Analysis Overview
SHA256
56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547ca
Threat Level: Known bad
The file NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Vidar
Amadey
Glupteba payload
Detected Djvu ransomware
Glupteba
RedLine
RedLine payload
NetSupport
Djvu Ransomware
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Windows security modification
Loads dropped DLL
Deletes itself
Executes dropped EXE
Checks BIOS information in registry
Checks computer location settings
UPX packed file
Modifies file permissions
Themida packer
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks whether UAC is enabled
Manipulates WinMonFS driver.
Accesses Microsoft Outlook profiles
Enumerates connected drives
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Program crash
Enumerates physical storage devices
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of UnmapMainImage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: MapViewOfSection
outlook_win_path
Uses Task Scheduler COM API
outlook_office_path
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-17 17:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-17 17:09
Reported
2023-10-17 17:16
Platform
win7-20230831-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Vidar
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\E9E7.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\BEDD.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\BEDD.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\BEDD.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\E9E7.exe = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\a281a6c7-e5b4-40f8-9864-d72c2dfd0124\\BA89.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\BA89.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\BEDD.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BEDD.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2792 set thread context of 2600 | N/A | C:\Users\Admin\AppData\Local\Temp\BA89.exe | C:\Users\Admin\AppData\Local\Temp\BA89.exe |
| PID 2820 set thread context of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\C620.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2160 set thread context of 1676 | N/A | C:\Users\Admin\AppData\Local\Temp\BA89.exe | C:\Users\Admin\AppData\Local\Temp\BA89.exe |
| PID 2720 set thread context of 1452 | N/A | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe |
| PID 1952 set thread context of 3068 | N/A | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20231017171439.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E9E7.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2180306848-1874213455-4093218721-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\BA89.exe
C:\Users\Admin\AppData\Local\Temp\BA89.exe
C:\Users\Admin\AppData\Local\Temp\BA89.exe
C:\Users\Admin\AppData\Local\Temp\BA89.exe
C:\Users\Admin\AppData\Local\Temp\BEDD.exe
C:\Users\Admin\AppData\Local\Temp\BEDD.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C3ED.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\C3ED.dll
C:\Users\Admin\AppData\Local\Temp\C620.exe
C:\Users\Admin\AppData\Local\Temp\C620.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\a281a6c7-e5b4-40f8-9864-d72c2dfd0124" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\D434.exe
C:\Users\Admin\AppData\Local\Temp\D434.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\E9E7.exe
C:\Users\Admin\AppData\Local\Temp\E9E7.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\BA89.exe
"C:\Users\Admin\AppData\Local\Temp\BA89.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017171439.log C:\Windows\Logs\CBS\CbsPersist_20231017171439.cab
C:\Users\Admin\AppData\Local\Temp\BA89.exe
"C:\Users\Admin\AppData\Local\Temp\BA89.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\E9E7.exe
"C:\Users\Admin\AppData\Local\Temp\E9E7.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {0CCE4A75-8E34-4F41-83C1-932071E65722} S-1-5-21-2180306848-1874213455-4093218721-1000:XEBBURHY\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe
"C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe"
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe
"C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe"
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe
"C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe"
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe
"C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe"
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| NL | 142.251.36.35:80 | tcp | |
| US | 188.114.97.0:443 | tcp | |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| PS | 213.6.54.58:443 | tcp | |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 172.67.213.185:443 | tcp | |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| KR | 211.181.24.133:80 | zexeq.com | tcp |
| IR | 2.180.10.7:80 | colisumy.com | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| PS | 213.6.54.58:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| RU | 79.137.192.18:80 | tcp | |
| US | 8.8.8.8:53 | 579da5bf-b55e-4c5a-93c1-50faad0b314b.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| FR | 51.254.67.186:16176 | tcp | |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| KR | 211.181.24.133:80 | zexeq.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| JP | 23.207.106.113:443 | steamcommunity.com | tcp |
| DE | 49.12.118.149:80 | 49.12.118.149 | tcp |
Files
memory/2032-1-0x0000000000950000-0x0000000000A50000-memory.dmp
memory/2032-2-0x0000000000230000-0x000000000023B000-memory.dmp
memory/2032-3-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2032-5-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/2032-8-0x0000000000230000-0x000000000023B000-memory.dmp
memory/1268-4-0x0000000002B70000-0x0000000002B86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2792-21-0x0000000000300000-0x0000000000392000-memory.dmp
memory/2792-22-0x0000000000300000-0x0000000000392000-memory.dmp
memory/2600-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2600-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2792-31-0x0000000000300000-0x0000000000392000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2792-25-0x0000000001F30000-0x000000000204B000-memory.dmp
memory/2600-32-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2600-33-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\BEDD.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/2556-38-0x0000000001050000-0x00000000017F8000-memory.dmp
memory/2556-39-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-41-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-40-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-42-0x0000000075A90000-0x0000000075AD7000-memory.dmp
memory/2556-44-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-43-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-45-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-46-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-47-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-48-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-49-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-50-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-52-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-53-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-54-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-56-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-57-0x0000000076920000-0x0000000076A30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C3ED.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/2556-58-0x0000000077E30000-0x0000000077E32000-memory.dmp
\Users\Admin\AppData\Local\Temp\C3ED.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/1956-64-0x0000000000150000-0x0000000000156000-memory.dmp
memory/1956-65-0x0000000010000000-0x00000000101E3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C620.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
C:\Users\Admin\AppData\Local\Temp\C620.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\D434.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\D434.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2600-99-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2556-100-0x0000000001050000-0x00000000017F8000-memory.dmp
memory/2556-102-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/1956-103-0x00000000022D0000-0x00000000023EB000-memory.dmp
memory/2556-105-0x0000000076920000-0x0000000076A30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9E7.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/2556-111-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/1804-113-0x0000000002760000-0x0000000002B58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9E7.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/1956-118-0x0000000001E90000-0x0000000001F8F000-memory.dmp
memory/1956-114-0x0000000001E90000-0x0000000001F8F000-memory.dmp
memory/1956-120-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/2308-119-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/2556-122-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-128-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/2556-135-0x0000000076920000-0x0000000076A30000-memory.dmp
memory/1804-136-0x0000000002760000-0x0000000002B58000-memory.dmp
memory/2308-137-0x00000000001B0000-0x0000000000230000-memory.dmp
memory/2308-138-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/1804-139-0x0000000002B60000-0x000000000344B000-memory.dmp
memory/1924-140-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1804-141-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/1620-144-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1620-145-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1620-146-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1620-148-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1620-149-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1620-147-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1620-151-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1620-153-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1924-142-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1956-143-0x0000000001E90000-0x0000000001F8F000-memory.dmp
C:\Users\Admin\AppData\Local\a281a6c7-e5b4-40f8-9864-d72c2dfd0124\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\E9E7.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/2600-157-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1620-156-0x0000000073B50000-0x000000007423E000-memory.dmp
memory/1804-159-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/1804-162-0x0000000000400000-0x0000000000D6F000-memory.dmp
\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2600-165-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2160-168-0x0000000000220000-0x00000000002B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2160-169-0x0000000000220000-0x00000000002B2000-memory.dmp
\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/1620-170-0x0000000073B50000-0x000000007423E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BA89.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/1676-178-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab48A4.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 021d59f078ef5016c3946d207aae0ffa |
| SHA1 | 407f13f311e3af95369a1f1de15b0a97bae43ee8 |
| SHA256 | fc94facfb4b4df5c690a4997789dc28e0367c4b7250ca754409fbb8d288f0dca |
| SHA512 | 50171a2b6e1128e97dac2e40f84097597a6652a59eb59eb8e9049aca6fbb7bd3fbc91eb8dda7b56b9ed6e56d1684a3cd2e918fe972431492cc3c78c1ca3f0402 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | f511ea26d6810f0d005155e61ca57c92 |
| SHA1 | aeb04096a667d12784b76e6bf0d78acb11a98a5e |
| SHA256 | af0e963b9bf5be82ccb6253e13232ccc9bd7c11d4d5ff874a5761215b9cb5b2a |
| SHA512 | 61a784ebf47f3dba05d24aec198d50ef336c5d937045ad6904c3b4720c92c8877ae8f5d456891365ef49b88f2801bfc9d940cebfb40a3b450b13540419b0e099 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 0268ef551139ac7672a96e6658ce044a |
| SHA1 | b005ca526faa872c8e0aeafd11e3335c28c16037 |
| SHA256 | 417ec67ee533de68e2008cc547552d33878e0d9bedd6ceaf5572d37112bb036a |
| SHA512 | 5405872c99f9f88596d39057d8701ba360b498d8bbb5eb64cd5af5f8f1100e0ecdaf09ad811aa0b3fc92ddfcef05d1a14e6495868e4995af049cd3be0247860d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 7b25e4411a9524fdd4de60db8db6f19c |
| SHA1 | de6c325ab856a7ae7701702ce749749c94d4596c |
| SHA256 | 6d24196a90bd39355643f151efbde055891a18c885dfd2b42a00df87064ea241 |
| SHA512 | b7c321ea3b574f7a506a6909230a35e8f2d68e6d65064c1fbd005702ad54e1bf572103b1f273b51da4580e39b4b4760ec606f99d250de38dc5339fdf1a23b5f5 |
memory/1620-193-0x00000000072F0000-0x0000000007330000-memory.dmp
memory/1676-195-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9E7.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/2832-197-0x00000000026B0000-0x0000000002AA8000-memory.dmp
memory/1676-194-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1804-198-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/2832-200-0x00000000026B0000-0x0000000002AA8000-memory.dmp
memory/2832-201-0x0000000002AB0000-0x000000000339B000-memory.dmp
memory/2832-202-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/1676-206-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1676-209-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1676-208-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1676-210-0x0000000000400000-0x0000000000537000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/2832-230-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/3004-232-0x0000000002750000-0x0000000002B48000-memory.dmp
memory/2832-233-0x00000000026B0000-0x0000000002AA8000-memory.dmp
memory/1620-234-0x00000000072F0000-0x0000000007330000-memory.dmp
memory/1676-235-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3004-241-0x0000000002750000-0x0000000002B48000-memory.dmp
memory/3004-242-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/3004-243-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/3004-246-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/1540-255-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
memory/1540-270-0x0000000140000000-0x00000001405E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 277260b0660af0606d48aab5194dda73 |
| SHA1 | 14a4abc085ed85c7183b438252ee5670da449184 |
| SHA256 | 8749bd7a3c9eed8a639a875784c4c2e79e4d2b335aae5f35d56230d911000097 |
| SHA512 | de89065d54e074f22b8639310cae20d8c78aafd662115c2b337fdd38a2a49ec30262a7ef60ac3e3729d295b48cfdd1024e1f97841cd73c7ceef243f87b646fd4 |
C:\Users\Admin\AppData\Local\Temp\Tar13A1.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
memory/3004-324-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
memory/2720-339-0x00000000008B0000-0x00000000009B0000-memory.dmp
memory/2720-341-0x00000000002F0000-0x0000000000341000-memory.dmp
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build2.exe
| MD5 | 8012f0388cdda7870e63a5723ff24e9b |
| SHA1 | 08ed4dc8ded91f4aa23324b7eac56a22a883005d |
| SHA256 | 5f44375ddddaedfcd4f2499d3e121b7d9ee627b751f2d0914a562d35d7c9a551 |
| SHA512 | f59ce84fd7a3762efb919bb8474226fdb99765f80e4a40a9a66764a1502150fe40804be5363caeda6d27fdcfe44e5897a8c624db9993c2c890d83bbb660c01d3 |
memory/1452-348-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 87ff651afce016726d0626890a3fb1e2 |
| SHA1 | 82c2726cee689051cd54378f816ca964df136cb6 |
| SHA256 | 3d30f6f20f077d86c5faaf3a6dda66edb651e566d497d6c033b09740fc497dab |
| SHA512 | d4b10a7e3ecadf6db8320f7cfa6722040f74e3494cf8455d9edc97c04f09f99030897a94ce7261125c93e9f4b5ce387fa21dbcd8a476b5737a49b28da1850b20 |
\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1952-464-0x0000000000890000-0x0000000000990000-memory.dmp
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1952-466-0x0000000000220000-0x0000000000224000-memory.dmp
C:\Users\Admin\AppData\Local\f538c504-71c1-4981-9a86-7ad99c471e8d\build3.exe
| MD5 | 41b883a061c95e9b9cb17d4ca50de770 |
| SHA1 | 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad |
| SHA256 | fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408 |
| SHA512 | cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319 |
memory/1452-471-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3068-472-0x0000000000400000-0x0000000000406000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-17 17:09
Reported
2023-10-17 17:16
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NetSupport
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D0EC.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DDA2.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\ProgramData\Dism\CompatProvider.exe | N/A |
| N/A | N/A | C:\ProgramData\Dism\CompatProvider.exe | N/A |
| N/A | N/A | C:\ProgramData\Dism\CompatProvider.exe | N/A |
| N/A | N/A | C:\ProgramData\Dism\CompatProvider.exe | N/A |
| N/A | N/A | C:\ProgramData\Dism\CompatProvider.exe | N/A |
| N/A | N/A | C:\ProgramData\Dism\CompatProvider.exe | N/A |
| N/A | N/A | C:\ProgramData\Dism\CompatProvider.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\d15f5abd-70d2-4616-9537-5a52c583e81a\\D0EC.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D0EC.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4036 set thread context of 3996 | N/A | C:\Users\Admin\AppData\Local\Temp\D0EC.exe | C:\Users\Admin\AppData\Local\Temp\D0EC.exe |
| PID 408 set thread context of 4204 | N/A | C:\Users\Admin\AppData\Local\Temp\D861.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 796 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\D0EC.exe | C:\Users\Admin\AppData\Local\Temp\D0EC.exe |
| PID 3404 set thread context of 1508 | N/A | C:\Users\Admin\AppData\Local\Temp\D41A.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e589c4b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e589c4f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9EFA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{906E09BC-E723-46FE-96BE-DEA9A0577FF8} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA3FC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e589c4b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\D0EC.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-602 = "Taipei Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-571 = "China Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-432 = "Iran Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-751 = "Tonga Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-211 = "Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | C:\Windows\windefender.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\WOW6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125\ = "Audio decoders" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\WOW6432Node\DirectShow\MediaObjects\Categories\57f2db8b-e6bb-4513-9d43-dcd2a6593125 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\WOW6432Node | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\WOW6432Node\DirectShow | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\WOW6432Node\DirectShow\MediaObjects | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000_Classes\WOW6432Node\DirectShow\MediaObjects\Categories | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\D41A.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EB21.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Dism\CompatProvider.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEAS56a41c337b7fd51f7d81f3b7506bb0ded033decfbfbdf2f69259ccff0fd547caexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
C:\Users\Admin\AppData\Local\Temp\D41A.exe
C:\Users\Admin\AppData\Local\Temp\D41A.exe
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D6DA.dll
C:\Users\Admin\AppData\Local\Temp\D861.exe
C:\Users\Admin\AppData\Local\Temp\D861.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\D6DA.dll
C:\Users\Admin\AppData\Local\Temp\DDA2.exe
C:\Users\Admin\AppData\Local\Temp\DDA2.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Users\Admin\AppData\Local\Temp\E45A.exe
C:\Users\Admin\AppData\Local\Temp\E45A.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d15f5abd-70d2-4616-9537-5a52c583e81a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\EB21.exe
C:\Users\Admin\AppData\Local\Temp\EB21.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
"C:\Users\Admin\AppData\Local\Temp\D0EC.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
"C:\Users\Admin\AppData\Local\Temp\D0EC.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2980 -ip 2980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 568
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\EB21.exe
"C:\Users\Admin\AppData\Local\Temp\EB21.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\7B9B.exe
C:\Users\Admin\AppData\Local\Temp\7B9B.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\7B9B.exe
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\7B9B.exe /q"C:\Users\Admin\AppData\Local\Temp\7B9B.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}" /IS_temp
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\Unpluralized Antifrost.msi" /qn SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="7B9B.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 1C81CA64D3A45E349AB0543CF1EC4D23
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5817813C-55C7-4B51-A637-E5F8EC9C7A3B}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FC33C9EC-C839-4FE4-BDA6-93046C9571F9}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{98333177-6C21-4AE4-AFD4-1AF8CBD28511}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B32E70D6-7DDE-4514-90AC-083EA219C98C}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A7FA26E9-AAC4-4882-A474-AAA7C0B79E9B}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CCBC9242-9C1C-404A-9284-EC89E1D51465}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0A3B2FC2-A981-4935-81B7-B9F99E58EBF7}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{666F7A52-5999-408D-BAA0-FB25456C52A6}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F2B5CC5-99C2-4E5A-BC53-B05D37F65DC0}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9DA5A052-DD5D-4B1C-AA7E-E86DD37E4DCC}
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c LZMAdriver.exe x dism.7z -o%ProgramData% -pJWWF92HAadWoSJXC
C:\ProgramData\LZMAdriver.exe
LZMAdriver.exe x dism.7z -oC:\ProgramData -pJWWF92HAadWoSJXC
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d %ProgramData%\Dism\CompatProvider.exe /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\ProgramData\Dism\CompatProvider.exe /f
C:\ProgramData\Dism\CompatProvider.exe
C:\ProgramData\Dism\CompatProvider.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.213.67.172.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| FR | 51.254.67.186:16176 | tcp | |
| US | 8.8.8.8:53 | 186.67.254.51.in-addr.arpa | udp |
| RU | 31.41.244.27:41140 | tcp | |
| US | 8.8.8.8:53 | 126.24.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 36.22.119.201.in-addr.arpa | udp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | toennjeskenya.com | udp |
| GB | 77.95.113.16:443 | toennjeskenya.com | tcp |
| US | 8.8.8.8:53 | 16.113.95.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3e53022a-8fe3-40af-a6a0-f9ea4290a6e8.uuid.statsexplorer.org | udp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| MX | 201.119.22.36:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | server2.statsexplorer.org | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server2.statsexplorer.org | tcp |
| JP | 172.217.213.127:19302 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.213.217.172.in-addr.arpa | udp |
| US | 188.114.96.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server2.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 62.172.138.67:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | glaciecrw.cfd | udp |
| RO | 185.225.17.47:136 | glaciecrw.cfd | tcp |
| US | 8.8.8.8:53 | 67.138.172.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 47.17.225.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
Files
memory/3736-1-0x0000000000B00000-0x0000000000C00000-memory.dmp
memory/3736-2-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3736-3-0x0000000000A70000-0x0000000000A7B000-memory.dmp
memory/3184-4-0x0000000002F60000-0x0000000002F76000-memory.dmp
memory/3736-5-0x0000000000400000-0x00000000007CE000-memory.dmp
memory/3184-8-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-9-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-10-0x0000000003440000-0x0000000003450000-memory.dmp
memory/3184-11-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-12-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-13-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-14-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-15-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-17-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-19-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-20-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-21-0x0000000002F80000-0x0000000002F90000-memory.dmp
memory/3184-22-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-23-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-25-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-24-0x0000000002F80000-0x0000000002F90000-memory.dmp
memory/3184-29-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-31-0x0000000003440000-0x0000000003450000-memory.dmp
memory/3184-27-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-32-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-30-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-33-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-34-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-36-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-38-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-35-0x0000000002F80000-0x0000000002F90000-memory.dmp
memory/3184-39-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-40-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-42-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-43-0x0000000003430000-0x0000000003440000-memory.dmp
memory/3184-47-0x0000000002F80000-0x0000000002F90000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/4036-56-0x00000000022B0000-0x000000000234C000-memory.dmp
memory/4036-57-0x0000000002410000-0x000000000252B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D41A.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
C:\Users\Admin\AppData\Local\Temp\D41A.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/3404-62-0x0000000000A30000-0x00000000011D8000-memory.dmp
memory/3996-63-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-64-0x0000000076E40000-0x0000000076F30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/3996-66-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3404-68-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/3404-71-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/3404-72-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/3996-69-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D6DA.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/3404-74-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/3404-77-0x0000000076E40000-0x0000000076F30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D861.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
memory/3404-80-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/3404-82-0x0000000077654000-0x0000000077656000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D6DA.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/3996-81-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1128-87-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/1128-86-0x0000000000780000-0x0000000000786000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D861.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
memory/3404-67-0x0000000076E40000-0x0000000076F30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDA2.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3404-93-0x0000000000A30000-0x00000000011D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDA2.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3404-96-0x0000000005CC0000-0x0000000006264000-memory.dmp
memory/3404-97-0x00000000055E0000-0x0000000005672000-memory.dmp
memory/3404-98-0x00000000058B0000-0x000000000594C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3404-103-0x00000000056A0000-0x00000000056AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E45A.exe
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\E45A.exe
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/4540-118-0x0000000000780000-0x0000000000880000-memory.dmp
memory/4540-119-0x0000000000600000-0x000000000060B000-memory.dmp
memory/4540-120-0x0000000000400000-0x00000000005B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EB21.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Users\Admin\AppData\Local\Temp\EB21.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/1128-128-0x00000000024E0000-0x00000000025FB000-memory.dmp
memory/3404-129-0x0000000000A30000-0x00000000011D8000-memory.dmp
memory/3268-130-0x0000000000420000-0x000000000048B000-memory.dmp
memory/3404-131-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/3268-132-0x0000000000420000-0x000000000048B000-memory.dmp
memory/3268-133-0x0000000000490000-0x0000000000505000-memory.dmp
memory/5100-134-0x0000000000FA0000-0x0000000000FAC000-memory.dmp
memory/3404-137-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/3404-135-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/5100-143-0x0000000000FA0000-0x0000000000FAC000-memory.dmp
memory/3404-148-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/3404-142-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/1992-159-0x0000000002C70000-0x000000000306A000-memory.dmp
memory/1128-166-0x0000000002600000-0x00000000026FF000-memory.dmp
memory/3404-140-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/1992-167-0x0000000003070000-0x000000000395B000-memory.dmp
memory/3404-168-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/1128-141-0x0000000002600000-0x00000000026FF000-memory.dmp
memory/1992-169-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/1128-170-0x0000000002600000-0x00000000026FF000-memory.dmp
memory/4540-176-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/3268-175-0x0000000000420000-0x000000000048B000-memory.dmp
memory/3404-178-0x0000000076E40000-0x0000000076F30000-memory.dmp
memory/3184-172-0x00000000076D0000-0x00000000076E6000-memory.dmp
memory/3996-179-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4204-181-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\d15f5abd-70d2-4616-9537-5a52c583e81a\D0EC.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/4204-182-0x00000000735C0000-0x0000000073D70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/3996-184-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2980-192-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2980-191-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D0EC.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2980-194-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ejzrwybo.33s.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3404-223-0x0000000005880000-0x0000000005895000-memory.dmp
memory/3404-225-0x0000000005880000-0x0000000005895000-memory.dmp
memory/3404-234-0x0000000005880000-0x0000000005895000-memory.dmp
memory/3404-238-0x0000000005880000-0x0000000005895000-memory.dmp
memory/3404-236-0x0000000005880000-0x0000000005895000-memory.dmp
memory/3404-232-0x0000000005880000-0x0000000005895000-memory.dmp
memory/3404-230-0x0000000005880000-0x0000000005895000-memory.dmp
memory/3404-228-0x0000000005880000-0x0000000005895000-memory.dmp
memory/3404-222-0x0000000005880000-0x0000000005895000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EB21.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | c671d50d589ce7be9ad3ff4035e6ad63 |
| SHA1 | 88cdc154077c8264149cb8b19e16ba07901e1dd6 |
| SHA256 | fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568 |
| SHA512 | a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1343a3aa3df573d81f34aa3679977361 |
| SHA1 | e69f0ee72bf6b2ed0819bcb22def6dc43306f001 |
| SHA256 | be759c9573481e139f1f285438b109c72e78e25ca8274020327f5977313189a1 |
| SHA512 | f5991ebe5c3208b8c55705e6c754e9a18572dc7cebd59dd5144ebc90b14aac8c52af471bba4b634262f324077ffabc842560dd44bd993476e1ad32f1eb1159de |
C:\Users\Admin\AppData\Roaming\gicdwjf
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2f7c8d39e9144c70171e3a5df01f6cc0 |
| SHA1 | 11f894438bd8f86bfc69ed209d54a8e389d4198f |
| SHA256 | 4473a094324b9fc42f7fab26093b32fcb42df1c99c2dedfd7344b3bb0a01616f |
| SHA512 | 8a2ef364146872ac5ae2bb7bdf01ae4ab23c4e495f4c881dcbac11621d0bbc5120e852086a4536a6ca861df963dd8bbd03f4c532bb69c761234cb4d03c500b36 |
C:\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d340bb0e05e8c54793e984c6f415dfe5 |
| SHA1 | 821a27d6c4007b89e466572417c45dfc8e0917a5 |
| SHA256 | b518013f9b94fcf512a1f6d2568511cfb17359a5f00a6f561c028efe947034f0 |
| SHA512 | 312b931a6a8083dfaa2297fefed619884df001797dc9ffb36f9bbafc06541f9e1ca8abf793d67fee05947b8c542a75bd87fbc87e4437ae521f3c1a3e543944ef |
C:\Users\Admin\AppData\Local\Temp\7B9B.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\7B9B.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a6fba5b324e3cea00946141a6e796b21 |
| SHA1 | 6939462c96d21868da74db4af7d8702a71fea6fe |
| SHA256 | 135250a319c5fb191e1cfaa0318c02b8b5b62716d81a9d79d8ef10f3288dc7bc |
| SHA512 | 7bc086a9ec73bdcb5955ab610c338e3dfe8cfcb14796294538998eec845fff0b9527f33ab1a22b02e3d9c0a5c0e7df1a4dfaafc875f5e7a7070ae9334cc61b62 |
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\7B9B.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\7B9B.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\_ISMSIDEL.INI
| MD5 | f254ff03745782556772be65bd17391f |
| SHA1 | bb30612dc6cb1141817bb8cb1d5a95a1945bae37 |
| SHA256 | 19fb2f2c6dc8b4eb17442ac35e6ba64a339ce6dff5913105a6e95d381933eced |
| SHA512 | 612c97d810f94f3e80c6b2bff50a5a60e1db49edec7a4d8e0e692d025f3b8d8db9f721b1c57d69977eb4a55060ebce77c4ee564f363825e5b4d9f94a7e68e277 |
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\Setup.INI
| MD5 | 236e86a73aa13283f042a8e0e37d817b |
| SHA1 | ccde2476172fba63fc37d4472ad164239d91722f |
| SHA256 | f4f66390a1bb0c30a78df0caf277bdd0111fecb9f53099663f56def6038cb1bf |
| SHA512 | 2a334c02b5c3d67287c49deee07f36d423176aaf51187f9edaafb73798d3a8a56c8e7c677326cc355ca4bbb4b4a851875b9c4318c78a55f3f17d0243ed1427e7 |
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\0x0409.ini
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
C:\Users\Admin\AppData\Local\Temp\iss89FD.tmp
| MD5 | 68b9e8b86c2bddab0ddf6d0f5c557a90 |
| SHA1 | 259fc4e76e750ffc3d1a19f4542a8af0491d14f5 |
| SHA256 | de6649c3a2ee6369b6b7e085b381c6d9fe17d4ba257f80666ef4a2106dc9940a |
| SHA512 | e614e1e31580fc5d262e19d30f7a96d87b1b32b4e9801f906436a59d7fc5002ac588506c0ea6f5a2bbc30641574b6a4e2a167e97fe1343219d5909ebb192986d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | fc89fd08c0e3d270ab24ce7dade2b48f |
| SHA1 | 0b0b56b65dedbfbc1ed1524bce07e45f942ac26e |
| SHA256 | 3c777f62fcc2396cd8bd324ef037f0ca6bdaa334e3c350f72b5f3168ef0bfe8a |
| SHA512 | f079cfce7f6ed9ee1130802ffcdd6d2f0f1613fd98eb6d8a8f1bc749beacbd7c8c35183ac48b689e4ec9d0922a52242ec5cc5fc95b239c5feb6676ccfdf2805d |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\Unpluralized Antifrost.msi
| MD5 | 384fdf7735b3ee70fec5dcf26a680bd3 |
| SHA1 | 0ea8725216826551e54236021a6a1df1092b098c |
| SHA256 | 74e1b2835493fb60fcdc917386c8ae42286eca322e8cc0b0c6456eb727cb959f |
| SHA512 | 36ec03bdc5b1a3ba356692a69ecd9dd6169ede8782ff41c52b114229dcbfec162b1b31cf863af2435f6b976407025fd62abab0ca540515b47aa82d0cff1dc4e8 |
C:\Windows\Installer\e589c4b.msi
| MD5 | 384fdf7735b3ee70fec5dcf26a680bd3 |
| SHA1 | 0ea8725216826551e54236021a6a1df1092b098c |
| SHA256 | 74e1b2835493fb60fcdc917386c8ae42286eca322e8cc0b0c6456eb727cb959f |
| SHA512 | 36ec03bdc5b1a3ba356692a69ecd9dd6169ede8782ff41c52b114229dcbfec162b1b31cf863af2435f6b976407025fd62abab0ca540515b47aa82d0cff1dc4e8 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Config.Msi\e589c4e.rbs
| MD5 | 06ea02ec83b45b51f0ffe5f000a38cbc |
| SHA1 | 507f559a04da9888cbe544c507c1958264804f3e |
| SHA256 | bf227b9dd84ebe8189a964fbebbd606b20ecac2cb787b3b78dade92b9221c84c |
| SHA512 | ae3c67f36b36ff60adc641428aa785451f714a5fc89cb1e6cd14b4df263756d9d5b8aa85fa525ab1f5c82a316406af94647a30f52a7b893de325973cd6e0f88b |
C:\Windows\Installer\MSIA3FC.tmp
| MD5 | 68b9e8b86c2bddab0ddf6d0f5c557a90 |
| SHA1 | 259fc4e76e750ffc3d1a19f4542a8af0491d14f5 |
| SHA256 | de6649c3a2ee6369b6b7e085b381c6d9fe17d4ba257f80666ef4a2106dc9940a |
| SHA512 | e614e1e31580fc5d262e19d30f7a96d87b1b32b4e9801f906436a59d7fc5002ac588506c0ea6f5a2bbc30641574b6a4e2a167e97fe1343219d5909ebb192986d |
C:\Windows\Installer\MSIA3FC.tmp
| MD5 | 68b9e8b86c2bddab0ddf6d0f5c557a90 |
| SHA1 | 259fc4e76e750ffc3d1a19f4542a8af0491d14f5 |
| SHA256 | de6649c3a2ee6369b6b7e085b381c6d9fe17d4ba257f80666ef4a2106dc9940a |
| SHA512 | e614e1e31580fc5d262e19d30f7a96d87b1b32b4e9801f906436a59d7fc5002ac588506c0ea6f5a2bbc30641574b6a4e2a167e97fe1343219d5909ebb192986d |
C:\Users\Admin\AppData\Local\Temp\{E6E82B62-3F2A-41DD-9C05-3AB376DEA8DF}\IsConfig.ini
| MD5 | b8a50c79678751b15c66fe334eb70c5d |
| SHA1 | aef26fd251878641ec06bad186cfd993b079d8b4 |
| SHA256 | 3278a60cfc42badbb51c967cfcc6a6be9603976eb83b68144dafc996cc3a7b23 |
| SHA512 | 0160aa0b583346ca6d62afdf19914c037583f05c709183e9b0adc636d9211a1f6cfedc35cb4e7d4bf291fe33034cd3766b26ece389db4c40fb687acffb5ca59c |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\setup.inx
| MD5 | 59c61e5180b22d32fbb3109e6898796b |
| SHA1 | 1c409028cbe6ce101d54777ec35634d0af785241 |
| SHA256 | 97a5dcfea923ceaaa85176dace8889660b1a0719c8a37730bc845e7a35ef48cc |
| SHA512 | ea499964355389cdfa3fef3c2e3b1e2da1f9533da08c9b28ed26dd7a68678ad07bee55148b040611da33e944b4af90b282cfcb47d30227b41753390d1a3c6686 |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISRT.dll
| MD5 | 251e8cc2d5611135d1cafdf6ca0994c2 |
| SHA1 | 27eefaa67d541bfc9ddca74f69d6fd5f83ec1165 |
| SHA256 | fb4f99cd0da2a02975e84206a39202eee74f0384846f2caf4417704f44e254e9 |
| SHA512 | 92cd57a98edaba3ab25be5e920e73c3486afd5433f05ba9129708520addc8dab29c779c55c4c78904001da37047b8604e322396f3bd5a0dd8b13247182abaa3f |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISRT.dll
| MD5 | 251e8cc2d5611135d1cafdf6ca0994c2 |
| SHA1 | 27eefaa67d541bfc9ddca74f69d6fd5f83ec1165 |
| SHA256 | fb4f99cd0da2a02975e84206a39202eee74f0384846f2caf4417704f44e254e9 |
| SHA512 | 92cd57a98edaba3ab25be5e920e73c3486afd5433f05ba9129708520addc8dab29c779c55c4c78904001da37047b8604e322396f3bd5a0dd8b13247182abaa3f |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\_isres_0x0409.dll
| MD5 | f8ecf9191547edc4e6bef5aeeac5dab7 |
| SHA1 | 3d616332bed37028155e825a092702d020e2c405 |
| SHA256 | 505916e8b40fdd031ee21eea40a8bee0adeac0d04e23c3a6b10ecee0217d2416 |
| SHA512 | 67e09df9b14c5dd8c70f2e7da73e7189e08ab73192dc9bf8e8a31261ae89303ded441f038ea314571775ec8c677f63eee5990e38094c99ab70675bc4981fac4e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\_isres_0x0409.dll
| MD5 | f8ecf9191547edc4e6bef5aeeac5dab7 |
| SHA1 | 3d616332bed37028155e825a092702d020e2c405 |
| SHA256 | 505916e8b40fdd031ee21eea40a8bee0adeac0d04e23c3a6b10ecee0217d2416 |
| SHA512 | 67e09df9b14c5dd8c70f2e7da73e7189e08ab73192dc9bf8e8a31261ae89303ded441f038ea314571775ec8c677f63eee5990e38094c99ab70675bc4981fac4e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\_isres_0x0409.dll
| MD5 | f8ecf9191547edc4e6bef5aeeac5dab7 |
| SHA1 | 3d616332bed37028155e825a092702d020e2c405 |
| SHA256 | 505916e8b40fdd031ee21eea40a8bee0adeac0d04e23c3a6b10ecee0217d2416 |
| SHA512 | 67e09df9b14c5dd8c70f2e7da73e7189e08ab73192dc9bf8e8a31261ae89303ded441f038ea314571775ec8c677f63eee5990e38094c99ab70675bc4981fac4e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\String1033.txt
| MD5 | 2f03bc3279c252e3407ac15607a0f697 |
| SHA1 | a81e6132d0df1f41f05eeceb301cf349016a0ccd |
| SHA256 | 6eb5f4d762f690fce2061611a5b2ba25caeb99ac59ad76c0f99325189faba7ad |
| SHA512 | dafeb4be33a28a29c3327c06c1bf6c42dc39da1e7e09ead9928d26a234885182c6b270642d836f36bca33c2b3e6e9631710b07abd6bf68286b2d8703b8e32ac8 |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\IsConfig.ini
| MD5 | b8a50c79678751b15c66fe334eb70c5d |
| SHA1 | aef26fd251878641ec06bad186cfd993b079d8b4 |
| SHA256 | 3278a60cfc42badbb51c967cfcc6a6be9603976eb83b68144dafc996cc3a7b23 |
| SHA512 | 0160aa0b583346ca6d62afdf19914c037583f05c709183e9b0adc636d9211a1f6cfedc35cb4e7d4bf291fe33034cd3766b26ece389db4c40fb687acffb5ca59c |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\ProgramData\LZMAdriver.exe
| MD5 | 90aac6489f6b226bf7dc1adabfdb1259 |
| SHA1 | c90c47b717b776922cdd09758d2b4212d9ae4911 |
| SHA256 | ba7f3627715614d113c1e1cd7dd9d47e3402a1e8a7404043e08bc14939364549 |
| SHA512 | befaa9b27dc11e226b00a651aa91cbfe1ec36127084d87d44b6cd8a5076e0a092a162059295d3fcd17abb6ea9adb3b703f3652ae558c2eef4e8932131397c12d |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEWX64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\_ISMSIDEL.INI
| MD5 | 95e38dde27a78e6fd58474313db57d5f |
| SHA1 | c55d01ceea92f3f9b2464515d6d53f3dbcffab4d |
| SHA256 | d573da8de5b5544e8dbc883b4f689261060e19a3a6961672471ed60ac24a8dbf |
| SHA512 | e2a7b3802e33b2e01adc6a179ed45d3cbef111e31a254b994b79f47aa214a003b2a524a6c4e89c2ed853532c40141c41c54655629888041e92e43f94d52fb4e1 |
C:\Users\Admin\AppData\Local\Temp\{7F846EDC-9AFD-43D4-962F-392FF39A251B}\_ISMSIDEL.INI
| MD5 | c10f0c1c213324eb2d479d8617a58197 |
| SHA1 | 5d830ffc7950e47de2a7f9efafca8425c37a382c |
| SHA256 | 06d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be |
| SHA512 | 6b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702 |