Analysis Overview
SHA256
dd006c90365637e902e928053efe8113474b928abca336497762ca580b14476b
Threat Level: Known bad
The file NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Glupteba
Djvu Ransomware
NetSupport
Glupteba payload
SmokeLoader
RedLine payload
RedLine
Detected Djvu ransomware
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Downloads MZ/PE file
Checks computer location settings
Deletes itself
Loads dropped DLL
Modifies file permissions
UPX packed file
Checks BIOS information in registry
Executes dropped EXE
Themida packer
Adds Run key to start application
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Looks up external IP address via web service
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_win_path
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
outlook_office_path
Suspicious behavior: GetForegroundWindowSpam
Modifies registry key
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-17 18:06
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-17 18:06
Reported
2023-10-17 18:10
Platform
win7-20230831-en
Max time kernel
149s
Max time network
176s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\709F.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\709F.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\709F.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\709F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8376.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8F8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jahgwbf | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8F8.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8376.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\99fdf5cd-09be-47ec-a78a-47a2ffd29549\\69DA.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\69DA.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\709F.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\709F.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2544 set thread context of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | C:\Users\Admin\AppData\Local\Temp\69DA.exe |
| PID 2424 set thread context of 2576 | N/A | C:\Users\Admin\AppData\Local\Temp\7A32.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1272 set thread context of 484 | N/A | C:\Users\Admin\AppData\Local\Temp\69DA.exe | C:\Users\Admin\AppData\Local\Temp\69DA.exe |
| PID 3008 set thread context of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\709F.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jahgwbf | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jahgwbf | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\jahgwbf | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\jahgwbf | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\709F.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B8F8.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\B8F8.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\69DA.exe
C:\Users\Admin\AppData\Local\Temp\69DA.exe
C:\Users\Admin\AppData\Local\Temp\69DA.exe
C:\Users\Admin\AppData\Local\Temp\69DA.exe
C:\Users\Admin\AppData\Local\Temp\709F.exe
C:\Users\Admin\AppData\Local\Temp\709F.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7679.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\7679.dll
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\99fdf5cd-09be-47ec-a78a-47a2ffd29549" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\7A32.exe
C:\Users\Admin\AppData\Local\Temp\7A32.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\8376.exe
C:\Users\Admin\AppData\Local\Temp\8376.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Users\Admin\AppData\Local\Temp\B8F8.exe
C:\Users\Admin\AppData\Local\Temp\B8F8.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\69DA.exe
"C:\Users\Admin\AppData\Local\Temp\69DA.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\taskeng.exe
taskeng.exe {A0B7B7FC-1160-4C25-BCD7-474EE18474C6} S-1-5-21-607259312-1573743425-2763420908-1000:NGTQGRML\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\69DA.exe
"C:\Users\Admin\AppData\Local\Temp\69DA.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Roaming\jahgwbf
C:\Users\Admin\AppData\Roaming\jahgwbf
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231017181025.log C:\Windows\Logs\CBS\CbsPersist_20231017181025.cab
C:\Users\Admin\AppData\Local\Temp\B8F8.exe
"C:\Users\Admin\AppData\Local\Temp\B8F8.exe"
C:\Users\Admin\AppData\Local\fe58b196-4560-4eff-bdc6-f3dc8284d93b\build2.exe
"C:\Users\Admin\AppData\Local\fe58b196-4560-4eff-bdc6-f3dc8284d93b\build2.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 172.67.213.185:443 | loveperry.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FR | 51.254.67.186:16176 | | tcp |
| RU | 31.41.244.27:41140 | | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| AL | 95.107.163.44:80 | zexeq.com | tcp |
| MX | 187.204.68.14:80 | colisumy.com | tcp |
| AL | 95.107.163.44:80 | zexeq.com | tcp |
Files
memory/2892-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2892-1-0x0000000000900000-0x0000000000A00000-memory.dmp
memory/2892-3-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/2892-5-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/1204-4-0x00000000029E0000-0x00000000029F6000-memory.dmp
memory/2892-8-0x0000000000220000-0x000000000022B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2544-21-0x0000000000280000-0x0000000000312000-memory.dmp
memory/2544-22-0x0000000000280000-0x0000000000312000-memory.dmp
memory/2204-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2544-23-0x0000000001ED0000-0x0000000001FEB000-memory.dmp
memory/2204-28-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2544-31-0x0000000000280000-0x0000000000312000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2204-32-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2204-33-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\709F.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/3008-38-0x0000000000A50000-0x00000000011F8000-memory.dmp
memory/3008-39-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-40-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-41-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-42-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-56-0x0000000077E30000-0x0000000077E32000-memory.dmp
memory/3008-55-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-54-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-53-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-52-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-51-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-50-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-49-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-48-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-47-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-46-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-45-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-44-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-43-0x0000000077570000-0x00000000775B7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7679.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
\Users\Admin\AppData\Local\Temp\7679.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
C:\Users\Admin\AppData\Local\Temp\7A32.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
C:\Users\Admin\AppData\Local\Temp\7A32.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
memory/1012-84-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/3008-85-0x0000000000A50000-0x00000000011F8000-memory.dmp
memory/1012-89-0x0000000000340000-0x0000000000346000-memory.dmp
memory/3008-88-0x00000000747E0000-0x0000000074ECE000-memory.dmp
memory/2204-90-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8376.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\8376.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3008-97-0x0000000000A50000-0x00000000011F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\99fdf5cd-09be-47ec-a78a-47a2ffd29549\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/1012-101-0x0000000002080000-0x000000000219B000-memory.dmp
memory/2576-102-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2576-103-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3008-105-0x0000000077570000-0x00000000775B7000-memory.dmp
memory/2576-104-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2576-107-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3008-110-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/3008-108-0x00000000770C0000-0x00000000771D0000-memory.dmp
memory/2576-111-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2576-112-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1012-113-0x00000000021A0000-0x000000000229F000-memory.dmp
memory/1012-116-0x00000000021A0000-0x000000000229F000-memory.dmp
memory/1012-117-0x00000000021A0000-0x000000000229F000-memory.dmp
memory/3008-118-0x00000000747E0000-0x0000000074ECE000-memory.dmp
memory/2576-120-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2576-122-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2576-123-0x00000000747E0000-0x0000000074ECE000-memory.dmp
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2204-127-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\B8F8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Users\Admin\AppData\Local\Temp\B8F8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/2864-136-0x00000000027E0000-0x0000000002BD8000-memory.dmp
memory/2864-139-0x00000000027E0000-0x0000000002BD8000-memory.dmp
memory/2864-140-0x0000000002BE0000-0x00000000034CB000-memory.dmp
memory/2864-141-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/1744-143-0x0000000000070000-0x0000000000077000-memory.dmp
memory/1744-144-0x0000000000060000-0x000000000006C000-memory.dmp
memory/1744-142-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2576-146-0x00000000747E0000-0x0000000074ECE000-memory.dmp
memory/1744-145-0x0000000000070000-0x0000000000077000-memory.dmp
memory/2864-149-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/2864-150-0x00000000027E0000-0x0000000002BD8000-memory.dmp
memory/3008-151-0x0000000005680000-0x00000000056C0000-memory.dmp
memory/2576-152-0x0000000000710000-0x0000000000750000-memory.dmp
memory/2240-154-0x00000000000F0000-0x0000000000165000-memory.dmp
memory/2240-155-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/2240-156-0x0000000000080000-0x00000000000EB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2864-159-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/2240-172-0x0000000000080000-0x00000000000EB000-memory.dmp
memory/3008-173-0x0000000005680000-0x00000000056C0000-memory.dmp
memory/2576-174-0x0000000000710000-0x0000000000750000-memory.dmp
\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2204-180-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/1272-182-0x0000000000330000-0x00000000003C2000-memory.dmp
memory/3008-185-0x0000000000440000-0x000000000045C000-memory.dmp
memory/2864-187-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B8F8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/1272-191-0x0000000000330000-0x00000000003C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/484-197-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 508e58d63559d8f9e38a6eefa028e871 |
| SHA1 | 846b4e22ab90cec7963572efb52e673db1c323e8 |
| SHA256 | 5c50780d809f71fb9b08c05f00dc63b25fd74d7e6528f979bd4bf4b7e9e964a8 |
| SHA512 | 45e327110d0825009587c3d3f9ea182cff5852eb1341c5b5f1c95ff902d5672eb94d2d76aa3960cc8ddd48663ef0e969af1816f61e9ffcdfdb4fc80f049d3eeb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | c35678bde22edcdbd73bf85248996c03 |
| SHA1 | 730ce27a1ad5492442b65d22074e12ae15a80cf7 |
| SHA256 | 356b1047ceeb2559775707f6e5cac16c8fcdda0a32b6f9f1c995c525009bcbe9 |
| SHA512 | 46ae3ab723b692092c06521bcfcee4af876f65d3552f129b6908f554ec9c041582c177949135754639caae13fbabdc01e679cd668d44db13cbdd001b1317e324 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 2bed60a099c0befd2290e853fda1ebe4 |
| SHA1 | 7d82760a043dec0ffac504af846470fd78bca454 |
| SHA256 | 12665ee468ad8339a36cea221c088f5816d2ec30819c76c7ba2cdb36f9d0b44f |
| SHA512 | 39a5623568a7deddb88b1811acb610d9af2b7fc57e7512a11bdf1597ae6fa223e2c74116d1d8dc392b2b7b65f021c23aa5f26255607b37712a2754710d4ffb98 |
C:\Users\Admin\AppData\Local\Temp\Cab81CD.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 25b9bc84827417f40de8f86219108641 |
| SHA1 | 1dfed21dec6b51dda82e9f89cbac3794397ee8f3 |
| SHA256 | 11c58f138723424ac65eb7fbdbdd30cdb5172c850f3f68becbbbd532f42a386e |
| SHA512 | cf2c750618596d2a7ae89f0004443cd0e1e72d2d1a1eee33caf07d2eebfbc5513575b2acc59215033c2ad1f5f60fcae1bdc2c834d6f1f833206b7b570cdf29c1 |
memory/2864-211-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Users\Admin\AppData\Roaming\jahgwbf
| MD5 | 74850f2bb7249ed842da5aa5f35e160f |
| SHA1 | f3676a0125b06ae56e212a9c81b80ad1aa926186 |
| SHA256 | dd006c90365637e902e928053efe8113474b928abca336497762ca580b14476b |
| SHA512 | bf830705fc88e9adf95bde0d78f65cdbd2c8bd115f45b5359f7be871157863f21248c077e2bd02b62ced7e67491a5fc1b2707c14ab3e47f6f00d321fbdbac228 |
memory/3008-216-0x0000000000440000-0x0000000000455000-memory.dmp
memory/3008-217-0x0000000000440000-0x0000000000455000-memory.dmp
memory/3008-225-0x0000000000440000-0x0000000000455000-memory.dmp
memory/3008-223-0x0000000000440000-0x0000000000455000-memory.dmp
memory/3008-221-0x0000000000440000-0x0000000000455000-memory.dmp
memory/3008-219-0x0000000000440000-0x0000000000455000-memory.dmp
memory/2796-242-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/2796-241-0x0000000000270000-0x0000000000370000-memory.dmp
memory/3008-243-0x00000000004A0000-0x00000000004A1000-memory.dmp
memory/484-244-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1800-257-0x00000000747E0000-0x0000000074ECE000-memory.dmp
memory/1800-256-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3008-258-0x0000000005680000-0x00000000056C0000-memory.dmp
memory/1800-259-0x0000000007160000-0x00000000071A0000-memory.dmp
memory/2796-265-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/3008-269-0x00000000770C0000-0x00000000771D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B8F8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
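Two things in the dropped-files list above are easy to miss when reading hash rows by eye: 69DA.exe is recorded twice, once with and once without the drive letter, with identical digests, and C:\Users\Admin\AppData\Roaming\jahgwbf carries the same SHA256 as the submitted sample (dd006c90...), so it is a byte-identical copy of it written into the user's roaming profile. The following parser is an added example and is not part of the sandbox report: it reads these path-plus-hash-row entries, rejects digests of the wrong length (a common copy-and-paste error), groups paths by SHA256 and reports which dropped files are copies of the sample. The excerpt is copied from the entries above; treating a drive-less path as living on C: is an assumption made for the example.

```python
import re
from collections import defaultdict

# SHA256 of the submitted sample, taken from the report's own file name
# (NEAS.NEASdd006c90...exeexe_JC.exe).
SAMPLE_SHA256 = "dd006c90365637e902e928053efe8113474b928abca336497762ca580b14476b"

# Excerpt copied from the dropped-files list above (report data, shortened to
# the MD5/SHA256 rows; one memory-dump line is kept to show how it is skipped).
REPORT_EXCERPT = r"""
\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
memory/1272-191-0x0000000000330000-0x00000000003C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\69DA.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
C:\Users\Admin\AppData\Roaming\jahgwbf
| MD5 | 74850f2bb7249ed842da5aa5f35e160f |
| SHA256 | dd006c90365637e902e928053efe8113474b928abca336497762ca580b14476b |
C:\Users\Admin\AppData\Local\Temp\B8F8.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_artifacts(text):
    """Parse 'path line followed by | ALGO | hex | rows' into a list of entries.

    Each entry is {"path": str, "hashes": {algo: lowercase hex}}. Memory-dump
    lines (memory/<pid>-<n>-...) are not files and close the current entry.
    """
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} has {len(digest)} hex chars, expected "
                                 f"{HASH_LEN[algo]}: {current['path']}")
            current["hashes"][algo] = digest
            continue
        if line.startswith("memory/"):
            current = None
            continue
        current = {"path": line, "hashes": {}}
        entries.append(current)
    return entries


def normalize_path(path):
    """Case-fold and add the drive letter the report sometimes omits.

    ASSUMPTION (example only): a drive-less path such as the first 69DA.exe
    entry above lives on C:.
    """
    p = path.replace("/", "\\")
    if p.startswith("\\"):
        p = "C:" + p
    return p.lower()


def group_by_sha256(entries):
    """Map SHA256 -> sorted list of distinct normalized paths carrying it."""
    groups = defaultdict(set)
    for e in entries:
        digest = e["hashes"].get("SHA256")
        if digest:
            groups[digest].add(normalize_path(e["path"]))
    return {d: sorted(paths) for d, paths in groups.items()}


def self_copies(groups, sample_sha256):
    """Paths whose content is byte-identical to the submitted sample."""
    return groups.get(sample_sha256.lower(), [])


if __name__ == "__main__":
    groups = group_by_sha256(parse_artifacts(REPORT_EXCERPT))
    for digest, paths in groups.items():
        print(digest[:16], *paths, sep="\n    ")
    print("self-copies of the sample:", self_copies(groups, SAMPLE_SHA256))
```

Run against the full behavioral1 list, the same grouping also shows which CryptnetUrlCache entries are just certificate-revocation cache noise from the Windows crypto stack rather than payloads, since nothing else shares their hashes.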
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-17 18:06
Reported
2023-10-17 18:09
Platform
win10v2004-20230915-en
Max time kernel
84s
Max time network
154s
Command Line
Signatures
Amadey
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
NetSupport
RedLine
RedLine payload
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\7EB2.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7EB2.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\7EB2.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8A6D.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7AF7.exe | N/A |
Deletes itself
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7AF7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7AF7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7EB2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82CA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8A6D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9078.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7AF7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7AF7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
UPX packed file
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\495494f6-2be5-42f3-a0b3-546aac95ef63\\7AF7.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\7AF7.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7EB2.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7EB2.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1688 set thread context of 2272 | N/A | C:\Users\Admin\AppData\Local\Temp\7AF7.exe | C:\Users\Admin\AppData\Local\Temp\7AF7.exe |
| PID 4596 set thread context of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\7AF7.exe | C:\Users\Admin\AppData\Local\Temp\7AF7.exe |
| PID 3712 set thread context of 4724 | N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7AF7.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9078.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9078.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9078.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9078.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege (12 calls) | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege (12 calls) | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege (3 calls) | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\9721.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASdd006c90365637e902e928053efe8113474b928abca336497762ca580b14476bexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
C:\Users\Admin\AppData\Local\Temp\7EB2.exe
C:\Users\Admin\AppData\Local\Temp\7EB2.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\81C0.dll
C:\Users\Admin\AppData\Local\Temp\82CA.exe
C:\Users\Admin\AppData\Local\Temp\82CA.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\81C0.dll
C:\Users\Admin\AppData\Local\Temp\8A6D.exe
C:\Users\Admin\AppData\Local\Temp\8A6D.exe
C:\Users\Admin\AppData\Local\Temp\9078.exe
C:\Users\Admin\AppData\Local\Temp\9078.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\495494f6-2be5-42f3-a0b3-546aac95ef63" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\9721.exe
C:\Users\Admin\AppData\Local\Temp\9721.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
"C:\Users\Admin\AppData\Local\Temp\7AF7.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
"C:\Users\Admin\AppData\Local\Temp\7AF7.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2808 -ip 2808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 572
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\9721.exe
"C:\Users\Admin\AppData\Local\Temp\9721.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\3E3F.exe
C:\Users\Admin\AppData\Local\Temp\3E3F.exe
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\3E3F.exe
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\3E3F.exe /q"C:\Users\Admin\AppData\Local\Temp\3E3F.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}" /IS_temp
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\SysWOW64\MSIEXEC.EXE
"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\Unpluralized Antifrost.msi" /qn SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="3E3F.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0FE784B2090025EB92300CABD17CA990
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C91A875-64B9-4869-9320-B3D4D4564986}
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C7B62361-148D-4131-A371-EA2899B6CDF1}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D3C4569-1AD3-41C0-A44D-2C11EE530485}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9ACF9DED-A067-4492-9CF7-CFE84032EC29}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7B4069A7-298B-4052-8E13-7D27FFE12E46}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5A8405A6-2EB5-490C-A639-D0D2CF216EC3}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10C09A88-AAC2-4486-BB3A-2EE4643E8D26}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BE1E3A94-FB1D-4D05-83FC-F98B6263D2E8}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F9E20491-48A7-4C9C-9ADA-1C51AD2C04E7}
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0517ACF5-D556-4E8D-92F6-20CE48299546}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c LZMAdriver.exe x dism.7z -o%ProgramData% -pJWWF92HAadWoSJXC
C:\ProgramData\LZMAdriver.exe
LZMAdriver.exe x dism.7z -oC:\ProgramData -pJWWF92HAadWoSJXC
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d %ProgramData%\Dism\CompatProvider.exe /f
C:\Windows\SysWOW64\reg.exe
reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\ProgramData\Dism\CompatProvider.exe /f
C:\ProgramData\Dism\CompatProvider.exe
C:\ProgramData\Dism\CompatProvider.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rmdir /s /q "C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.209.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.34.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 104.21.86.8:443 | loveperry.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 31.41.244.27:41140 | | tcp |
| US | 8.8.8.8:53 | 27.244.41.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wirtshauspost.at | udp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | 37.203.224.190.in-addr.arpa | udp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | toennjeskenya.com | udp |
| GB | 77.95.113.16:443 | toennjeskenya.com | tcp |
| US | 8.8.8.8:53 | 16.113.95.77.in-addr.arpa | udp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| AR | 190.224.203.37:80 | wirtshauspost.at | tcp |
| US | 8.8.8.8:53 | b35ee75c-909d-4939-91e2-d0c176a24f1e.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | server1.statsexplorer.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| IN | 172.253.121.127:19302 | stun1.l.google.com | udp |
| BG | 185.82.216.108:443 | server1.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.97.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.121.253.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | glaciecrw.cfd | udp |
| RO | 185.225.17.47:136 | glaciecrw.cfd | tcp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp |
| GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp |
| GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | 47.17.225.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.138.172.62.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server1.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/2312-1-0x0000000000AC0000-0x0000000000BC0000-memory.dmp
memory/2312-2-0x0000000000A70000-0x0000000000A7B000-memory.dmp
memory/2312-3-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/2312-9-0x0000000000A70000-0x0000000000A7B000-memory.dmp
memory/2312-5-0x0000000000400000-0x00000000007CC000-memory.dmp
memory/3188-4-0x0000000003410000-0x0000000003426000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/1688-21-0x00000000022F0000-0x000000000238F000-memory.dmp
memory/1688-22-0x0000000002390000-0x00000000024AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2272-23-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2272-25-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7EB2.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
C:\Users\Admin\AppData\Local\Temp\7EB2.exe
| MD5 | 77f6f0504e40c95483da601ee1de4a4e |
| SHA1 | 628094e713d9f970b63091f6dec44f8feb6e26b2 |
| SHA256 | ad6a9a78ad3c6dceb908df1a46665b85c91888b4915fd514c0305048d8e8c111 |
| SHA512 | 7e01b7917d61054360ef451a0a4a4be856e04bda77082fd63beae43e345af61c10d11f64021182913f74248b41b037a40d83e9cb6f2897a99001591bd2595b63 |
memory/3712-30-0x0000000000D80000-0x0000000001528000-memory.dmp
memory/2272-31-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3712-32-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3712-33-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3712-35-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3712-36-0x00000000779B0000-0x0000000077AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\81C0.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/3712-39-0x00000000779B0000-0x0000000077AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\82CA.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
memory/3712-45-0x00000000779B0000-0x0000000077AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\82CA.exe
| MD5 | 9a31a97c4280c2f132874184bc1864eb |
| SHA1 | 424f3577733ecdf081cff3c0b765668fa94bf106 |
| SHA256 | d50a823a85ebd19a7e61abd091d90b5735c78a4f9f0f32f99c05846c2be45681 |
| SHA512 | 01facbb50b5cc39e2f91f79e0c3b0448a5804650459c06ee1287f587376df474b30348d825efc8ea6fe2773762db5cad328dc07df53c1273208692d4662dd87c |
memory/3712-46-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/2272-44-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3712-37-0x00000000779B0000-0x0000000077AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\81C0.dll
| MD5 | a43d9991721fcd1521677bf31c21ce21 |
| SHA1 | 0e86179bdcf8685b9bd7da13cd9aa10218f0d81c |
| SHA256 | 6561ae7f88e51c053e856b98418192ff7aa85a4f7a16460fb769073fe4535197 |
| SHA512 | 233bf239b73e9b398d2666ab21cd3ecf930b98c935cbe5e7d5f325fb8bdb9b7ec064a4aecc73228fbb9c35a9f0dd1503e2f66b6f18e5931d0f4567fc2dc02459 |
memory/3712-47-0x0000000077B24000-0x0000000077B26000-memory.dmp
memory/3040-50-0x0000000010000000-0x00000000101E3000-memory.dmp
memory/3040-49-0x0000000000460000-0x0000000000466000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8A6D.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3712-60-0x0000000000D80000-0x0000000001528000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8A6D.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3712-64-0x0000000006330000-0x00000000068D4000-memory.dmp
memory/3712-65-0x0000000005E60000-0x0000000005EF2000-memory.dmp
memory/3712-68-0x00000000060A0000-0x000000000613C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\9078.exe
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\9078.exe
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3712-83-0x0000000006030000-0x000000000603A000-memory.dmp
memory/3040-84-0x0000000002200000-0x000000000231B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9721.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/3416-92-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/3064-93-0x0000000000630000-0x000000000069B000-memory.dmp
memory/3416-90-0x00000000021C0000-0x00000000021CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9721.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/3416-87-0x0000000000720000-0x0000000000820000-memory.dmp
memory/3712-95-0x0000000000D80000-0x0000000001528000-memory.dmp
memory/3712-97-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3712-96-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3712-98-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3196-100-0x0000000000F70000-0x0000000000F7C000-memory.dmp
memory/3064-101-0x0000000000630000-0x000000000069B000-memory.dmp
memory/3712-104-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3712-107-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3196-102-0x0000000000F70000-0x0000000000F7C000-memory.dmp
memory/3712-108-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3712-112-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/3040-119-0x0000000002320000-0x000000000241F000-memory.dmp
memory/3064-99-0x00000000006A0000-0x0000000000720000-memory.dmp
memory/3040-131-0x0000000002320000-0x000000000241F000-memory.dmp
memory/3712-133-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/4220-134-0x0000000002AC0000-0x0000000002EC3000-memory.dmp
memory/2272-132-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4220-135-0x0000000002ED0000-0x00000000037BB000-memory.dmp
memory/4220-138-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Users\Admin\AppData\Local\495494f6-2be5-42f3-a0b3-546aac95ef63\7AF7.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/3064-141-0x0000000000630000-0x000000000069B000-memory.dmp
memory/3188-142-0x0000000003240000-0x0000000003256000-memory.dmp
memory/3416-145-0x0000000000400000-0x00000000005B6000-memory.dmp
memory/3040-139-0x0000000002320000-0x000000000241F000-memory.dmp
memory/2272-146-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/4596-150-0x0000000002160000-0x0000000002201000-memory.dmp
memory/2808-154-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2808-153-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7AF7.exe
| MD5 | 3d0534c699f0f264c2ecedebb5cf3af8 |
| SHA1 | f0cb1804fe81dba82b085e51d64953a77dc5e174 |
| SHA256 | e4f573f8d774dce16cdd944525f599465be442656870081fb66f91dd2b7db230 |
| SHA512 | 69d8c00bc663cea2c5deca5bdc24b59f1e82d5439676b9eb2a719902c273d5611c2cfc00b72c750411f06361b74ace3e8b16ae3c20a755418f5432479603b62d |
memory/2808-156-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3712-159-0x0000000006080000-0x000000000609C000-memory.dmp
memory/3712-161-0x0000000006080000-0x0000000006095000-memory.dmp
memory/3712-162-0x0000000006080000-0x0000000006095000-memory.dmp
memory/4220-160-0x0000000000400000-0x0000000000D6F000-memory.dmp
memory/2868-165-0x0000000002AC0000-0x0000000002AF6000-memory.dmp
memory/3712-168-0x0000000006080000-0x0000000006095000-memory.dmp
memory/4220-166-0x0000000002AC0000-0x0000000002EC3000-memory.dmp
memory/3712-164-0x0000000006080000-0x0000000006095000-memory.dmp
memory/3712-170-0x0000000006080000-0x0000000006095000-memory.dmp
memory/3712-172-0x0000000006080000-0x0000000006095000-memory.dmp
memory/3712-174-0x0000000006080000-0x0000000006095000-memory.dmp
memory/3712-177-0x0000000006080000-0x0000000006095000-memory.dmp
memory/2868-176-0x0000000005220000-0x0000000005848000-memory.dmp
memory/2868-178-0x00000000739B0000-0x0000000074160000-memory.dmp
memory/2868-180-0x0000000002AB0000-0x0000000002AC0000-memory.dmp
memory/2868-182-0x0000000002AB0000-0x0000000002AC0000-memory.dmp
memory/3712-184-0x0000000006080000-0x0000000006095000-memory.dmp
memory/3712-186-0x0000000006080000-0x0000000006095000-memory.dmp
memory/3712-181-0x0000000006080000-0x0000000006095000-memory.dmp
memory/3712-188-0x0000000006080000-0x0000000006095000-memory.dmp
memory/3712-190-0x0000000006080000-0x0000000006095000-memory.dmp
memory/2868-192-0x00000000051D0000-0x00000000051F2000-memory.dmp
memory/4724-191-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2868-195-0x00000000059C0000-0x0000000005A26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iplqedwl.y5a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3712-201-0x0000000000D80000-0x0000000001528000-memory.dmp
memory/3712-205-0x00000000779B0000-0x0000000077AA0000-memory.dmp
memory/4724-210-0x00000000077E0000-0x00000000077F0000-memory.dmp
memory/3712-204-0x0000000006200000-0x0000000006210000-memory.dmp
memory/2868-211-0x0000000005C90000-0x0000000005FE4000-memory.dmp
memory/4724-203-0x00000000739B0000-0x0000000074160000-memory.dmp
memory/2868-202-0x0000000005A30000-0x0000000005A96000-memory.dmp
memory/4724-212-0x0000000008910000-0x0000000008F28000-memory.dmp
memory/4724-213-0x0000000007AC0000-0x0000000007AD2000-memory.dmp
memory/4724-214-0x0000000007BF0000-0x0000000007CFA000-memory.dmp
memory/2868-215-0x00000000060A0000-0x00000000060BE000-memory.dmp
memory/4220-227-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Users\Admin\AppData\Roaming\cgaftfh
| MD5 | a6cc2635415872e2cfa5bc586b8d5ac1 |
| SHA1 | 1ab7f97be976876998982fef5a4f54f29325ff10 |
| SHA256 | 2c7f187a9372f97c7cb6cdc8143a832d2790188bf194f251460ac990b9074d5e |
| SHA512 | cdf59bea2bfc872b8b39d5553c9b91292afcd73e3c9bf7a95ce14734052e6718cbc6379358447b115dbd2967ad3bd933e135b7e7c40d98ddaca7f50c1ac0f7ad |
C:\Users\Admin\AppData\Local\Temp\9721.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
memory/4220-296-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 665ebd23e7b9b962d7ec1244fa6d1ff7 |
| SHA1 | 406b3cc6e466f6b5326ed28fa6d9d33ffb42c1db |
| SHA256 | 27bc97c7902e9748206c353d972f559990fb1f28507c2f5e41abe06c924d1662 |
| SHA512 | d16724a875487ecf171c3a810f90650dd3401fb249380b6c1e3b2258680f5dced87ada14a5e5b4acc2902637aaefebd01e21dc49256779bd7d1b9411fb801b59 |
memory/892-315-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 07c9b7569779215b2cb12d7ef7fecf2d |
| SHA1 | ce8c37adfb311f37f4ce6da25c1e787f21da5647 |
| SHA256 | 7bcdcbf02393ca1944213bcc013e0ab5af504946e21dcf3aeab29aa7612959eb |
| SHA512 | 612019df8e4b6996691ad1e3bf8734afda97866f5f9e699843f00fdeaf45f9d83fbaa666acb983a1cad7d2c31a35a4fd5f9410b32bc0ccde2cd5eda76d5e2f28 |
C:\Users\Admin\AppData\Local\Temp\3E3F.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\3E3F.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\3E3F.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\3E3F.exe
| MD5 | 646396a1f9b3474ad8533953a3583b4b |
| SHA1 | 9cc3b41381d97196f93d2d551492909d82f58dde |
| SHA256 | 3407337dea12501ed2d524ed049d69a8e188bcd585f1a4055b60d4369cfc348b |
| SHA512 | 223190dce842653d2adb18dfc2f757f67cd05d313ec312f82dabbfc07c7ec9236807974b8797001afdaede968dba9ec82e4c7fb8ffff49be646fd442533031fa |
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\_ISMSIDEL.INI
| MD5 | 3d93149e735617326ab75fb3b04540c4 |
| SHA1 | e9d4468ea3b8e93e803876bb92c1f488264320b3 |
| SHA256 | a2ca533ad0e5bbe8d29ca5440cd23202234019ffed133866a7d7ae0d284910fd |
| SHA512 | 0a756297a872ee02fc1e2865d290e744aaa2bb338ba0f03c6e8bd324ce711d0a05412ee895952a41db62cbaf0550205f3dc9547d74e00537839f72ae56bc08e2 |
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\Setup.INI
| MD5 | 236e86a73aa13283f042a8e0e37d817b |
| SHA1 | ccde2476172fba63fc37d4472ad164239d91722f |
| SHA256 | f4f66390a1bb0c30a78df0caf277bdd0111fecb9f53099663f56def6038cb1bf |
| SHA512 | 2a334c02b5c3d67287c49deee07f36d423176aaf51187f9edaafb73798d3a8a56c8e7c677326cc355ca4bbb4b4a851875b9c4318c78a55f3f17d0243ed1427e7 |
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\0x0409.ini
| MD5 | a108f0030a2cda00405281014f897241 |
| SHA1 | d112325fa45664272b08ef5e8ff8c85382ebb991 |
| SHA256 | 8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948 |
| SHA512 | d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298 |
memory/892-395-0x0000000000400000-0x0000000000D6F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\iss49C3.tmp
| MD5 | 68b9e8b86c2bddab0ddf6d0f5c557a90 |
| SHA1 | 259fc4e76e750ffc3d1a19f4542a8af0491d14f5 |
| SHA256 | de6649c3a2ee6369b6b7e085b381c6d9fe17d4ba257f80666ef4a2106dc9940a |
| SHA512 | e614e1e31580fc5d262e19d30f7a96d87b1b32b4e9801f906436a59d7fc5002ac588506c0ea6f5a2bbc30641574b6a4e2a167e97fe1343219d5909ebb192986d |
C:\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Windows\rss\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
| SHA512 | af8402aa35dc3f2fd112359c0a34187756e258f96f67775513b7df2ddaf0f0b7887f730b877ba16ccd8fa5f95f54a47355dacc226f5c6c5cdf2aa7b596a6872c |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\Unpluralized Antifrost.msi
| MD5 | 384fdf7735b3ee70fec5dcf26a680bd3 |
| SHA1 | 0ea8725216826551e54236021a6a1df1092b098c |
| SHA256 | 74e1b2835493fb60fcdc917386c8ae42286eca322e8cc0b0c6456eb727cb959f |
| SHA512 | 36ec03bdc5b1a3ba356692a69ecd9dd6169ede8782ff41c52b114229dcbfec162b1b31cf863af2435f6b976407025fd62abab0ca540515b47aa82d0cff1dc4e8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 95792d10d54d9df28bddb63b85ec2ce5 |
| SHA1 | dfec092fe8d2acf5e34ff8ec7f8aac80fe569055 |
| SHA256 | aa751c3d3d61233006cebb12144944be7a5f77a89fd80e497b03e636f4535cd0 |
| SHA512 | 517dad8e2cd556d826eaf65dffbe0de278b7f494ae1d026457bc2684d67e00795a586e85dc59352995f4595bfe94142d9a10804661b2d47e1ccbd05424c2cc5e |
C:\Windows\Installer\e595f7b.msi
| MD5 | 384fdf7735b3ee70fec5dcf26a680bd3 |
| SHA1 | 0ea8725216826551e54236021a6a1df1092b098c |
| SHA256 | 74e1b2835493fb60fcdc917386c8ae42286eca322e8cc0b0c6456eb727cb959f |
| SHA512 | 36ec03bdc5b1a3ba356692a69ecd9dd6169ede8782ff41c52b114229dcbfec162b1b31cf863af2435f6b976407025fd62abab0ca540515b47aa82d0cff1dc4e8 |
C:\Config.Msi\e595f7e.rbs
| MD5 | 2e0bd44078f59b515a3f1175243cc59f |
| SHA1 | ad4b129e39453a627164f6bcb0ce2c11bb4f4761 |
| SHA256 | 861bd19d1eb36839a621881a299a95f68780865b46e6a5d3db9f5902b8086929 |
| SHA512 | 4d32544bac05fe8e9585be9842f5db5661de38594906553bb4dd809a37cebc87697a355c56ce427637c1ea69a492dac7a4d031357af40ac1040d3b4977bacc0f |
C:\Windows\Installer\MSI71FB.tmp
| MD5 | 68b9e8b86c2bddab0ddf6d0f5c557a90 |
| SHA1 | 259fc4e76e750ffc3d1a19f4542a8af0491d14f5 |
| SHA256 | de6649c3a2ee6369b6b7e085b381c6d9fe17d4ba257f80666ef4a2106dc9940a |
| SHA512 | e614e1e31580fc5d262e19d30f7a96d87b1b32b4e9801f906436a59d7fc5002ac588506c0ea6f5a2bbc30641574b6a4e2a167e97fe1343219d5909ebb192986d |
C:\Users\Admin\AppData\Local\Temp\{8E612A24-7A57-458B-A70B-4B5F6AFB75E9}\IsConfig.ini
| MD5 | b8a50c79678751b15c66fe334eb70c5d |
| SHA1 | aef26fd251878641ec06bad186cfd993b079d8b4 |
| SHA256 | 3278a60cfc42badbb51c967cfcc6a6be9603976eb83b68144dafc996cc3a7b23 |
| SHA512 | 0160aa0b583346ca6d62afdf19914c037583f05c709183e9b0adc636d9211a1f6cfedc35cb4e7d4bf291fe33034cd3766b26ece389db4c40fb687acffb5ca59c |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\setup.inx
| MD5 | 59c61e5180b22d32fbb3109e6898796b |
| SHA1 | 1c409028cbe6ce101d54777ec35634d0af785241 |
| SHA256 | 97a5dcfea923ceaaa85176dace8889660b1a0719c8a37730bc845e7a35ef48cc |
| SHA512 | ea499964355389cdfa3fef3c2e3b1e2da1f9533da08c9b28ed26dd7a68678ad07bee55148b040611da33e944b4af90b282cfcb47d30227b41753390d1a3c6686 |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEW64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | fed84dc8e74b1ebc5aa332159b8459b4 |
| SHA1 | 736ceb15e1946ad1db461836646cf2dc6b95bc48 |
| SHA256 | 7ffee9c9f5309ffeae68c0b603f530c62755edc6d100f9f469d2b5f506606aa4 |
| SHA512 | 0b4f0f563e83f59418a6b5033162f8ca9f33a668d893400be5242a90748360a57c163f3a953139869398d8e4e855a70b58d6462d16fc66aed094efc0bd1f9bed |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISRT.dll
| MD5 | 251e8cc2d5611135d1cafdf6ca0994c2 |
| SHA1 | 27eefaa67d541bfc9ddca74f69d6fd5f83ec1165 |
| SHA256 | fb4f99cd0da2a02975e84206a39202eee74f0384846f2caf4417704f44e254e9 |
| SHA512 | 92cd57a98edaba3ab25be5e920e73c3486afd5433f05ba9129708520addc8dab29c779c55c4c78904001da37047b8604e322396f3bd5a0dd8b13247182abaa3f |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\_isres_0x0409.dll
| MD5 | f8ecf9191547edc4e6bef5aeeac5dab7 |
| SHA1 | 3d616332bed37028155e825a092702d020e2c405 |
| SHA256 | 505916e8b40fdd031ee21eea40a8bee0adeac0d04e23c3a6b10ecee0217d2416 |
| SHA512 | 67e09df9b14c5dd8c70f2e7da73e7189e08ab73192dc9bf8e8a31261ae89303ded441f038ea314571775ec8c677f63eee5990e38094c99ab70675bc4981fac4e |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\String1033.txt
| MD5 | 2f03bc3279c252e3407ac15607a0f697 |
| SHA1 | a81e6132d0df1f41f05eeceb301cf349016a0ccd |
| SHA256 | 6eb5f4d762f690fce2061611a5b2ba25caeb99ac59ad76c0f99325189faba7ad |
| SHA512 | dafeb4be33a28a29c3327c06c1bf6c42dc39da1e7e09ead9928d26a234885182c6b270642d836f36bca33c2b3e6e9631710b07abd6bf68286b2d8703b8e32ac8 |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\IsConfig.ini
| MD5 | b8a50c79678751b15c66fe334eb70c5d |
| SHA1 | aef26fd251878641ec06bad186cfd993b079d8b4 |
| SHA256 | 3278a60cfc42badbb51c967cfcc6a6be9603976eb83b68144dafc996cc3a7b23 |
| SHA512 | 0160aa0b583346ca6d62afdf19914c037583f05c709183e9b0adc636d9211a1f6cfedc35cb4e7d4bf291fe33034cd3766b26ece389db4c40fb687acffb5ca59c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1b5f504af57936371caebceb818bca08 |
| SHA1 | 8eba9d2fc342158102fbd241e491735f8cf6583b |
| SHA256 | ecec876c9f3ad3327d398396025597d0d6c61ed6c9a0aae907ffce3dd717536d |
| SHA512 | f4b60a70739c9d7d5bf68e158c11ccb996d2acc1229327dade7889ef699a61469af770b777a3672ced2665d5330e83ce03140a38a907b767bf18890e35b1c11e |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\ProgramData\LZMAdriver.exe
| MD5 | 90aac6489f6b226bf7dc1adabfdb1259 |
| SHA1 | c90c47b717b776922cdd09758d2b4212d9ae4911 |
| SHA256 | ba7f3627715614d113c1e1cd7dd9d47e3402a1e8a7404043e08bc14939364549 |
| SHA512 | befaa9b27dc11e226b00a651aa91cbfe1ec36127084d87d44b6cd8a5076e0a092a162059295d3fcd17abb6ea9adb3b703f3652ae558c2eef4e8932131397c12d |
C:\ProgramData\dism.7z
| MD5 | 448f836c5e5e1d54623d063454ff0d76 |
| SHA1 | 12e8d15c305ddf66584e0bfd49dac48549b70b69 |
| SHA256 | eeb5af29a7febfcbac2c6820249cb3dcf67c13be19a6d387b0fbeaf281bcc51b |
| SHA512 | 332052fc89ec16168f8b839b54ed79957e4564d0d63d0704b1e3f19ace32ef2496636a5cd2370f87a5744654050440ee481dfd8a2f82f2ae666d478cce7b804c |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Users\Admin\AppData\Local\Temp\{27995FDB-07E2-4116-9D7F-99547143874B}\ISBEWX64.exe
| MD5 | cdca6b9847782f40415b3a97b8011b8d |
| SHA1 | 87ce7eba5c7bf02f55d76cfede5370dededdb87c |
| SHA256 | 8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9 |
| SHA512 | 677ef5de435f9c7e4a22f334bba7b63ac0b2523228b1ead867386a092ba34687c86e0499800c7922b0b223137f72c3e89b7c880c5353fbdd705cf00e50bffc2e |
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\_ISMSIDEL.INI
| MD5 | 1618619fa33e666462d1cbfa81e1625b |
| SHA1 | 05c615e748defd31478f16ba96940e0f555c7828 |
| SHA256 | a607592e3c7fa472357577975cb72840a9ffd127fee3df5948adc602c9c28748 |
| SHA512 | c5c691e47a0679c4f9046622a0c7a756f5135695e87cee51cbc9f75792796bf975cdfabfa7d035a293e6d924bde17922fe577e9661c4c8410b23be7eed791997 |
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\_ISMSIDEL.INI
| MD5 | ea1189957183693c5803bb3eacc06854 |
| SHA1 | c7124f29416e518851eedc6f9871abc1e167ae31 |
| SHA256 | 37979669376353b1b10925842788ea8b2c45ee4f2b22285c3a217cd93aa0f93a |
| SHA512 | 1ac8c5c18e14a05b5ee2f7be26d6a808b28e71b41be7f82ba854fb922c966a67fd9c42673638c4cb96611a52f8423920c1fa3417437ae0cccf8b106ff9d4d58f |
C:\Users\Admin\AppData\Local\Temp\{D7A24D9E-7E2F-4FA6-8B11-22E489823FE3}\_ISMSIDEL.INI
| MD5 | c10f0c1c213324eb2d479d8617a58197 |
| SHA1 | 5d830ffc7950e47de2a7f9efafca8425c37a382c |
| SHA256 | 06d38311dc59cf5a078491d01fe65e579b3c5d72764bf93e35ae24cd74a805be |
| SHA512 | 6b73dd20de1f288999bf2590f8cf095f5804ae2648ab85d136a919ffe0e0430180c91a46b2ad6192104ee8802d982f70bc0fcca87cd8189a5be3e04312d1a702 |
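The dropped-file listing above is flat text (a path line followed by `| ALGO | digest |` rows) and the same bytes often appear under several paths or several times under one path, so the useful unit for detection is the SHA-256, not the path. The following is an added example and not part of the sandbox report: it parses that listing format, collapses repeated drops by SHA-256 while keeping every path the content was written to, skips entries that carry no hash table (such as the memory dump line), and sweeps a directory for files whose digest matches. The two paths and their digests in `LISTING` are copied from the report; the sample file written by `demo()` and its contents are constructed so the sweep has something to find offline.

```python
"""Turn a sandbox "dropped files" listing into hash indicators and sweep a
directory for matches. Added example; not code from the sandbox or the report."""
import hashlib
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Excerpt copied from this report's dropped-file listing, in the page's own
# flattened form. csrss.exe is listed twice with identical digests, as in the report.
LISTING = """\
C:\\Windows\\rss\\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
C:\\Windows\\rss\\csrss.exe
| MD5 | 71b9cd84ec146c642e076dfb2a87c31a |
| SHA1 | 18f593471c238beb864de6425c0343cbb0ea8597 |
| SHA256 | 19c9a046edef05ab14dcb86a46de9361190b07b0ef628771a00a36564192d309 |
C:\\Windows\\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_listing(text):
    """Return [{"path": ..., "hashes": {algo: hex}}], one record per path line,
    in listing order. Hash rows attach to the most recent path line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and records:
            records[-1]["hashes"][m.group(1).lower()] = m.group(2).lower()
        elif not m:
            records.append({"path": line, "hashes": {}})
    return records


def unique_artifacts(records):
    """Collapse repeated drops of identical content: key on SHA-256 and collect
    every path the same bytes were written to."""
    by_sha256 = defaultdict(lambda: {"paths": set(), "hashes": {}})
    for rec in records:
        digest = rec["hashes"].get("sha256")
        if digest is None:
            continue  # entries with no hash table (e.g. memory dumps) carry no file indicator
        by_sha256[digest]["paths"].add(rec["path"])
        by_sha256[digest]["hashes"] = rec["hashes"]
    return dict(by_sha256)


def hash_file(path, algos=("md5", "sha1", "sha256"), chunk=1 << 20):
    """Stream a file once and return {algo: hexdigest} for the requested algorithms."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def sweep(directory, indicators):
    """Return [(file_path, sha256)] for files under `directory` whose SHA-256
    is a key of `indicators` (the dict produced by unique_artifacts)."""
    hits = []
    for p in Path(directory).rglob("*"):
        if p.is_file():
            digest = hash_file(p, algos=("sha256",))["sha256"]
            if digest in indicators:
                hits.append((str(p), digest))
    return hits


def demo():
    """Self-contained run: the report's indicators plus one constructed, benign
    sample whose digest is added to the indicator set so the sweep can match
    offline. Returns the sweep results."""
    indicators = unique_artifacts(parse_listing(LISTING))
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"constructed sample, not malware\n")  # constructed data
        indicators[hash_file(sample)["sha256"]] = {"paths": {"<constructed>"}, "hashes": {}}
        (Path(tmp) / "clean.txt").write_bytes(b"unrelated file\n")  # must not match
        return sweep(tmp, indicators)


if __name__ == "__main__":
    print(demo())
```

Matching on SHA-256 rather than MD5 avoids collisions an adversary can manufacture, and collapsing by digest makes the two `csrss.exe` entries one indicator with one path, while a file such as `StartupProfileData-Interactive`, which the report lists three times with different digests, correctly stays three separate indicators.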