Analysis Overview
SHA256
d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449
Threat Level: Known bad
The file NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Suspicious use of NtCreateUserProcessOtherParentProcess
Glupteba payload
RedLine
Djvu Ransomware
Glupteba
Amadey
SmokeLoader
RedLine payload
Detected Djvu ransomware
Modifies boot configuration data using bcdedit
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Drops file in Drivers directory
Stops running service(s)
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Downloads MZ/PE file
UPX packed file
Loads dropped DLL
Checks BIOS information in registry
Themida packer
Checks computer location settings
Modifies file permissions
Deletes itself
Windows security modification
Executes dropped EXE
Manipulates WinMon driver.
Checks installed software on the system
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Manipulates WinMonFS driver.
Checks whether UAC is enabled
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Unsigned PE
Enumerates physical storage devices
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-18 18:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-18 18:51
Reported
2023-10-18 18:54
Platform
win7-20230831-en
Max time kernel
157s
Max time network
174s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\438C.exe = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\FDC1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Program Files\Google\Chrome\updater.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Program Files\Google\Chrome\updater.exe | N/A |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Program Files\Google\Chrome\updater.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\FDC1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\FDC1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\438C.exe = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fba12cc6-7b07-4134-a04a-193d12eca044\\FA27.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\FA27.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\FDC1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Program Files\Google\Chrome\updater.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FDC1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\updater.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2740 set thread context of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\FA27.exe | C:\Users\Admin\AppData\Local\Temp\FA27.exe |
| PID 2548 set thread context of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\FDC.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1556 set thread context of 2184 | N/A | C:\Users\Admin\AppData\Local\Temp\FA27.exe | C:\Users\Admin\AppData\Local\Temp\FA27.exe |
| PID 2692 set thread context of 2880 | N/A | C:\Windows\explorer.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3032 set thread context of 2520 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\System32\conhost.exe |
| PID 3032 set thread context of 2456 | N/A | C:\Program Files\Google\Chrome\updater.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Google\Chrome\updater.exe | C:\Users\Admin\AppData\Local\Temp\mi.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20231018185235.cab | C:\Windows\system32\makecab.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\15D6.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\15D6.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\15D6.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\438C.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\FA27.exe
C:\Users\Admin\AppData\Local\Temp\FA27.exe
C:\Users\Admin\AppData\Local\Temp\FA27.exe
C:\Users\Admin\AppData\Local\Temp\FA27.exe
C:\Users\Admin\AppData\Local\Temp\FDC1.exe
C:\Users\Admin\AppData\Local\Temp\FDC1.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E26.dll
C:\Users\Admin\AppData\Local\Temp\FDC.exe
C:\Users\Admin\AppData\Local\Temp\FDC.exe
C:\Users\Admin\AppData\Local\Temp\15D6.exe
C:\Users\Admin\AppData\Local\Temp\15D6.exe
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\E26.dll
C:\Users\Admin\AppData\Local\Temp\2706.exe
C:\Users\Admin\AppData\Local\Temp\2706.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Users\Admin\AppData\Local\Temp\438C.exe
C:\Users\Admin\AppData\Local\Temp\438C.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\fba12cc6-7b07-4134-a04a-193d12eca044" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\FA27.exe
"C:\Users\Admin\AppData\Local\Temp\FA27.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\FA27.exe
"C:\Users\Admin\AppData\Local\Temp\FA27.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231018185235.log C:\Windows\Logs\CBS\CbsPersist_20231018185235.cab
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\438C.exe
"C:\Users\Admin\AppData\Local\Temp\438C.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {99314103-8766-4190-B0F6-34EE14FA7CFC} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\mi.exe
"C:\Users\Admin\AppData\Local\Temp\mi.exe"
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\kyabiylzsfjo.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 104.21.21.57:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 104.21.86.8:443 | loveperry.org | tcp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | stalagmijesarl.com | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 188.114.96.0:443 | api.2ip.ua | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | colisumy.com | udp |
| US | 8.8.8.8:53 | zexeq.com | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| IR | 2.180.10.7:80 | zexeq.com | tcp |
| IR | 2.180.10.7:80 | zexeq.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| BG | 171.22.28.236:38306 | tcp | |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| RU | 85.209.11.85:41140 | tcp | |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 88.221.25.153:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | d5d0ad97-276a-4949-8e48-f201019830b4.uuid.alldatadump.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard58.blob.core.windows.net | udp |
| US | 20.150.79.68:443 | vsblobprodscussu5shard58.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | server4.alldatadump.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server4.alldatadump.org | tcp |
| IN | 172.253.121.127:19302 | stun1.l.google.com | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.0:443 | walkinglate.com | tcp |
| BG | 185.82.216.108:443 | server4.alldatadump.org | tcp |
| US | 8.8.8.8:53 | stratum-eu.rplant.xyz | udp |
| FR | 141.94.192.217:17056 | stratum-eu.rplant.xyz | tcp |
Files
memory/2208-1-0x0000000000640000-0x0000000000740000-memory.dmp
memory/2208-2-0x0000000000400000-0x00000000005AF000-memory.dmp
memory/2208-3-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1232-4-0x0000000002B70000-0x0000000002B86000-memory.dmp
memory/2208-5-0x0000000000400000-0x00000000005AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2740-21-0x0000000001FD0000-0x0000000002061000-memory.dmp
memory/2740-22-0x0000000001FD0000-0x0000000002061000-memory.dmp
memory/2740-23-0x0000000002090000-0x00000000021AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2848-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2848-28-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\FDC1.exe
| MD5 | 73c0d14591b9438fd544c80ccee4fef1 |
| SHA1 | 8eb8e501098dd00627bd7a63e0f01feb861eeac6 |
| SHA256 | ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219 |
| SHA512 | d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f |
memory/2692-34-0x0000000000960000-0x000000000109E000-memory.dmp
memory/2692-46-0x0000000076A30000-0x0000000076B40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FDC.exe
| MD5 | 276f4535df7de6a669a52a4e715f678c |
| SHA1 | 4ca1872fd68cf09060c344ecae344e5337d0f0fd |
| SHA256 | e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f |
| SHA512 | 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89 |
memory/2692-44-0x0000000076A30000-0x0000000076B40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FDC.exe
| MD5 | 276f4535df7de6a669a52a4e715f678c |
| SHA1 | 4ca1872fd68cf09060c344ecae344e5337d0f0fd |
| SHA256 | e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f |
| SHA512 | 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89 |
memory/2692-47-0x0000000076DB0000-0x0000000076DF7000-memory.dmp
memory/2692-48-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-39-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-49-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-51-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-53-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-55-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-54-0x0000000076DB0000-0x0000000076DF7000-memory.dmp
memory/2848-52-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2692-50-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-56-0x0000000076A30000-0x0000000076B40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E26.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
memory/2692-58-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-59-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-60-0x0000000076A30000-0x0000000076B40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\15D6.exe
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
C:\Users\Admin\AppData\Local\Temp\15D6.exe
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
memory/2692-68-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-69-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-70-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-71-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-62-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-72-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-73-0x0000000077380000-0x0000000077382000-memory.dmp
memory/2692-74-0x0000000076A30000-0x0000000076B40000-memory.dmp
\Users\Admin\AppData\Local\Temp\E26.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
memory/2848-75-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3056-77-0x00000000001C0000-0x00000000001C6000-memory.dmp
memory/3056-78-0x0000000010000000-0x00000000101D2000-memory.dmp
memory/3036-81-0x00000000008D0000-0x00000000009D0000-memory.dmp
memory/3036-82-0x0000000000220000-0x0000000000229000-memory.dmp
memory/3036-83-0x0000000000400000-0x00000000007CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2706.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\2706.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/1232-92-0x0000000002C70000-0x0000000002C86000-memory.dmp
memory/3036-94-0x0000000000400000-0x00000000007CF000-memory.dmp
memory/2872-99-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2872-102-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2872-101-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2872-100-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2872-98-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2872-104-0x0000000000400000-0x000000000043E000-memory.dmp
\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2872-109-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/2692-113-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-111-0x0000000000960000-0x000000000109E000-memory.dmp
memory/2872-97-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2692-114-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-116-0x0000000076DB0000-0x0000000076DF7000-memory.dmp
memory/2692-115-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-120-0x0000000000960000-0x000000000109E000-memory.dmp
memory/2692-121-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-119-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-118-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-117-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-122-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-123-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-124-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-125-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-126-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-127-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-128-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/2692-129-0x0000000076A30000-0x0000000076B40000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3056-131-0x00000000021F0000-0x0000000002316000-memory.dmp
memory/3056-132-0x0000000002320000-0x0000000002429000-memory.dmp
memory/3056-133-0x0000000002320000-0x0000000002429000-memory.dmp
memory/3056-135-0x0000000002320000-0x0000000002429000-memory.dmp
memory/3056-136-0x0000000002320000-0x0000000002429000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\438C.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Users\Admin\AppData\Local\Temp\438C.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
memory/1308-157-0x0000000000310000-0x000000000037B000-memory.dmp
memory/2848-175-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2872-176-0x0000000000FE0000-0x0000000001020000-memory.dmp
memory/1308-173-0x0000000000310000-0x000000000037B000-memory.dmp
memory/2692-172-0x00000000742E0000-0x00000000749CE000-memory.dmp
memory/2692-177-0x0000000005560000-0x00000000055A0000-memory.dmp
memory/2168-178-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2692-180-0x0000000076A30000-0x0000000076B40000-memory.dmp
memory/1384-179-0x0000000002610000-0x0000000002A08000-memory.dmp
memory/2168-181-0x0000000000060000-0x000000000006C000-memory.dmp
memory/2872-182-0x00000000742E0000-0x00000000749CE000-memory.dmp
C:\Users\Admin\AppData\Local\fba12cc6-7b07-4134-a04a-193d12eca044\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/1384-185-0x0000000002A10000-0x00000000032FB000-memory.dmp
memory/1384-186-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/1384-187-0x0000000002610000-0x0000000002A08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\438C.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/1556-199-0x0000000000260000-0x00000000002F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/2848-196-0x0000000000400000-0x0000000000537000-memory.dmp
\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/1556-212-0x0000000000260000-0x00000000002F1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FA27.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/1384-299-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 4402a0fc0ec273e2c3bd6a1188700b05 |
| SHA1 | 2c8ff24692967b5ae6a2b827113336b51bfe59d6 |
| SHA256 | 18b75f28d4760e6da2dd7a54f388dfa8576e124acee9fa1127b0ad7be52c51b9 |
| SHA512 | fc105e88cc8c5a785914a2eb6920e4b648db2332e1984e3f61f396562229e89f6a6200859868419664cc5436750a0014934102e618088ccf7c270c13d60b9abf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 1aea6ba6a3f65b044b2b28bf62b32679 |
| SHA1 | 6a2c87055b2622babdb4ce8d9a296e4c5f14dc28 |
| SHA256 | 3e5ce76e71df8cbacce394a4f290adf7f95f4a5c2c4b74dd4af381c2d6b4e880 |
| SHA512 | 1ed8011d03a085237dd1598e187c905242c359dbe01e0d9963623e58f9be01764a2e7abfb80b1b6ab1836354c6cd2d3e964a2ea670380c890c1f53f6adf6a0b9 |
memory/2692-304-0x0000000000290000-0x00000000002AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab8611.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1bfdb7fd3f1f79ff84d38766127ae4b8 |
| SHA1 | 946e6526efba6e0a12e6c78db2fdd7f9b122582f |
| SHA256 | 4193c867febac1e4f7726dd19b30d9829834b004765a6f177da28b578e44e5ec |
| SHA512 | 3cc641a4857a65bc96b6f091d40e7f85e4ffc16f79263c3072cd8cdf69b303a32ce39bea01b48c2bc94d099f77069b7246fc7e3e33c3e56e4a49ddab0cfaf8c7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 66d7b636c87aefcefec80344d10effbd |
| SHA1 | d21bcf288158d741be35e2046bbcaf177450497f |
| SHA256 | fbf37b3f395f4b170cb78791ce0e2b1bbb05fa4f4b36173b1baa5ef0429f6b89 |
| SHA512 | 66a4275e669fa16f115dac29997592b4c57997b88e78620f9a1c0e1bfb32121059c1b10b9668854386fd53bdfdd08fce5094805eadb11e7322e9dfeedf6a0aab |
memory/2184-319-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2184-318-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2692-320-0x0000000000290000-0x00000000002A5000-memory.dmp
memory/2692-323-0x0000000000290000-0x00000000002A5000-memory.dmp
memory/2692-333-0x0000000000290000-0x00000000002A5000-memory.dmp
memory/2692-331-0x0000000000290000-0x00000000002A5000-memory.dmp
memory/2692-329-0x0000000000290000-0x00000000002A5000-memory.dmp
memory/2692-327-0x0000000000290000-0x00000000002A5000-memory.dmp
memory/2692-325-0x0000000000290000-0x00000000002A5000-memory.dmp
memory/2692-321-0x0000000000290000-0x00000000002A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\438C.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Users\Admin\AppData\Local\Temp\TarBEA6.tmp
| MD5 | 9441737383d21192400eca82fda910ec |
| SHA1 | 725e0d606a4fc9ba44aa8ffde65bed15e65367e4 |
| SHA256 | bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5 |
| SHA512 | 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d24ada61e7d3c2aaefd3cc2348f30c88 |
| SHA1 | 639df744b70dd543c05e5c2a93806b347e82ff28 |
| SHA256 | 10f83e813ef67059050f78f161240a342c84ada52560ce3b0ced7cc912b60436 |
| SHA512 | 219cb7a07f784e15e3c6ae0631cde16d1e9eafb2c299691a5a140da755e4c8afa052bdd2066bdff81d20dac8e18352620e89d332431203aa60dbfc4187029a6e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 1b3d0f6bc3c2c17f065d216bbf5b58b2 |
| SHA1 | df4c93c4ca04c7f0f233ecb1e1817482465da89e |
| SHA256 | b54ebec9c4338158141364a7bae638f3f9043f73c8dfd9401c5c7bad3901f9e8 |
| SHA512 | c14fb0188d99266aa47313c04963c34dc1b91bd700adc4efd02e81d2cce3bba0d4fdc72207003d4f0b8f1f9b6dbc896a4d27e44550c74fa5c6ae61cbf831e0d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
\Windows\rss\csrss.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
\Windows\rss\csrss.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Windows\rss\csrss.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Windows\rss\csrss.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 8884667c3759dc5cca8a7eaf9474d72a |
| SHA1 | 8218101ef1d5895891787c5a6c92d51f828f3436 |
| SHA256 | eef17a3d4da9d126470d685ef6d93f09b2458867f7db9efbe61b0c9ec3eb422a |
| SHA512 | 7a8b00f7f5a7e8fadb6a839e71b272b488f9c09738b63634b0cc4c587983f2b215bb7a71cbf6218610306a61cc7d96b3d73f902f2b8ade1a87c031786a623fd6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 1b3d0f6bc3c2c17f065d216bbf5b58b2 |
| SHA1 | df4c93c4ca04c7f0f233ecb1e1817482465da89e |
| SHA256 | b54ebec9c4338158141364a7bae638f3f9043f73c8dfd9401c5c7bad3901f9e8 |
| SHA512 | c14fb0188d99266aa47313c04963c34dc1b91bd700adc4efd02e81d2cce3bba0d4fdc72207003d4f0b8f1f9b6dbc896a4d27e44550c74fa5c6ae61cbf831e0d2 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 38b644718080f19e7d636b8d3709c88a |
| SHA1 | f6a4e61b4b3cef215cb550329d9ff9d8f21742e3 |
| SHA256 | 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328 |
| SHA512 | 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5 |
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 38b644718080f19e7d636b8d3709c88a |
| SHA1 | f6a4e61b4b3cef215cb550329d9ff9d8f21742e3 |
| SHA256 | 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328 |
| SHA512 | 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d40d5326732c4eb43131a12d1179611a |
| SHA1 | 66a05dd47dc930b872186c8493be53325daabff8 |
| SHA256 | a87d22033104b159d211c812cf25e21022f86be4c1893b8e1905b6fb7a7f295a |
| SHA512 | 373a6453aabd869bb544623f44938f7baf2eb27421f3d37c216bc0a874b7a889689787f48f42f8992d2f4365ffddb57eb00783d515ec82bd213b48863f8edc99 |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 5da3a881ef991e8010deed799f1a5aaf |
| SHA1 | fea1acea7ed96d7c9788783781e90a2ea48c1a53 |
| SHA256 | f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4 |
| SHA512 | 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09 |
\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
| MD5 | d98e78fd57db58a11f880b45bb659767 |
| SHA1 | ab70c0d3bd9103c07632eeecee9f51d198ed0e76 |
| SHA256 | 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0 |
| SHA512 | aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831 |
C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |
C:\Users\Admin\AppData\Local\Temp\mi.exe
| MD5 | 38b644718080f19e7d636b8d3709c88a |
| SHA1 | f6a4e61b4b3cef215cb550329d9ff9d8f21742e3 |
| SHA256 | 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328 |
| SHA512 | 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5 |
\Program Files\Google\Chrome\updater.exe
| MD5 | 38b644718080f19e7d636b8d3709c88a |
| SHA1 | f6a4e61b4b3cef215cb550329d9ff9d8f21742e3 |
| SHA256 | 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328 |
| SHA512 | 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 38b644718080f19e7d636b8d3709c88a |
| SHA1 | f6a4e61b4b3cef215cb550329d9ff9d8f21742e3 |
| SHA256 | 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328 |
| SHA512 | 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\System32\drivers\etc\hosts
| MD5 | 2b19df2da3af86adf584efbddd0d31c0 |
| SHA1 | f1738910789e169213611c033d83bc9577373686 |
| SHA256 | 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd |
| SHA512 | 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6 |
C:\Windows\TEMP\kyabiylzsfjo.xml
| MD5 | 546d67a48ff2bf7682cea9fac07b942e |
| SHA1 | a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90 |
| SHA256 | eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a |
| SHA512 | 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 38b644718080f19e7d636b8d3709c88a |
| SHA1 | f6a4e61b4b3cef215cb550329d9ff9d8f21742e3 |
| SHA256 | 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328 |
| SHA512 | 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-18 18:51
Reported
2023-10-18 18:53
Platform
win10v2004-20230915-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Amadey
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\E3AA.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\E3AA.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\E3AA.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DD7F.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\FAC0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c0315b24-6ff8-47c6-9886-3613e17a8075\\DD7F.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\DD7F.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\E3AA.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E3AA.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4248 set thread context of 1332 | N/A | C:\Users\Admin\AppData\Local\Temp\DD7F.exe | C:\Users\Admin\AppData\Local\Temp\DD7F.exe |
| PID 4872 set thread context of 4212 | N/A | C:\Users\Admin\AppData\Local\Temp\DD7F.exe | C:\Users\Admin\AppData\Local\Temp\DD7F.exe |
| PID 3052 set thread context of 3528 | N/A | C:\Users\Admin\AppData\Local\Temp\E3AA.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3768 set thread context of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\EEF7.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\DD7F.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\FFB3.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F198.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F198.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\F198.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F198.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\E3AA.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\EF6.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\explorer.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe"
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
C:\Users\Admin\AppData\Local\Temp\E3AA.exe
C:\Users\Admin\AppData\Local\Temp\E3AA.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EC08.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\EC08.dll
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
C:\Users\Admin\AppData\Local\Temp\EEF7.exe
C:\Users\Admin\AppData\Local\Temp\EEF7.exe
C:\Users\Admin\AppData\Local\Temp\F198.exe
C:\Users\Admin\AppData\Local\Temp\F198.exe
C:\Users\Admin\AppData\Local\Temp\FAC0.exe
C:\Users\Admin\AppData\Local\Temp\FAC0.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c0315b24-6ff8-47c6-9886-3613e17a8075" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
"C:\Users\Admin\AppData\Local\Temp\DD7F.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"
C:\Users\Admin\AppData\Local\Temp\FFB3.exe
C:\Users\Admin\AppData\Local\Temp\FFB3.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
"C:\Users\Admin\AppData\Local\Temp\DD7F.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2116 -ip 2116
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:N"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4212 -ip 4212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 340
C:\Users\Admin\AppData\Local\Temp\EF6.exe
C:\Users\Admin\AppData\Local\Temp\EF6.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "yiueea.exe" /P "Admin:R" /E
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\577f58beff" /P "Admin:R" /E
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\EF6.exe
"C:\Users\Admin\AppData\Local\Temp\EF6.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 121.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | onualituyrs.org | udp |
| US | 8.8.8.8:53 | sumagulituyo.org | udp |
| US | 34.94.245.237:80 | sumagulituyo.org | tcp |
| US | 8.8.8.8:53 | snukerukeutit.org | udp |
| US | 104.198.2.251:80 | snukerukeutit.org | tcp |
| US | 8.8.8.8:53 | 237.245.94.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lightseinsteniki.org | udp |
| SG | 34.143.166.163:80 | lightseinsteniki.org | tcp |
| US | 8.8.8.8:53 | 251.2.198.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liuliuoumumy.org | udp |
| US | 8.8.8.8:53 | 163.166.143.34.in-addr.arpa | udp |
| SG | 34.143.166.163:80 | liuliuoumumy.org | tcp |
| US | 8.8.8.8:53 | stualialuyastrelia.net | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| US | 8.8.8.8:53 | 17.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.0:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | alayyadcare.com | udp |
| PS | 213.6.54.58:443 | alayyadcare.com | tcp |
| US | 8.8.8.8:53 | 18.192.137.79.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.54.6.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | montereyclub.org | udp |
| US | 172.67.196.133:443 | montereyclub.org | tcp |
| US | 8.8.8.8:53 | loveperry.org | udp |
| US | 104.21.86.8:443 | loveperry.org | tcp |
| US | 8.8.8.8:53 | 133.196.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.20.238.8.in-addr.arpa | udp |
| RU | 79.137.192.18:80 | 79.137.192.18 | tcp |
| US | 8.8.8.8:53 | 8.86.21.104.in-addr.arpa | udp |
| RU | 91.215.85.17:80 | stualialuyastrelia.net | tcp |
| RU | 85.209.11.85:41140 | tcp | |
| US | 8.8.8.8:53 | 85.11.209.85.in-addr.arpa | udp |
| BG | 171.22.28.236:38306 | tcp | |
| US | 8.8.8.8:53 | 236.28.22.171.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stalagmijesarl.com | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | 31.26.214.95.in-addr.arpa | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 95.214.26.31:80 | stalagmijesarl.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b67b603c-9596-478c-b705-b69c054b91ab.uuid.alldatadump.org | udp |
| US | 8.8.8.8:53 | server7.alldatadump.org | udp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| BG | 185.82.216.108:443 | server7.alldatadump.org | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| SG | 74.125.24.127:19302 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.24.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server7.alldatadump.org | tcp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
Files
memory/2652-1-0x00000000008E0000-0x00000000009E0000-memory.dmp
memory/2652-2-0x0000000000400000-0x00000000005AF000-memory.dmp
memory/2652-3-0x0000000000850000-0x000000000085B000-memory.dmp
memory/3156-4-0x0000000002BB0000-0x0000000002BC6000-memory.dmp
memory/2652-5-0x0000000000400000-0x00000000005AF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\E3AA.exe
| MD5 | 73c0d14591b9438fd544c80ccee4fef1 |
| SHA1 | 8eb8e501098dd00627bd7a63e0f01feb861eeac6 |
| SHA256 | ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219 |
| SHA512 | d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f |
C:\Users\Admin\AppData\Local\Temp\E3AA.exe
| MD5 | 73c0d14591b9438fd544c80ccee4fef1 |
| SHA1 | 8eb8e501098dd00627bd7a63e0f01feb861eeac6 |
| SHA256 | ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219 |
| SHA512 | d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f |
memory/3052-22-0x0000000000240000-0x000000000097E000-memory.dmp
memory/3052-23-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-24-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-25-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-26-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-27-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-28-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-29-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-30-0x0000000077B34000-0x0000000077B36000-memory.dmp
memory/3052-34-0x0000000000240000-0x000000000097E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EC08.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
memory/3052-36-0x0000000005890000-0x0000000005E34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EC08.dll
| MD5 | b22087ac0a2a7243e85d54a92654b666 |
| SHA1 | 8e131975d080cf7ab254f8c9f52ec456ce6d03ad |
| SHA256 | 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4 |
| SHA512 | 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1 |
memory/1332-42-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4648-44-0x00000000008F0000-0x00000000008F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEF7.exe
| MD5 | 276f4535df7de6a669a52a4e715f678c |
| SHA1 | 4ca1872fd68cf09060c344ecae344e5337d0f0fd |
| SHA256 | e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f |
| SHA512 | 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89 |
memory/1332-52-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3052-49-0x0000000005520000-0x00000000055BC000-memory.dmp
memory/1332-48-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/4648-43-0x0000000010000000-0x00000000101D2000-memory.dmp
memory/4248-41-0x0000000002550000-0x000000000266B000-memory.dmp
memory/3052-40-0x00000000052E0000-0x0000000005372000-memory.dmp
memory/4248-39-0x00000000009F0000-0x0000000000A87000-memory.dmp
memory/1332-53-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3052-59-0x0000000005490000-0x000000000549A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EEF7.exe
| MD5 | 276f4535df7de6a669a52a4e715f678c |
| SHA1 | 4ca1872fd68cf09060c344ecae344e5337d0f0fd |
| SHA256 | e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f |
| SHA512 | 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89 |
C:\Users\Admin\AppData\Local\Temp\F198.exe
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
C:\Users\Admin\AppData\Local\Temp\F198.exe
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
memory/2536-65-0x0000000000B70000-0x0000000000C70000-memory.dmp
memory/2536-66-0x0000000000920000-0x0000000000929000-memory.dmp
memory/2536-67-0x0000000000400000-0x00000000007CF000-memory.dmp
memory/3052-68-0x0000000000240000-0x000000000097E000-memory.dmp
memory/3052-69-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-72-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-73-0x0000000076C20000-0x0000000076D10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FAC0.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\FAC0.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\c0315b24-6ff8-47c6-9886-3613e17a8075\DD7F.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
memory/3052-91-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3052-90-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/4648-92-0x0000000000900000-0x0000000000A26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FFB3.exe
| MD5 | 1ce0912c72e8d0bfa728e6a229b04330 |
| SHA1 | 071804aecef07ef6e2a43cacc9dbacf64a8a2232 |
| SHA256 | b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273 |
| SHA512 | 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e |
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/1332-96-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FFB3.exe
| MD5 | 1ce0912c72e8d0bfa728e6a229b04330 |
| SHA1 | 071804aecef07ef6e2a43cacc9dbacf64a8a2232 |
| SHA256 | b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273 |
| SHA512 | 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e |
memory/3052-100-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/4648-101-0x0000000002390000-0x0000000002499000-memory.dmp
memory/4648-102-0x0000000002390000-0x0000000002499000-memory.dmp
memory/4648-104-0x0000000002390000-0x0000000002499000-memory.dmp
memory/4648-105-0x0000000002390000-0x0000000002499000-memory.dmp
memory/3052-106-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/4872-108-0x0000000002510000-0x00000000025A2000-memory.dmp
memory/2116-111-0x0000000000AA0000-0x0000000000BA0000-memory.dmp
memory/4212-114-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2116-113-0x0000000000920000-0x000000000092B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DD7F.exe
| MD5 | 22a70a0b71715402d1a4c2b912fa901f |
| SHA1 | d5373bfe847966630647e1b416c00c2075c8d41d |
| SHA256 | 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5 |
| SHA512 | ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc |
memory/4212-115-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4212-118-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2116-116-0x0000000000400000-0x00000000007CF000-memory.dmp
memory/3156-119-0x0000000002B90000-0x0000000002BA6000-memory.dmp
memory/2536-121-0x0000000000400000-0x00000000007CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EF6.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Users\Admin\AppData\Local\Temp\EF6.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
memory/1232-129-0x0000000000B20000-0x0000000000B8B000-memory.dmp
memory/1232-130-0x0000000000E00000-0x0000000000E75000-memory.dmp
memory/1232-131-0x0000000000B20000-0x0000000000B8B000-memory.dmp
memory/5012-135-0x00000000003A0000-0x00000000003A7000-memory.dmp
memory/5012-134-0x0000000000390000-0x000000000039C000-memory.dmp
memory/5012-140-0x0000000000390000-0x000000000039C000-memory.dmp
memory/1056-160-0x0000000002A80000-0x0000000002E85000-memory.dmp
memory/1056-161-0x0000000002E90000-0x000000000377B000-memory.dmp
memory/1056-162-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/1232-163-0x0000000000B20000-0x0000000000B8B000-memory.dmp
memory/3052-164-0x0000000005500000-0x000000000551C000-memory.dmp
memory/3052-165-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-166-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-168-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-170-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-172-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-174-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-176-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-178-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-180-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-182-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-184-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-186-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3052-188-0x0000000005500000-0x0000000005515000-memory.dmp
memory/3528-189-0x0000000000400000-0x000000000045A000-memory.dmp
memory/3528-191-0x0000000075020000-0x00000000757D0000-memory.dmp
memory/3052-193-0x00000000057A0000-0x00000000057B0000-memory.dmp
memory/3052-194-0x0000000000240000-0x000000000097E000-memory.dmp
memory/3528-196-0x0000000008B80000-0x0000000009198000-memory.dmp
memory/3052-195-0x0000000076C20000-0x0000000076D10000-memory.dmp
memory/3528-197-0x0000000007D60000-0x0000000007D72000-memory.dmp
memory/3528-198-0x0000000007E90000-0x0000000007F9A000-memory.dmp
memory/3528-199-0x0000000007DC0000-0x0000000007DFC000-memory.dmp
memory/3528-200-0x0000000007E20000-0x0000000007E6C000-memory.dmp
memory/3528-201-0x0000000008690000-0x00000000086F6000-memory.dmp
memory/1056-202-0x0000000002A80000-0x0000000002E85000-memory.dmp
memory/3528-203-0x0000000009480000-0x00000000094F6000-memory.dmp
memory/3528-204-0x00000000096D0000-0x0000000009892000-memory.dmp
memory/3528-205-0x0000000009DD0000-0x000000000A2FC000-memory.dmp
memory/1056-206-0x0000000002E90000-0x000000000377B000-memory.dmp
memory/3528-207-0x0000000009600000-0x000000000961E000-memory.dmp
memory/2556-208-0x0000000004B00000-0x0000000004B36000-memory.dmp
memory/1056-209-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/2556-210-0x0000000075020000-0x00000000757D0000-memory.dmp
memory/1056-211-0x0000000000400000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_reya4jpn.odi.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1880-230-0x0000000000400000-0x000000000043E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EF6.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Users\Admin\AppData\Roaming\sdvfagh
| MD5 | 5d2f4dced61a5ca942ddd8df3e2646d9 |
| SHA1 | 87a53a110db93a85c2088424ff4d3feeb24ab82f |
| SHA256 | 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618 |
| SHA512 | 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6 |
memory/1056-274-0x0000000000400000-0x0000000000D1B000-memory.dmp
memory/400-305-0x0000000000F70000-0x0000000000F7B000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
| MD5 | c671d50d589ce7be9ad3ff4035e6ad63 |
| SHA1 | 88cdc154077c8264149cb8b19e16ba07901e1dd6 |
| SHA256 | fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568 |
| SHA512 | a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9 |
memory/3100-311-0x0000000000D20000-0x0000000000D2F000-memory.dmp
memory/748-316-0x0000000000830000-0x0000000000839000-memory.dmp
memory/4424-321-0x0000000000E20000-0x0000000000E2C000-memory.dmp
memory/888-326-0x0000000000560000-0x0000000000587000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | eb579cb480fe558d25008756749835d7 |
| SHA1 | f964b11c00c7979fd3101177c65184767d3f653b |
| SHA256 | 4a03a6cb6719a9946dfee620d7ae888d3b175d0140dc2d1e92c9996191ab3672 |
| SHA512 | e26962bd25880a26017527e07a9fe2dd9f12e211ff49dfdeefe718a3dfe8dbc16020774df77a658cc1b32993beb5b1b5f99eaa684af500c0c2a672073e18fec2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1afacc4a6e46baa560ceeceae5ff2c9c |
| SHA1 | 501fd0497b0b2d776cc77451f448be4382f302be |
| SHA256 | ff42b60f3b2474ad3f7a0500a0bd8898de6930933345f588c92d3249917e1637 |
| SHA512 | f8f146b091636ed58459e975cd19c6163b825aaeaa775a42158333f89f6743a2a3461cf8efe539e95a4c08bea42f60fcc86b12df755cc23c7098b84a3d6b5b3c |
C:\Windows\rss\csrss.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Windows\rss\csrss.exe
| MD5 | 6c9efad2ba2589915879665a1a25a9ac |
| SHA1 | 8e94c81e51ad12f20c77da95883a4116a2c7a5c9 |
| SHA256 | 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433 |
| SHA512 | 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 97cab70d464e9fb5b5951b8651b30cb1 |
| SHA1 | 41bf566f3f8d1b5569932a76216dbe914622e186 |
| SHA256 | cd901819be46cb170d5ad69be561b76bcc7591830f61f5b671dae81469187c84 |
| SHA512 | d17e4da5b111250d67e27da16a8339a47cb338eac62993588750275af6cc9c06c7c13836fd748d51d58b239ff7d9db55bb03fb045a6c4ff0e002d1ac679e55fd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 4949e8fb88fa0c88c3728564be15a006 |
| SHA1 | 916d4589816e8742007328e3b231dda580c5fedc |
| SHA256 | 8725ec19f5974185858ddb3083ab0506518eee56f609a92172dd7020b32fc28e |
| SHA512 | 193ae81ea4d0645251cd17d429849d7c907e12e695a6c28e0e7022e1f391f1489ceaf89a3c23180ff0a0a4965f77fdfb13cf61a24b85d89281b895fd9f0e12e1 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 350dd252d926a7b43c7e3cb1ddaf4dc6 |
| SHA1 | e7ee600d97cd5d5f2fcfbf130ac7aa844ccf716e |
| SHA256 | 2638bb4a0b2ae14872a9c7cca5b9d8ac17ff859d935997445911a4ee1b67c7aa |
| SHA512 | b33c28d7af2176aeb7caf7000c25199dc2b6d3a1a65c7f5519a9f47e2281abc8a4aa843cf9021e3079a7ad4bbd6ecf001b73f7d9cfc535e111bd5f51959b8e53 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
| MD5 | 55f845c433e637594aaf872e41fda207 |
| SHA1 | 1188348ca7e52f075e7d1d0031918c2cea93362e |
| SHA256 | f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39 |
| SHA512 | 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4 |