbd450aab80af71f95d13c001a39ff0a01a44288f19b6432a08c0bd32895d7a8ec9 |
C:\Users\Admin\AppData\Local\Temp\1000358001\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Temp\D7D0.bat
| MD5 | 55cc761bf3429324e5a0095cab002113 |
| SHA1 | 2cc1ef4542a4e92d4158ab3978425d517fafd16d |
| SHA256 | d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a |
| SHA512 | 33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155 |
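The listing above mixes three record types: a dropped-file path, the `| MD5 | … |` … `| SHA512 | … |` rows that belong to it, and `memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp` lines. Reading it by hand hides the most useful fact in it, namely that one binary (SHA256 `75c0e005…`) was written under four different names (`rdhZN9I3cWFI4VEF12CLk6S5.exe`, `WinTrackerSP.exe`, `PowerExpertNT.exe`, `ExtreamFanV5.exe`), which is how self-copying persistence looks in a dropped-file report. The parser below is an added example, not part of the sandbox report or of any tool it names; it groups paths by SHA256, validates digest lengths, and decodes the memory-dump lines. The sample input is copied from the entries above, with some SHA512 rows left out for brevity.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# One row of the report's hash table, e.g. "| SHA256 | 4458a9df... |"
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# One memory-dump line: memory/<pid>-<event>-0x<start>-0x<end>-memory.dmp
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest


@dataclass
class MemoryDump:
    pid: int
    event: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Parse the listing into (dropped files, memory dumps). Any line that is
    neither a hash row nor a memory-dump line opens a new file entry."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            dumps.append(MemoryDump(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None                      # a dump line closes the open file entry
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HEX_LEN[algo]:    # catches truncated or mis-copied digests
                raise ValueError(f"{algo} digest has {len(digest)} hex chars for {current.path}")
            current.hashes[algo] = digest
            continue
        current = DroppedFile(line)
        files.append(current)
    return files, dumps


def group_by_sha256(files):
    """Map SHA256 -> ordered list of distinct paths that carried that content."""
    groups = defaultdict(list)
    for f in files:
        sha = f.hashes.get("SHA256")
        if sha and f.path not in groups[sha]:
            groups[sha].append(f.path)
    return dict(groups)


def multi_location_binaries(groups, min_paths=2):
    """Content written to min_paths or more locations: the usual shape of a
    payload copying itself into persistence directories under new names."""
    return {sha: paths for sha, paths in groups.items() if len(paths) >= min_paths}


# Constructed sample input: entries copied from the dropped-file listing above.
SAMPLE = r"""
C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
| SHA512 | ba8d100470545cab99b9e24c40ce254679e038e9191ae1b14ab14eeec409a783aa9903589f74940a53a50e7b05fde6ad72560a39861957d5053bec00bf26de86 |
memory/1088-756-0x00000000002B0000-0x0000000000DF4000-memory.dmp
C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk
| MD5 | 2402b00a7bbf7834aaac466c7470a795 |
| SHA1 | 4b254e7b9522e397896dea605a9b3eef4e4873e2 |
| SHA256 | ae8a928c3296de2235f5773e62fe552cd4384af42ad25f98dcbd56387191d2b6 |
C:\Users\Admin\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
C:\Users\Admin\AppData\Local\ExtreamFanV5\ExtreamFanV5.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
C:\Users\Admin\Pictures\Minor Policy\rdhZN9I3cWFI4VEF12CLk6S5.exe
| MD5 | a102cea468c6316f61d17d489d8c3a81 |
| SHA1 | c3ed086200b03fe56c9f67ee548ebe2f1ac0f2cf |
| SHA256 | 75c0e005fbf106e0a74db8c2817946b9d6f4f574346802d0f0ae1b83deade365 |
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for sha, paths in multi_location_binaries(group_by_sha256(files)).items():
        print(sha[:16], "written to", len(paths), "locations:")
        for p in paths:
            print("   ", p)
    for d in dumps:
        print(f"pid {d.pid} event {d.event}: 0x{d.start:X}-0x{d.end:X} ({d.size} bytes)")
```

Run it on the whole listing rather than the sample and the same grouping also surfaces `4458a9df…` (`pLFkWHfL7rt_NoRn4GCeHrVB.exe` reappearing as `207aa4515d\oneetx.exe`) and `9a203a1f…` (`xXyQiNG_qhmki3RUDDNIRPh8.exe` copied into a GUID-named `AppData\Local` folder); the SHA256 values, not the file names, are what belong in a block list.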