Analysis Overview
SHA256
3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03
Threat Level: Known bad
The file NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Detected Djvu ransomware
RedLine payload
Windows security bypass
Vidar
Amadey
Glupteba
RedLine
NetSupport
Djvu Ransomware
Suspicious use of NtCreateUserProcessOtherParentProcess
Glupteba payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Windows security modification
Checks computer location settings
Themida packer
Deletes itself
Executes dropped EXE
Modifies file permissions
Accesses 2FA software files, possible credential harvesting
Enumerates connected drives
Looks up external IP address via web service
Adds Run key to start application
Accesses Microsoft Outlook profiles
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Modifies system certificate store
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
outlook_win_path
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: MapViewOfSection
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious use of UnmapMainImage
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-17 16:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-17 16:57
Reported
2023-10-17 17:00
Platform
win7-20230831-en
Max time kernel
156s
Max time network
164s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2772 created 1196 | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | C:\Windows\Explorer.EXE |
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\48D8.exe = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\AAC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\AAC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\AAC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\48D8.exe = "0" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
Accesses 2FA software files, possible credential harvesting
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\05890259-5c32-4fc3-8a07-ab1ce4095753\\8D.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\8D.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\AAC.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AAC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20231017165907.cab | C:\Windows\system32\makecab.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\steawjg | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\steawjg | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\steawjg | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob | C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (identical to the Blob value set above; elided) | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (identical to the Blob value set above; elided) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\steawjg | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\48D8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AAC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\8D.exe
C:\Users\Admin\AppData\Local\Temp\8D.exe
C:\Users\Admin\AppData\Local\Temp\8D.exe
C:\Users\Admin\AppData\Local\Temp\8D.exe
C:\Users\Admin\AppData\Local\Temp\AAC.exe
C:\Users\Admin\AppData\Local\Temp\AAC.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F3F.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\F3F.dll
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\05890259-5c32-4fc3-8a07-ab1ce4095753" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\1883.exe
C:\Users\Admin\AppData\Local\Temp\1883.exe
C:\Users\Admin\AppData\Local\Temp\214A.exe
C:\Users\Admin\AppData\Local\Temp\214A.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\48D8.exe
C:\Users\Admin\AppData\Local\Temp\48D8.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\8D.exe
"C:\Users\Admin\AppData\Local\Temp\8D.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\8D.exe
"C:\Users\Admin\AppData\Local\Temp\8D.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017165907.log C:\Windows\Logs\CBS\CbsPersist_20231017165907.cab
C:\Users\Admin\AppData\Local\Temp\48D8.exe
"C:\Users\Admin\AppData\Local\Temp\48D8.exe"
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe
"C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe"
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe
"C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe"
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe
"C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe"
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe
"C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {2B03D980-6979-49F5-9479-92F8263F130F} S-1-5-21-3750544865-3773649541-1858556521-1000:XOCYHKRS\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Roaming\steawjg
C:\Users\Admin\AppData\Roaming\steawjg
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| HU | 84.224.231.39:80 | zexeq.com | tcp |
| MX | 201.124.243.137:80 | colisumy.com | tcp |
| FR | 51.254.67.186:16176 | | tcp |
| HU | 84.224.231.39:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 49.12.118.149:80 | 49.12.118.149 | tcp |
| RU | 31.41.244.27:41140 | | tcp |
| US | 8.8.8.8:53 | 42008c39-e272-4c0d-8a56-9d04d8c1006c.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard58.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard58.blob.core.windows.net | tcp |
Files
memory/3028-1-0x0000000000940000-0x0000000000A40000-memory.dmp
memory/3028-2-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/3028-3-0x0000000000220000-0x000000000022B000-memory.dmp
memory/3028-5-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/1196-4-0x0000000002B40000-0x0000000002B56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2776-20-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2776-21-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2776-22-0x00000000002E0000-0x00000000003FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2776-29-0x0000000000220000-0x00000000002B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2620-31-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-32-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2620-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AAC.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/2472-37-0x0000000000DB0000-0x0000000001558000-memory.dmp
memory/2472-38-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-39-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-40-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-41-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-43-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-42-0x0000000076F80000-0x0000000076FC7000-memory.dmp
memory/2472-46-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-50-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-48-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-47-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-51-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-56-0x0000000076F80000-0x0000000076FC7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F3F.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/2472-52-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-59-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-58-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-60-0x0000000076F80000-0x0000000076FC7000-memory.dmp
memory/2472-61-0x0000000075560000-0x0000000075670000-memory.dmp
\Users\Admin\AppData\Local\Temp\F3F.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/2472-67-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-75-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-76-0x0000000000DB0000-0x0000000001558000-memory.dmp
memory/2472-78-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2824-74-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/2472-79-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-80-0x0000000077660000-0x0000000077662000-memory.dmp
memory/2472-85-0x00000000741F0000-0x00000000748DE000-memory.dmp
memory/2824-90-0x0000000000140000-0x0000000000146000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1883.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
C:\Users\Admin\AppData\Local\Temp\1883.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
memory/2620-93-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\214A.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2824-98-0x0000000002340000-0x000000000245B000-memory.dmp
memory/2824-99-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/2472-100-0x0000000000DB0000-0x0000000001558000-memory.dmp
memory/2472-101-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-103-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2824-102-0x0000000002460000-0x000000000255F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\214A.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2824-107-0x0000000002460000-0x000000000255F000-memory.dmp
memory/2824-108-0x0000000002460000-0x000000000255F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2472-111-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-112-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-114-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-113-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-115-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2472-116-0x0000000075560000-0x0000000075670000-memory.dmp
C:\Users\Admin\AppData\Local\05890259-5c32-4fc3-8a07-ab1ce4095753\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1492-123-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1492-125-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1492-131-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48D8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/1492-126-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1492-135-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1492-134-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48D8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/2056-138-0x00000000026F0000-0x0000000002AE8000-memory.dmp
memory/1492-142-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2472-140-0x0000000075560000-0x0000000075670000-memory.dmp
memory/1492-144-0x00000000741F0000-0x00000000748DE000-memory.dmp
memory/2472-143-0x00000000741F0000-0x00000000748DE000-memory.dmp
memory/1492-139-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2472-137-0x0000000075560000-0x0000000075670000-memory.dmp
memory/2056-146-0x00000000026F0000-0x0000000002AE8000-memory.dmp
memory/2056-147-0x0000000002AF0000-0x00000000033DB000-memory.dmp
memory/2056-148-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/980-151-0x00000000001A0000-0x0000000000215000-memory.dmp
memory/980-150-0x0000000000130000-0x000000000019B000-memory.dmp
memory/980-152-0x0000000000130000-0x000000000019B000-memory.dmp
\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2620-168-0x0000000000400000-0x0000000000537000-memory.dmp
memory/980-167-0x0000000000130000-0x000000000019B000-memory.dmp
memory/1052-172-0x0000000000320000-0x00000000003B2000-memory.dmp
memory/2472-173-0x00000000054B0000-0x00000000054F0000-memory.dmp
memory/676-176-0x0000000000060000-0x000000000006C000-memory.dmp
memory/676-177-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1492-174-0x0000000007060000-0x00000000070A0000-memory.dmp
\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/1492-178-0x00000000741F0000-0x00000000748DE000-memory.dmp
memory/2056-182-0x00000000026F0000-0x0000000002AE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8D.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/1052-183-0x0000000000320000-0x00000000003B2000-memory.dmp
memory/2056-188-0x0000000002AF0000-0x00000000033DB000-memory.dmp
memory/2004-189-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48D8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 7f12fe99a1083397b2a705efa04224c1 |
| SHA1 | 4801b47f3b59337458ba41466acbe82dc7dba306 |
| SHA256 | 4bb6513ac2ed1f5f6056de69eae1db5de3b6a279305167a83a48be2b489fda2a |
| SHA512 | dbfa88401e7bc04c34c622957614205ab49e54181e048c6337a3312e8e7d2252035ca1cea2b6d7282dea84af27473c50ac7c470e354b8b81480efa11a0cbf65d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | c074e58c611ff67aa4fa4a9fe629e2cf |
| SHA1 | 6606920ab2e73ff072d132a6bff224f849eb7cc2 |
| SHA256 | 30ad617903ca0da1c8d42cae552a178000c6a19b30ab1b5a095de5ec05bc9a1b |
| SHA512 | ded23e3b02c43104590aa2f6841643d8ce9497d960069158a1483a9a653ea60e93a0063d3c3636f8e1327e4045c00359c2cbaf35bd1d1d6083dfdbea1812628f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 0268ef551139ac7672a96e6658ce044a |
| SHA1 | b005ca526faa872c8e0aeafd11e3335c28c16037 |
| SHA256 | 417ec67ee533de68e2008cc547552d33878e0d9bedd6ceaf5572d37112bb036a |
| SHA512 | 5405872c99f9f88596d39057d8701ba360b498d8bbb5eb64cd5af5f8f1100e0ecdaf09ad811aa0b3fc92ddfcef05d1a14e6495868e4995af049cd3be0247860d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4f33af948e630c6fa4404845998d3cd7 |
| SHA1 | 0de4224b8b79c7c4b9b8d716907e5ddcca4ea39d |
| SHA256 | 9cfb75c8fe55f4f57cfce1879f09a339af79c66bae13b9ca422a896794100884 |
| SHA512 | 0cff6d80b495a25631d7c5d1beba8269338cdebac9578b0cbc4dd9f5e7a647f9feed2497fd78c6938f6549b42bea4da895ecaa2f6568f17e1a216caf010f3d3e |
C:\Users\Admin\AppData\Local\Temp\Cab626B.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
memory/2056-203-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/2004-204-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2004-205-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2056-206-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/2004-210-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2004-213-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2004-212-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2472-214-0x00000000054B0000-0x00000000054F0000-memory.dmp
memory/1492-215-0x0000000007060000-0x00000000070A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48D8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/2056-217-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/2800-218-0x0000000002660000-0x0000000002A58000-memory.dmp
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
memory/2004-244-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/2004-233-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
memory/1556-252-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1556-254-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
memory/1556-257-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2472-260-0x00000000006F0000-0x0000000000705000-memory.dmp
memory/2472-261-0x00000000006F0000-0x0000000000705000-memory.dmp
memory/2472-263-0x00000000006F0000-0x0000000000705000-memory.dmp
memory/2472-265-0x00000000006F0000-0x0000000000705000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar8C0B.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\d497a025-5847-44c6-82c9-0678be106ba1\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\ProgramData\54061738205553016364803622
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 332ab1a09f565c6379553b1ace8b4469 |
| SHA1 | ca7d341bd0bdeefb0fe7d033ce90edc79d5f5574 |
| SHA256 | 1157e16b2239f70949a43053d312e66cb82b98d9f1ca344b9204c46eb5cf3858 |
| SHA512 | 3fa81830c8736bd90ddc7e468a8a99c0003e111e9fc0c7b63cb27eb7c25edd4ab51c5368f8217440eda31145fb2b4564598e556b94cb299b857baee75afdb703 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e1f4e27e3d7c07d187c9de711923b927 |
| SHA1 | 905c3aa1cf162a0a48ae9a0b42b9a7585178ff22 |
| SHA256 | d8ae3572fafaa9bb5d8cc4650a5ee24969da6d18498278ca5bf23846b2549ebc |
| SHA512 | 15819bf30ead52505bc1cfcf28ddbe7e5087483ad8d0e5da92ccbfc9aaf92a158df2f2aa5118ef277c1569c98c10c8e78e74f51ebee66d9b5febf4a1167882d6 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Roaming\steawjg
| MD5 | e4f413040b9aa0bd42bac9126ae1b32e |
| SHA1 | 02459e40fd2bbcfbcfa578a9e1090092833b3742 |
| SHA256 | 3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03 |
| SHA512 | 19f0e4f676b7e59e094ed09231af1b7e60c762a3d66124a4a449e642a515ad669504bb3a4559172ba1345a5f58f02884734facc3fbdafedf64406f79e8d547ca |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Roaming\steawjg
| MD5 | e4f413040b9aa0bd42bac9126ae1b32e |
| SHA1 | 02459e40fd2bbcfbcfa578a9e1090092833b3742 |
| SHA256 | 3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03 |
| SHA512 | 19f0e4f676b7e59e094ed09231af1b7e60c762a3d66124a4a449e642a515ad669504bb3a4559172ba1345a5f58f02884734facc3fbdafedf64406f79e8d547ca |
\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 20a8c535acbdc9e99c124e80b755b6cb |
| SHA1 | 108c764549a52d4b2df9b57aabc3840bb9ae35cb |
| SHA256 | b77231523fa200d0aa4d7ed4f430218654ad2256fe82ce6703a50d7d98e3ba9a |
| SHA512 | 16b6bad7b8d964a7a29a9d6d91d17cee56d8bf4ca70b30dc9a87758894fb9bca725138fe955d28b15e1a372ae4969d95feda3fe9d442eeca2fc1863bfc739677 |
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 20a8c535acbdc9e99c124e80b755b6cb |
| SHA1 | 108c764549a52d4b2df9b57aabc3840bb9ae35cb |
| SHA256 | b77231523fa200d0aa4d7ed4f430218654ad2256fe82ce6703a50d7d98e3ba9a |
| SHA512 | 16b6bad7b8d964a7a29a9d6d91d17cee56d8bf4ca70b30dc9a87758894fb9bca725138fe955d28b15e1a372ae4969d95feda3fe9d442eeca2fc1863bfc739677 |
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 5da3a881ef991e8010deed799f1a5aaf |
| SHA1 | fea1acea7ed96d7c9788783781e90a2ea48c1a53 |
| SHA256 | f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4 |
| SHA512 | 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-17 16:57
Reported
2023-10-17 17:01
Platform
win10v2004-20230915-en
Max time kernel
116s
Max time network
151s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NetSupport
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2120.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2120.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\2120.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1E41.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2AB9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\3ea3def4-d4d9-4485-8f7f-eab4d9c394ca\\1E41.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\1E41.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\2120.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2120.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4948 set thread context of 4024 | N/A | C:\Users\Admin\AppData\Local\Temp\1E41.exe | C:\Users\Admin\AppData\Local\Temp\1E41.exe |
| PID 4752 set thread context of 1512 | N/A | C:\Users\Admin\AppData\Local\Temp\2624.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 60 set thread context of 3432 | N/A | C:\Users\Admin\AppData\Local\Temp\1E41.exe | C:\Users\Admin\AppData\Local\Temp\1E41.exe |
| PID 4360 set thread context of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\2120.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e592d40.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{906E09BC-E723-46FE-96BE-DEA9A0577FF8} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI3DDB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI38F8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e592d44.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e592d40.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1E41.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hrawhwc | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hrawhwc | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3103.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3103.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hrawhwc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3103.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2612 = "Bougainville Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\DirectShow | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\DirectShow\MediaObjects | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\DirectShow\MediaObjects\Categories | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000_Classes\WOW6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125\ = "Audio decoders" | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3103.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hrawhwc | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2120.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3AD8.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\MSIEXEC.EXE | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03exeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\1E41.exe
C:\Users\Admin\AppData\Local\Temp\1E41.exe
C:\Users\Admin\AppData\Local\Temp\2120.exe
C:\Users\Admin\AppData\Local\Temp\2120.exe
C:\Users\Admin\AppData\Local\Temp\1E41.exe
C:\Users\Admin\AppData\Local\Temp\1E41.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\242F.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\242F.dll
C:\Users\Admin\AppData\Local\Temp\2AB9.exe
C:\Users\Admin\AppData\Local\Temp\2AB9.exe
C:\Users\Admin\AppData\Local\Temp\3103.exe
C:\Users\Admin\AppData\Local\Temp\3103.exe
C:\Users\Admin\AppData\Local\Temp\3AD8.exe
C:\Users\Admin\AppData\Local\Temp\3AD8.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Roaming\hrawhwc
C:\Users\Admin\AppData\Roaming\hrawhwc
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\2624.exe
C:\Users\Admin\AppData\Local\Temp\2624.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\3ea3def4-d4d9-4485-8f7f-eab4d9c394ca" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\1E41.exe
"C:\Users\Admin\AppData\Local\Temp\1E41.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\1E41.exe
"C:\Users\Admin\AppData\Local\Temp\1E41.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3432 -ip 3432
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 568
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\3AD8.exe
"C:\Users\Admin\AppData\Local\Temp\3AD8.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\FFAF.exe
C:\Users\Admin\AppData\Local\Temp\FFAF.exe
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\FFAF.exe
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\FFAF.exe /q"C:\Users\Admin\AppData\Local\Temp\FFAF.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}" /IS_temp
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\Unpluralized Antifrost.msi" /qn SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="FFAF.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B34C09D1EF092B0FAD3452617CCBC83D
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{91804509-47AB-45A8-89FE-6E9D9B4449CC}
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6A076B75-000E-499A-92D3-B13C395ED941}
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C3BB04C2-8EF9-425A-BA23-6AFC3922689A}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{39181653-6FE1-42F5-9469-C71A8C6F737E}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B552642C-9BD1-4825-97E5-CC31EAF2F2EC}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2DFDFDD3-9DFD-4E67-94CF-042E92AB9344}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D09E8DA2-5C8B-4CC1-9262-3DEEB014B869}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E19CBFE6-C299-49E2-99EE-1DEBC73D88CF}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F0D7A778-7751-413C-BFAB-5585553780FF}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4E495697-7382-460E-8CBF-763F682F18AF}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c LZMAdriver.exe x dism.7z -o%ProgramData% -pJWWF92HAadWoSJXC
C:\ProgramData\LZMAdriver.exe
LZMAdriver.exe x dism.7z -oC:\ProgramData -pJWWF92HAadWoSJXC
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d %ProgramData%\Dism\CompatProvider.exe /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\ProgramData\Dism\CompatProvider.exe /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\ProgramData\Dism\CompatProvider.exe
C:\ProgramData\Dism\CompatProvider.exe
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}"
Network
Files
C:\Users\Admin\AppData\Local\Temp\1E41.exe
C:\Users\Admin\AppData\Local\Temp\2120.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/4360-24-0x0000000000B50000-0x00000000012F8000-memory.dmp
memory/4948-26-0x00000000007D0000-0x000000000086D000-memory.dmp
memory/4024-27-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4024-29-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E41.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/4024-33-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-31-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/4948-25-0x0000000002430000-0x000000000254B000-memory.dmp
memory/4360-32-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/4360-34-0x00000000753A0000-0x0000000075490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\242F.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/4360-37-0x00000000753A0000-0x0000000075490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2624.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
memory/4360-44-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/4024-45-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4360-46-0x0000000077304000-0x0000000077306000-memory.dmp
memory/4360-41-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/4360-40-0x00000000753A0000-0x0000000075490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\242F.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
C:\Users\Admin\AppData\Local\Temp\2AB9.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3204-59-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/2512-61-0x00000000008D0000-0x00000000008D6000-memory.dmp
memory/2512-62-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/4360-65-0x0000000000B50000-0x00000000012F8000-memory.dmp
memory/3204-66-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3204-68-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/4360-70-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/3204-63-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3204-60-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/4360-71-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/3204-53-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/4360-74-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/3204-77-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3204-80-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3204-82-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/4360-83-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/4360-85-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/3204-88-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3204-90-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3204-92-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3204-94-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3204-95-0x0000000008A40000-0x0000000008A50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3AD8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3180-105-0x00000000005C0000-0x00000000006C0000-memory.dmp
memory/3204-103-0x0000000008A40000-0x0000000008A50000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3AD8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/3204-100-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3180-106-0x00000000021C0000-0x00000000021CB000-memory.dmp
memory/3204-108-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3180-111-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/3204-84-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/4360-81-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/4360-79-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/4360-76-0x00000000753A0000-0x0000000075490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3103.exe
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
memory/3204-73-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/3204-47-0x0000000008A40000-0x0000000008A50000-memory.dmp
memory/4360-35-0x00000000753A0000-0x0000000075490000-memory.dmp
memory/864-113-0x00000000008A0000-0x00000000008AC000-memory.dmp
memory/864-114-0x00000000008B0000-0x00000000008B7000-memory.dmp
memory/864-119-0x00000000008A0000-0x00000000008AC000-memory.dmp
memory/4360-115-0x0000000000B50000-0x00000000012F8000-memory.dmp
memory/2212-117-0x0000000001000000-0x000000000106B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4360-124-0x00000000061C0000-0x0000000006764000-memory.dmp
memory/2212-125-0x0000000001000000-0x000000000106B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2212-120-0x00000000008A0000-0x00000000008AC000-memory.dmp
memory/4360-132-0x0000000005CB0000-0x0000000005D42000-memory.dmp
memory/3504-150-0x0000000002A80000-0x0000000002E7A000-memory.dmp
memory/4360-140-0x0000000005EF0000-0x0000000005F8C000-memory.dmp
memory/3504-156-0x0000000002E80000-0x000000000376B000-memory.dmp
memory/3504-159-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/3204-160-0x0000000007040000-0x0000000007056000-memory.dmp
memory/3180-162-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/4360-164-0x0000000005EA0000-0x0000000005EAA000-memory.dmp
C:\Users\Admin\AppData\Roaming\hrawhwc
| MD5 | e4f413040b9aa0bd42bac9126ae1b32e |
| SHA1 | 02459e40fd2bbcfbcfa578a9e1090092833b3742 |
| SHA256 | 3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03 |
| SHA512 | 19f0e4f676b7e59e094ed09231af1b7e60c762a3d66124a4a449e642a515ad669504bb3a4559172ba1345a5f58f02884734facc3fbdafedf64406f79e8d547ca |
memory/2212-166-0x0000000001000000-0x000000000106B000-memory.dmp
C:\Users\Admin\AppData\Roaming\hrawhwc
| MD5 | e4f413040b9aa0bd42bac9126ae1b32e |
| SHA1 | 02459e40fd2bbcfbcfa578a9e1090092833b3742 |
| SHA256 | 3626f9260d12f7a2c8b5fdd51e136d36c3085e98fd434f13881257e7b1fd2c03 |
| SHA512 | 19f0e4f676b7e59e094ed09231af1b7e60c762a3d66124a4a449e642a515ad669504bb3a4559172ba1345a5f58f02884734facc3fbdafedf64406f79e8d547ca |
C:\Users\Admin\AppData\Local\3ea3def4-d4d9-4485-8f7f-eab4d9c394ca\1E41.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/3504-169-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/2512-170-0x0000000002660000-0x000000000277B000-memory.dmp
memory/4024-171-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E41.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/1512-174-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2512-176-0x0000000002780000-0x000000000287F000-memory.dmp
memory/2512-180-0x0000000002780000-0x000000000287F000-memory.dmp
memory/1512-181-0x0000000073370000-0x0000000073B20000-memory.dmp
memory/1512-182-0x00000000073E0000-0x00000000073F0000-memory.dmp
memory/60-184-0x0000000002180000-0x000000000221E000-memory.dmp
memory/3504-183-0x0000000002A80000-0x0000000002E7A000-memory.dmp
memory/3432-187-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1E41.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2512-188-0x0000000002780000-0x000000000287F000-memory.dmp
memory/3432-189-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1512-192-0x00000000084D0000-0x0000000008AE8000-memory.dmp
memory/3432-191-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1512-193-0x0000000007710000-0x000000000781A000-memory.dmp
memory/1512-194-0x0000000007640000-0x0000000007652000-memory.dmp
memory/1512-195-0x00000000076A0000-0x00000000076DC000-memory.dmp
memory/1512-196-0x0000000007820000-0x000000000786C000-memory.dmp
memory/3504-197-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dqw33kr1.yod.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4360-215-0x0000000006010000-0x0000000006025000-memory.dmp
memory/4360-214-0x0000000006010000-0x0000000006025000-memory.dmp
memory/4360-217-0x0000000006010000-0x0000000006025000-memory.dmp
memory/4360-219-0x0000000006010000-0x0000000006025000-memory.dmp
memory/4360-221-0x0000000006010000-0x0000000006025000-memory.dmp
memory/4360-224-0x0000000006010000-0x0000000006025000-memory.dmp
memory/4360-226-0x0000000006010000-0x0000000006025000-memory.dmp
memory/4360-228-0x0000000006010000-0x0000000006025000-memory.dmp
C:\Users\Admin\AppData\Roaming\wsawhwc
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | c671d50d589ce7be9ad3ff4035e6ad63 |
| SHA1 | 88cdc154077c8264149cb8b19e16ba07901e1dd6 |
| SHA256 | fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568 |
| SHA512 | a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9 |
C:\Users\Admin\AppData\Local\Temp\3AD8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 37014f5f80b4a2ca45cc07aee423da76 |
| SHA1 | f7a0a8ef64763adb78313b05e8a5416d5a36583e |
| SHA256 | a133d994b819596605c07cfed45039d8ba0d06ad49f391a909cc049e821a3729 |
| SHA512 | e806da22ebad5ff5b4cc6b00be8df8e13d081d87b1532d674308f9ed78a316874ab7fe88d25144cca614c826224fae0ef9140bddcf3a3ab73be22c9113bbea61 |
C:\Users\Admin\AppData\Local\Temp\FFAF.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\FFAF.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2d82d7f53059e67c27f116adca0a6a6d |
| SHA1 | ecd0fd0a78e4af33c8ca7cf5500cf7e6b385580c |
| SHA256 | bd02b3d9f7c26d87916835297bde98237977ee914179bfe0992a6f63d294fc37 |
| SHA512 | e6be1faa01da3d47390ad1a41c051ac8686de163830ff9514387728e769e173b9c32e3e34461265094a973c298c9418129208c7570a5776a105152f6b05a0841 |
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\FFAF.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\_ISMSIDEL.INI
| MD5 | f6599154b171a4ff6c2ab5a2c471ab1a |
| SHA1 | f503f85aa5d4355e68ec4e0738485dedee8e8137 |
| SHA256 | 24d6430498912177664e7a8e27a7e162af0909b468677ef1243361d0741d70c7 |
| SHA512 | a2ea7fd38d8bf27a927ac499028d85c5639af7219c68d2fa7e7c1ed2e447af5407d50226264519b24dd8b471604c02f2038f1601156283c4756d3a2479cdcb2f |
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\Setup.INI
| MD5 | 236e86a73aa13283f042a8e0e37d817b |
| SHA1 | ccde2476172fba63fc37d4472ad164239d91722f |
| SHA256 | f4f66390a1bb0c30a78df0caf277bdd0111fecb9f53099663f56def6038cb1bf |
| SHA512 | 2a334c02b5c3d67287c49deee07f36d423176aaf51187f9edaafb73798d3a8a56c8e7c677326cc355ca4bbb4b4a851875b9c4318c78a55f3f17d0243ed1427e7 |
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\0x0409.ini
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Temp\iss1CD7.tmp
| MD5 | 68b9e8b86c2bddab0ddf6d0f5c557a90 |
| SHA1 | 259fc4e76e750ffc3d1a19f4542a8af0491d14f5 |
| SHA256 | de6649c3a2ee6369b6b7e085b381c6d9fe17d4ba257f80666ef4a2106dc9940a |
| SHA512 | e614e1e31580fc5d262e19d30f7a96d87b1b32b4e9801f906436a59d7fc5002ac588506c0ea6f5a2bbc30641574b6a4e2a167e97fe1343219d5909ebb192986d |
C:\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\Unpluralized Antifrost.msi
| MD5 | 384fdf7735b3ee70fec5dcf26a680bd3 |
| SHA1 | 0ea8725216826551e54236021a6a1df1092b098c |
| SHA256 | 74e1b2835493fb60fcdc917386c8ae42286eca322e8cc0b0c6456eb727cb959f |
| SHA512 | 36ec03bdc5b1a3ba356692a69ecd9dd6169ede8782ff41c52b114229dcbfec162b1b31cf863af2435f6b976407025fd62abab0ca540515b47aa82d0cff1dc4e8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 314a93e68238fad1e3c89442f60e6ea4 |
| SHA1 | de8b836ec8bfe3b59362c7871ccaa1cca36de6cd |
| SHA256 | 424c5162aab5e63a630936729638a59a992acd4f66e3ce8dbc62a6c9da923ec8 |
| SHA512 | 8d602b56e2bb6a40d4fd2066ea0926f0a51d5c5d153e30fcdaf0d6ccd61418bb7c9de32e96cd94d811e964424d610f505b8ac7ac45d1f3450c2e048c4c250f01 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Windows\Installer\e592d40.msi
| MD5 | 384fdf7735b3ee70fec5dcf26a680bd3 |
| SHA1 | 0ea8725216826551e54236021a6a1df1092b098c |
| SHA256 | 74e1b2835493fb60fcdc917386c8ae42286eca322e8cc0b0c6456eb727cb959f |
| SHA512 | 36ec03bdc5b1a3ba356692a69ecd9dd6169ede8782ff41c52b114229dcbfec162b1b31cf863af2435f6b976407025fd62abab0ca540515b47aa82d0cff1dc4e8 |
C:\Config.Msi\e592d43.rbs
| MD5 | 14d400af567762733e60bbd5bb91425c |
| SHA1 | 62b661cf71dc77d08b7280b58c9d68ef3a9ebb20 |
| SHA256 | 2547d6652141afe92237c958a9812315650f550f495bbee5f1d8ffe5d70e4967 |
| SHA512 | 185a8907ba998b3c623b7cdd7e1b66c1d9e472b8ce4405f1e716399a759c79df358ae90e6776b850bf1d13720b15697af209f41d66e525759b9b2346fc8e8a92 |
C:\Windows\Installer\MSI3DDB.tmp
| MD5 | 68b9e8b86c2bddab0ddf6d0f5c557a90 |
| SHA1 | 259fc4e76e750ffc3d1a19f4542a8af0491d14f5 |
| SHA256 | de6649c3a2ee6369b6b7e085b381c6d9fe17d4ba257f80666ef4a2106dc9940a |
| SHA512 | e614e1e31580fc5d262e19d30f7a96d87b1b32b4e9801f906436a59d7fc5002ac588506c0ea6f5a2bbc30641574b6a4e2a167e97fe1343219d5909ebb192986d |
C:\Users\Admin\AppData\Local\Temp\{2446CB7A-FD67-4962-83FD-6772CB918636}\IsConfig.ini
| MD5 | b8a50c79678751b15c66fe334eb70c5d |
| SHA1 | aef26fd251878641ec06bad186cfd993b079d8b4 |
| SHA256 | 3278a60cfc42badbb51c967cfcc6a6be9603976eb83b68144dafc996cc3a7b23 |
| SHA512 | 0160aa0b583346ca6d62afdf19914c037583f05c709183e9b0adc636d9211a1f6cfedc35cb4e7d4bf291fe33034cd3766b26ece389db4c40fb687acffb5ca59c |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\setup.inx
| MD5 | 59c61e5180b22d32fbb3109e6898796b |
| SHA1 | 1c409028cbe6ce101d54777ec35634d0af785241 |
| SHA256 | 97a5dcfea923ceaaa85176dace8889660b1a0719c8a37730bc845e7a35ef48cc |
| SHA512 | ea499964355389cdfa3fef3c2e3b1e2da1f9533da08c9b28ed26dd7a68678ad07bee55148b040611da33e944b4af90b282cfcb47d30227b41753390d1a3c6686 |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISRT.dll
| MD5 | 251e8cc2d5611135d1cafdf6ca0994c2 |
| SHA1 | 27eefaa67d541bfc9ddca74f69d6fd5f83ec1165 |
| SHA256 | fb4f99cd0da2a02975e84206a39202eee74f0384846f2caf4417704f44e254e9 |
| SHA512 | 92cd57a98edaba3ab25be5e920e73c3486afd5433f05ba9129708520addc8dab29c779c55c4c78904001da37047b8604e322396f3bd5a0dd8b13247182abaa3f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d5499b532847c4897f3f633170f3c01b |
| SHA1 | 70a3441faea4d2a82260be5ea13fcf028e444de2 |
| SHA256 | ebb66cfd156a45b16fabff92ff9b16e2df1bcf707087414a5b989fa2edc234d7 |
| SHA512 | d5c59b27294342faedc0c604948f195464ab41b56702977ba055439af2380de607f5e48d203457e6e6a241a7bb287ed900e3da0a7e3b928d1753f373457ee135 |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\_isres_0x0409.dll
| MD5 | f8ecf9191547edc4e6bef5aeeac5dab7 |
| SHA1 | 3d616332bed37028155e825a092702d020e2c405 |
| SHA256 | 505916e8b40fdd031ee21eea40a8bee0adeac0d04e23c3a6b10ecee0217d2416 |
| SHA512 | 67e09df9b14c5dd8c70f2e7da73e7189e08ab73192dc9bf8e8a31261ae89303ded441f038ea314571775ec8c677f63eee5990e38094c99ab70675bc4981fac4e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\_isres_0x0409.dll
| MD5 | f8ecf9191547edc4e6bef5aeeac5dab7 |
| SHA1 | 3d616332bed37028155e825a092702d020e2c405 |
| SHA256 | 505916e8b40fdd031ee21eea40a8bee0adeac0d04e23c3a6b10ecee0217d2416 |
| SHA512 | 67e09df9b14c5dd8c70f2e7da73e7189e08ab73192dc9bf8e8a31261ae89303ded441f038ea314571775ec8c677f63eee5990e38094c99ab70675bc4981fac4e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\String1033.txt
| MD5 | 2f03bc3279c252e3407ac15607a0f697 |
| SHA1 | a81e6132d0df1f41f05eeceb301cf349016a0ccd |
| SHA256 | 6eb5f4d762f690fce2061611a5b2ba25caeb99ac59ad76c0f99325189faba7ad |
| SHA512 | dafeb4be33a28a29c3327c06c1bf6c42dc39da1e7e09ead9928d26a234885182c6b270642d836f36bca33c2b3e6e9631710b07abd6bf68286b2d8703b8e32ac8 |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\IsConfig.ini
| MD5 | b8a50c79678751b15c66fe334eb70c5d |
| SHA1 | aef26fd251878641ec06bad186cfd993b079d8b4 |
| SHA256 | 3278a60cfc42badbb51c967cfcc6a6be9603976eb83b68144dafc996cc3a7b23 |
| SHA512 | 0160aa0b583346ca6d62afdf19914c037583f05c709183e9b0adc636d9211a1f6cfedc35cb4e7d4bf291fe33034cd3766b26ece389db4c40fb687acffb5ca59c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e6f5a9e33e2abc2270617dc19f30a725 |
| SHA1 | 4ee282f56de4388b909e84eaab58f3936bafdb1a |
| SHA256 | e1fd0a0035d577b6f298cc1b7a25aa4a576f85784d275f6a6e4acbf67b173ba1 |
| SHA512 | a4d41737a35c6b263b5bf84d33384f16e722182e1e1c61d2b8aaa3e21a8f8732283c192ebd658ba40b24a760ef10f78b4ba1bec453ff78c8c0f31ec59562244d |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\ProgramData\LZMAdriver.exe
| MD5 | 90aac6489f6b226bf7dc1adabfdb1259 |
| SHA1 | c90c47b717b776922cdd09758d2b4212d9ae4911 |
| SHA256 | ba7f3627715614d113c1e1cd7dd9d47e3402a1e8a7404043e08bc14939364549 |
| SHA512 | befaa9b27dc11e226b00a651aa91cbfe1ec36127084d87d44b6cd8a5076e0a092a162059295d3fcd17abb6ea9adb3b703f3652ae558c2eef4e8932131397c12d |
C:\ProgramData\dism.7z
| MD5 | 448f836c5e5e1d54623d063454ff0d76 |
| SHA1 | 12e8d15c305ddf66584e0bfd49dac48549b70b69 |
| SHA256 | eeb5af29a7febfcbac2c6820249cb3dcf67c13be19a6d387b0fbeaf281bcc51b |
| SHA512 | 332052fc89ec16168f8b839b54ed79957e4564d0d63d0704b1e3f19ace32ef2496636a5cd2370f87a5744654050440ee481dfd8a2f82f2ae666d478cce7b804c |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEWX64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\_ISMSIDEL.INI
| MD5 | f0d5c534ef6df27fecbeaf0c8a705e97 |
| SHA1 | 189f5d2c75b84267748d8a0ef012d93d8edd26ed |
| SHA256 | a74813ff39beead9928c48eb8a15dd5bc9bf7a7909891371c6b940b78caf9a34 |
| SHA512 | d62fd4d464410e9f693d3e3a8e3a7d9b78131ce11da11ba708bd57d9a13fedc5fb9023bc6c3d42cb036b9ca5fa7daf9453cd8d4019f9ba857a98aff05756ffe2 |
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\_ISMSIDEL.INI
| MD5 | ea1189957183693c5803bb3eacc06854 |
| SHA1 | c7124f29416e518851eedc6f9871abc1e167ae31 |
| SHA256 | 37979669376353b1b10925842788ea8b2c45ee4f2b22285c3a217cd93aa0f93a |
| SHA512 | 1ac8c5c18e14a05b5ee2f7be26d6a808b28e71b41be7f82ba854fb922c966a67fd9c42673638c4cb96611a52f8423920c1fa3417437ae0cccf8b106ff9d4d58f |
C:\Users\Admin\AppData\Local\Temp\{03278923-59BF-407F-81D3-2484E84BE754}\_ISMSIDEL.INI
| MD5 | c10f0c1c213324eb2d479d8617a58197 |
| SHA1 | 5d830ffc7950e47de2a7f9efafca8425c37a382c |
| SHA256 | 06d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be |
| SHA512 | 6b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702 |