Malware Analysis Report

2025-01-18 05:07

Sample ID 231018-xhgewshg9w
Target NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe
SHA256 d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449
Tags
amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) summ backdoor collection discovery dropper evasion infostealer loader persistence ransomware rootkit spyware themida trojan upx pub1
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449

Threat Level: Known bad

The file NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe was found to be: Known bad.

Malicious Activity Summary

amadey djvu glupteba redline smokeloader logsdiller cloud (tg: @logsdillabot) summ backdoor collection discovery dropper evasion infostealer loader persistence ransomware rootkit spyware themida trojan upx pub1

Windows security bypass

Suspicious use of NtCreateUserProcessOtherParentProcess

Glupteba payload

RedLine

Djvu Ransomware

Glupteba

Amadey

SmokeLoader

RedLine payload

Detected Djvu ransomware

Modifies boot configuration data using bcdedit

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Drops file in Drivers directory

Stops running service(s)

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Downloads MZ/PE file

UPX packed file

Loads dropped DLL

Checks BIOS information in registry

Themida packer

Checks computer location settings

Modifies file permissions

Deletes itself

Windows security modification

Executes dropped EXE

Manipulates WinMon driver.

Checks installed software on the system

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Manipulates WinMonFS driver.

Checks whether UAC is enabled

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-18 18:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-18 18:51

Reported

2023-10-18 18:54

Platform

win7-20230831-en

Max time kernel

157s

Max time network

174s

Command Line

C:\Windows\Explorer.EXE

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\438C.exe = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\FDC1.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Program Files\Google\Chrome\updater.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
File created C:\Windows\System32\drivers\etc\hosts C:\Program Files\Google\Chrome\updater.exe N/A
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Program Files\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Program Files\Google\Chrome\updater.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\FDC1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\FDC1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\438C.exe = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\fba12cc6-7b07-4134-a04a-193d12eca044\\FA27.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\FA27.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\FDC1.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Google\Chrome\updater.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FDC1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mi.exe N/A
N/A N/A C:\Program Files\Google\Chrome\updater.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\438C.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Google\Chrome\updater.exe C:\Users\Admin\AppData\Local\Temp\mi.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20231018185235.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\15D6.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\15D6.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\15D6.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\System32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\438C.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 0f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 1400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a32000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 040000000100000010000000e4a68ac854ac5242460afd72481b2a440f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a41400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f392000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\438C.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2740 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 1232 wrote to memory of 2740 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 1232 wrote to memory of 2740 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 1232 wrote to memory of 2740 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 2740 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\FA27.exe C:\Users\Admin\AppData\Local\Temp\FA27.exe
PID 1232 wrote to memory of 2692 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FDC1.exe
PID 1232 wrote to memory of 2692 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FDC1.exe
PID 1232 wrote to memory of 2692 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FDC1.exe
PID 1232 wrote to memory of 2692 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FDC1.exe
PID 1232 wrote to memory of 2516 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1232 wrote to memory of 2516 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1232 wrote to memory of 2516 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1232 wrote to memory of 2516 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1232 wrote to memory of 2516 N/A C:\Windows\Explorer.EXE C:\Windows\system32\regsvr32.exe
PID 1232 wrote to memory of 2548 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FDC.exe
PID 1232 wrote to memory of 2548 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FDC.exe
PID 1232 wrote to memory of 2548 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FDC.exe
PID 1232 wrote to memory of 2548 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\FDC.exe
PID 1232 wrote to memory of 3036 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\15D6.exe
PID 1232 wrote to memory of 3036 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\15D6.exe
PID 1232 wrote to memory of 3036 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\15D6.exe
PID 1232 wrote to memory of 3036 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\15D6.exe
PID 2516 wrote to memory of 3056 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2516 wrote to memory of 3056 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2516 wrote to memory of 3056 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2516 wrote to memory of 3056 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2516 wrote to memory of 3056 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2516 wrote to memory of 3056 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2516 wrote to memory of 3056 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1232 wrote to memory of 796 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2706.exe
PID 1232 wrote to memory of 796 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2706.exe
PID 1232 wrote to memory of 796 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2706.exe
PID 1232 wrote to memory of 796 N/A C:\Windows\Explorer.EXE C:\Users\Admin\AppData\Local\Temp\2706.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2548 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\FDC.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 796 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2706.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 796 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2706.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 796 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2706.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 796 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\2706.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 1608 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1608 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1608 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1608 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1608 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\FA27.exe

C:\Users\Admin\AppData\Local\Temp\FA27.exe

C:\Users\Admin\AppData\Local\Temp\FA27.exe

C:\Users\Admin\AppData\Local\Temp\FA27.exe

C:\Users\Admin\AppData\Local\Temp\FDC1.exe

C:\Users\Admin\AppData\Local\Temp\FDC1.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E26.dll

C:\Users\Admin\AppData\Local\Temp\FDC.exe

C:\Users\Admin\AppData\Local\Temp\FDC.exe

C:\Users\Admin\AppData\Local\Temp\15D6.exe

C:\Users\Admin\AppData\Local\Temp\15D6.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E26.dll

C:\Users\Admin\AppData\Local\Temp\2706.exe

C:\Users\Admin\AppData\Local\Temp\2706.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\438C.exe

C:\Users\Admin\AppData\Local\Temp\438C.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\fba12cc6-7b07-4134-a04a-193d12eca044" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\FA27.exe

"C:\Users\Admin\AppData\Local\Temp\FA27.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\FA27.exe

"C:\Users\Admin\AppData\Local\Temp\FA27.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231018185235.log C:\Windows\Logs\CBS\CbsPersist_20231018185235.cab

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\438C.exe

"C:\Users\Admin\AppData\Local\Temp\438C.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {99314103-8766-4190-B0F6-34EE14FA7CFC} S-1-5-21-686452656-3203474025-4140627569-1000:UUVOHKNL\Admin:Interactive:[1]

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\mi.exe

"C:\Users\Admin\AppData\Local\Temp\mi.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

C:\Program Files\Google\Chrome\updater.exe

"C:\Program Files\Google\Chrome\updater.exe"

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\schtasks.exe

C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\kyabiylzsfjo.xml"

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\conhost.exe

C:\Windows\System32\conhost.exe

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\explorer.exe

C:\Windows\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 liuliuoumumy.org udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.0:443 api.2ip.ua tcp
US 8.8.8.8:53 montereyclub.org udp
US 104.21.21.57:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
RU 79.137.192.18:80 79.137.192.18 tcp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 stalagmijesarl.com udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 188.114.96.0:443 api.2ip.ua tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 colisumy.com udp
US 8.8.8.8:53 zexeq.com udp
US 95.214.26.31:80 stalagmijesarl.com tcp
IR 2.180.10.7:80 zexeq.com tcp
IR 2.180.10.7:80 zexeq.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
BG 171.22.28.236:38306 tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
RU 85.209.11.85:41140 tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 88.221.25.153:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 d5d0ad97-276a-4949-8e48-f201019830b4.uuid.alldatadump.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.70.36:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
US 8.8.8.8:53 vsblobprodscussu5shard58.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard58.blob.core.windows.net tcp
US 8.8.8.8:53 stun1.l.google.com udp
US 8.8.8.8:53 server4.alldatadump.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server4.alldatadump.org tcp
IN 172.253.121.127:19302 stun1.l.google.com udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
BG 185.82.216.108:443 server4.alldatadump.org tcp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp

Files

memory/2208-1-0x0000000000640000-0x0000000000740000-memory.dmp

memory/2208-2-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2208-3-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1232-4-0x0000000002B70000-0x0000000002B86000-memory.dmp

memory/2208-5-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/2740-21-0x0000000001FD0000-0x0000000002061000-memory.dmp

memory/2740-22-0x0000000001FD0000-0x0000000002061000-memory.dmp

memory/2740-23-0x0000000002090000-0x00000000021AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/2848-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2848-28-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\FDC1.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

memory/2692-34-0x0000000000960000-0x000000000109E000-memory.dmp

memory/2692-46-0x0000000076A30000-0x0000000076B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FDC.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

memory/2692-44-0x0000000076A30000-0x0000000076B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FDC.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

memory/2692-47-0x0000000076DB0000-0x0000000076DF7000-memory.dmp

memory/2692-48-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-39-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-49-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-51-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-53-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-55-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-54-0x0000000076DB0000-0x0000000076DF7000-memory.dmp

memory/2848-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2692-50-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-56-0x0000000076A30000-0x0000000076B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E26.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/2692-58-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-59-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-60-0x0000000076A30000-0x0000000076B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\15D6.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Local\Temp\15D6.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/2692-68-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-69-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-70-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-71-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-62-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-72-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-73-0x0000000077380000-0x0000000077382000-memory.dmp

memory/2692-74-0x0000000076A30000-0x0000000076B40000-memory.dmp

\Users\Admin\AppData\Local\Temp\E26.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/2848-75-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3056-77-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/3056-78-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/3036-81-0x00000000008D0000-0x00000000009D0000-memory.dmp

memory/3036-82-0x0000000000220000-0x0000000000229000-memory.dmp

memory/3036-83-0x0000000000400000-0x00000000007CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2706.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\2706.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/1232-92-0x0000000002C70000-0x0000000002C86000-memory.dmp

memory/3036-94-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/2872-99-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2872-102-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2872-101-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2872-100-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2872-98-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2872-104-0x0000000000400000-0x000000000043E000-memory.dmp

\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2872-109-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/2692-113-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-111-0x0000000000960000-0x000000000109E000-memory.dmp

memory/2872-97-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2692-114-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-116-0x0000000076DB0000-0x0000000076DF7000-memory.dmp

memory/2692-115-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-120-0x0000000000960000-0x000000000109E000-memory.dmp

memory/2692-121-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-119-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-118-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-117-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-122-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-123-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-124-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-125-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-126-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-127-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-128-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/2692-129-0x0000000076A30000-0x0000000076B40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3056-131-0x00000000021F0000-0x0000000002316000-memory.dmp

memory/3056-132-0x0000000002320000-0x0000000002429000-memory.dmp

memory/3056-133-0x0000000002320000-0x0000000002429000-memory.dmp

memory/3056-135-0x0000000002320000-0x0000000002429000-memory.dmp

memory/3056-136-0x0000000002320000-0x0000000002429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\438C.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Users\Admin\AppData\Local\Temp\438C.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

memory/1308-157-0x0000000000310000-0x000000000037B000-memory.dmp

memory/2848-175-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2872-176-0x0000000000FE0000-0x0000000001020000-memory.dmp

memory/1308-173-0x0000000000310000-0x000000000037B000-memory.dmp

memory/2692-172-0x00000000742E0000-0x00000000749CE000-memory.dmp

memory/2692-177-0x0000000005560000-0x00000000055A0000-memory.dmp

memory/2168-178-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2692-180-0x0000000076A30000-0x0000000076B40000-memory.dmp

memory/1384-179-0x0000000002610000-0x0000000002A08000-memory.dmp

memory/2168-181-0x0000000000060000-0x000000000006C000-memory.dmp

memory/2872-182-0x00000000742E0000-0x00000000749CE000-memory.dmp

C:\Users\Admin\AppData\Local\fba12cc6-7b07-4134-a04a-193d12eca044\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/1384-185-0x0000000002A10000-0x00000000032FB000-memory.dmp

memory/1384-186-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1384-187-0x0000000002610000-0x0000000002A08000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\438C.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/1556-199-0x0000000000260000-0x00000000002F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/2848-196-0x0000000000400000-0x0000000000537000-memory.dmp

\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/1556-212-0x0000000000260000-0x00000000002F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FA27.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/1384-299-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 4402a0fc0ec273e2c3bd6a1188700b05
SHA1 2c8ff24692967b5ae6a2b827113336b51bfe59d6
SHA256 18b75f28d4760e6da2dd7a54f388dfa8576e124acee9fa1127b0ad7be52c51b9
SHA512 fc105e88cc8c5a785914a2eb6920e4b648db2332e1984e3f61f396562229e89f6a6200859868419664cc5436750a0014934102e618088ccf7c270c13d60b9abf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 1aea6ba6a3f65b044b2b28bf62b32679
SHA1 6a2c87055b2622babdb4ce8d9a296e4c5f14dc28
SHA256 3e5ce76e71df8cbacce394a4f290adf7f95f4a5c2c4b74dd4af381c2d6b4e880
SHA512 1ed8011d03a085237dd1598e187c905242c359dbe01e0d9963623e58f9be01764a2e7abfb80b1b6ab1836354c6cd2d3e964a2ea670380c890c1f53f6adf6a0b9

memory/2692-304-0x0000000000290000-0x00000000002AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8611.tmp

MD5 f3441b8572aae8801c04f3060b550443
SHA1 4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1bfdb7fd3f1f79ff84d38766127ae4b8
SHA1 946e6526efba6e0a12e6c78db2fdd7f9b122582f
SHA256 4193c867febac1e4f7726dd19b30d9829834b004765a6f177da28b578e44e5ec
SHA512 3cc641a4857a65bc96b6f091d40e7f85e4ffc16f79263c3072cd8cdf69b303a32ce39bea01b48c2bc94d099f77069b7246fc7e3e33c3e56e4a49ddab0cfaf8c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 66d7b636c87aefcefec80344d10effbd
SHA1 d21bcf288158d741be35e2046bbcaf177450497f
SHA256 fbf37b3f395f4b170cb78791ce0e2b1bbb05fa4f4b36173b1baa5ef0429f6b89
SHA512 66a4275e669fa16f115dac29997592b4c57997b88e78620f9a1c0e1bfb32121059c1b10b9668854386fd53bdfdd08fce5094805eadb11e7322e9dfeedf6a0aab

memory/2184-319-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2184-318-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2692-320-0x0000000000290000-0x00000000002A5000-memory.dmp

memory/2692-323-0x0000000000290000-0x00000000002A5000-memory.dmp

memory/2692-333-0x0000000000290000-0x00000000002A5000-memory.dmp

memory/2692-331-0x0000000000290000-0x00000000002A5000-memory.dmp

memory/2692-329-0x0000000000290000-0x00000000002A5000-memory.dmp

memory/2692-327-0x0000000000290000-0x00000000002A5000-memory.dmp

memory/2692-325-0x0000000000290000-0x00000000002A5000-memory.dmp

memory/2692-321-0x0000000000290000-0x00000000002A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\438C.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Users\Admin\AppData\Local\Temp\TarBEA6.tmp

MD5 9441737383d21192400eca82fda910ec
SHA1 725e0d606a4fc9ba44aa8ffde65bed15e65367e4
SHA256 bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5
SHA512 7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d24ada61e7d3c2aaefd3cc2348f30c88
SHA1 639df744b70dd543c05e5c2a93806b347e82ff28
SHA256 10f83e813ef67059050f78f161240a342c84ada52560ce3b0ced7cc912b60436
SHA512 219cb7a07f784e15e3c6ae0631cde16d1e9eafb2c299691a5a140da755e4c8afa052bdd2066bdff81d20dac8e18352620e89d332431203aa60dbfc4187029a6e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 1b3d0f6bc3c2c17f065d216bbf5b58b2
SHA1 df4c93c4ca04c7f0f233ecb1e1817482465da89e
SHA256 b54ebec9c4338158141364a7bae638f3f9043f73c8dfd9401c5c7bad3901f9e8
SHA512 c14fb0188d99266aa47313c04963c34dc1b91bd700adc4efd02e81d2cce3bba0d4fdc72207003d4f0b8f1f9b6dbc896a4d27e44550c74fa5c6ae61cbf831e0d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

\Windows\rss\csrss.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

\Windows\rss\csrss.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Windows\rss\csrss.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Windows\rss\csrss.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8884667c3759dc5cca8a7eaf9474d72a
SHA1 8218101ef1d5895891787c5a6c92d51f828f3436
SHA256 eef17a3d4da9d126470d685ef6d93f09b2458867f7db9efbe61b0c9ec3eb422a
SHA512 7a8b00f7f5a7e8fadb6a839e71b272b488f9c09738b63634b0cc4c587983f2b215bb7a71cbf6218610306a61cc7d96b3d73f902f2b8ade1a87c031786a623fd6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 1b3d0f6bc3c2c17f065d216bbf5b58b2
SHA1 df4c93c4ca04c7f0f233ecb1e1817482465da89e
SHA256 b54ebec9c4338158141364a7bae638f3f9043f73c8dfd9401c5c7bad3901f9e8
SHA512 c14fb0188d99266aa47313c04963c34dc1b91bd700adc4efd02e81d2cce3bba0d4fdc72207003d4f0b8f1f9b6dbc896a4d27e44550c74fa5c6ae61cbf831e0d2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

\Users\Admin\AppData\Local\Temp\mi.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d40d5326732c4eb43131a12d1179611a
SHA1 66a05dd47dc930b872186c8493be53325daabff8
SHA256 a87d22033104b159d211c812cf25e21022f86be4c1893b8e1905b6fb7a7f295a
SHA512 373a6453aabd869bb544623f44938f7baf2eb27421f3d37c216bc0a874b7a889689787f48f42f8992d2f4365ffddb57eb00783d515ec82bd213b48863f8edc99

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

MD5 d98e78fd57db58a11f880b45bb659767
SHA1 ab70c0d3bd9103c07632eeecee9f51d198ed0e76
SHA256 414035cc96d8bcc87ed173852a839ffbb45882a98c7a6f7b821e1668891deef0
SHA512 aafbd3eee102d0b682c4c854d69d50bac077e48f7f0dd8a5f913c6c73027aed7231d99fc9d716511759800da8c4f0f394b318821e9e47f6e62e436c8725a7831

C:\Users\Admin\AppData\Local\Temp\kyabiylzsfjo.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Users\Admin\AppData\Local\Temp\mi.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

\Program Files\Google\Chrome\updater.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Program Files\Google\Chrome\updater.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\System32\drivers\etc\hosts

MD5 2b19df2da3af86adf584efbddd0d31c0
SHA1 f1738910789e169213611c033d83bc9577373686
SHA256 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

C:\Windows\TEMP\kyabiylzsfjo.xml

MD5 546d67a48ff2bf7682cea9fac07b942e
SHA1 a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90
SHA256 eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a
SHA512 10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

C:\Program Files\Google\Chrome\updater.exe

MD5 38b644718080f19e7d636b8d3709c88a
SHA1 f6a4e61b4b3cef215cb550329d9ff9d8f21742e3
SHA256 70c8aa98511897e762d7764916b51afc1e6c8b4e418479c393ef546bdfc23328
SHA512 1feda87340545edc45b9a5c1a1eade79f2cff2044dede6358facfc74b811d574abece5962655dcd909472190bd90a4247519c74542b086e85faafcd70b0312d5

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-18 18:51

Reported

2023-10-18 18:53

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\E3AA.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\E3AA.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\E3AA.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DD7F.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\FAC0.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\c0315b24-6ff8-47c6-9886-3613e17a8075\\DD7F.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\DD7F.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\E3AA.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\E3AA.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\F198.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\F198.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\F198.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-732 = "Fiji Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-242 = "Samoa Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-41 = "E. South America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-631 = "Tokyo Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-302 = "Romance Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-161 = "Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-722 = "Central Pacific Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F198.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\E3AA.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\EF6.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3156 wrote to memory of 4248 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 3156 wrote to memory of 4248 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 3156 wrote to memory of 4248 N/A N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 3156 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3AA.exe
PID 3156 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3AA.exe
PID 3156 wrote to memory of 3052 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3AA.exe
PID 3156 wrote to memory of 636 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3156 wrote to memory of 636 N/A N/A C:\Windows\system32\regsvr32.exe
PID 636 wrote to memory of 4648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 4648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 4648 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4248 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 3156 wrote to memory of 3768 N/A N/A C:\Users\Admin\AppData\Local\Temp\EEF7.exe
PID 3156 wrote to memory of 3768 N/A N/A C:\Users\Admin\AppData\Local\Temp\EEF7.exe
PID 3156 wrote to memory of 3768 N/A N/A C:\Users\Admin\AppData\Local\Temp\EEF7.exe
PID 3156 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F198.exe
PID 3156 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F198.exe
PID 3156 wrote to memory of 2536 N/A N/A C:\Users\Admin\AppData\Local\Temp\F198.exe
PID 3156 wrote to memory of 3000 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAC0.exe
PID 3156 wrote to memory of 3000 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAC0.exe
PID 3156 wrote to memory of 3000 N/A N/A C:\Users\Admin\AppData\Local\Temp\FAC0.exe
PID 1332 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Windows\SysWOW64\icacls.exe
PID 1332 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Windows\SysWOW64\icacls.exe
PID 1332 wrote to memory of 3420 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Windows\SysWOW64\icacls.exe
PID 1332 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 1332 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 1332 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 3000 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\FAC0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3000 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\FAC0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3000 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\FAC0.exe C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe
PID 3156 wrote to memory of 2116 N/A N/A C:\Users\Admin\AppData\Local\Temp\FFB3.exe
PID 3156 wrote to memory of 2116 N/A N/A C:\Users\Admin\AppData\Local\Temp\FFB3.exe
PID 3156 wrote to memory of 2116 N/A N/A C:\Users\Admin\AppData\Local\Temp\FFB3.exe
PID 1952 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1952 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1952 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\schtasks.exe
PID 1952 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 1952 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe C:\Windows\SysWOW64\cmd.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4872 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Local\Temp\DD7F.exe C:\Users\Admin\AppData\Local\Temp\DD7F.exe
PID 4152 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 4976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4152 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4152 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe
PID 4152 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cacls.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe

"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASNEASd069d2f8f290c5b72ea64c297bd1257890066924f241dddbf45e66d6d15fb449exeexeexe_JC.exe"

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

C:\Users\Admin\AppData\Local\Temp\E3AA.exe

C:\Users\Admin\AppData\Local\Temp\E3AA.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EC08.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EC08.dll

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

C:\Users\Admin\AppData\Local\Temp\EEF7.exe

C:\Users\Admin\AppData\Local\Temp\EEF7.exe

C:\Users\Admin\AppData\Local\Temp\F198.exe

C:\Users\Admin\AppData\Local\Temp\F198.exe

C:\Users\Admin\AppData\Local\Temp\FAC0.exe

C:\Users\Admin\AppData\Local\Temp\FAC0.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\c0315b24-6ff8-47c6-9886-3613e17a8075" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

"C:\Users\Admin\AppData\Local\Temp\DD7F.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

"C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe"

C:\Users\Admin\AppData\Local\Temp\FFB3.exe

C:\Users\Admin\AppData\Local\Temp\FFB3.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN yiueea.exe /TR "C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "yiueea.exe" /P "Admin:N"&&CACLS "yiueea.exe" /P "Admin:R" /E&&echo Y|CACLS "..\577f58beff" /P "Admin:N"&&CACLS "..\577f58beff" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

"C:\Users\Admin\AppData\Local\Temp\DD7F.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2116 -ip 2116

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:N"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4212 -ip 4212

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 340

C:\Users\Admin\AppData\Local\Temp\EF6.exe

C:\Users\Admin\AppData\Local\Temp\EF6.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "yiueea.exe" /P "Admin:R" /E

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\577f58beff" /P "Admin:R" /E

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Users\Admin\AppData\Local\Temp\EF6.exe

"C:\Users\Admin\AppData\Local\Temp\EF6.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\explorer.exe

C:\Windows\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 121.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 onualituyrs.org udp
US 8.8.8.8:53 sumagulituyo.org udp
US 34.94.245.237:80 sumagulituyo.org tcp
US 8.8.8.8:53 snukerukeutit.org udp
US 104.198.2.251:80 snukerukeutit.org tcp
US 8.8.8.8:53 237.245.94.34.in-addr.arpa udp
US 8.8.8.8:53 lightseinsteniki.org udp
SG 34.143.166.163:80 lightseinsteniki.org tcp
US 8.8.8.8:53 251.2.198.104.in-addr.arpa udp
US 8.8.8.8:53 liuliuoumumy.org udp
US 8.8.8.8:53 163.166.143.34.in-addr.arpa udp
SG 34.143.166.163:80 liuliuoumumy.org tcp
US 8.8.8.8:53 stualialuyastrelia.net udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
US 8.8.8.8:53 17.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.97.0:443 api.2ip.ua tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 alayyadcare.com udp
PS 213.6.54.58:443 alayyadcare.com tcp
US 8.8.8.8:53 18.192.137.79.in-addr.arpa udp
US 8.8.8.8:53 58.54.6.213.in-addr.arpa udp
US 8.8.8.8:53 montereyclub.org udp
US 172.67.196.133:443 montereyclub.org tcp
US 8.8.8.8:53 loveperry.org udp
US 104.21.86.8:443 loveperry.org tcp
US 8.8.8.8:53 133.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
RU 79.137.192.18:80 79.137.192.18 tcp
US 8.8.8.8:53 8.86.21.104.in-addr.arpa udp
RU 91.215.85.17:80 stualialuyastrelia.net tcp
RU 85.209.11.85:41140 tcp
US 8.8.8.8:53 85.11.209.85.in-addr.arpa udp
BG 171.22.28.236:38306 tcp
US 8.8.8.8:53 236.28.22.171.in-addr.arpa udp
US 8.8.8.8:53 stalagmijesarl.com udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 31.26.214.95.in-addr.arpa udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 95.214.26.31:80 stalagmijesarl.com tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 b67b603c-9596-478c-b705-b69c054b91ab.uuid.alldatadump.org udp
US 8.8.8.8:53 server7.alldatadump.org udp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
BG 185.82.216.108:443 server7.alldatadump.org tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
SG 74.125.24.127:19302 stun2.l.google.com udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 233.129.159.162.in-addr.arpa udp
US 8.8.8.8:53 127.24.125.74.in-addr.arpa udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.96.0:443 walkinglate.com tcp
US 8.8.8.8:53 0.96.114.188.in-addr.arpa udp
BG 185.82.216.108:443 server7.alldatadump.org tcp
US 8.8.8.8:53 9.173.189.20.in-addr.arpa udp

Files

memory/2652-1-0x00000000008E0000-0x00000000009E0000-memory.dmp

memory/2652-2-0x0000000000400000-0x00000000005AF000-memory.dmp

memory/2652-3-0x0000000000850000-0x000000000085B000-memory.dmp

memory/3156-4-0x0000000002BB0000-0x0000000002BC6000-memory.dmp

memory/2652-5-0x0000000000400000-0x00000000005AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\E3AA.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

C:\Users\Admin\AppData\Local\Temp\E3AA.exe

MD5 73c0d14591b9438fd544c80ccee4fef1
SHA1 8eb8e501098dd00627bd7a63e0f01feb861eeac6
SHA256 ce66fdbd46087bff9a4114ed8b5268b1ba3aff912f3a9a9ce8374874092a8219
SHA512 d0c2a4baf90194865cb91cf825f16c9c546c18e1577331068a893cc09a42296b507fea01c4daad2a99d9a7e9e45453409fdb7e456b912517be4bc18c68bffc0f

memory/3052-22-0x0000000000240000-0x000000000097E000-memory.dmp

memory/3052-23-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-24-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-25-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-26-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-27-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-28-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-29-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-30-0x0000000077B34000-0x0000000077B36000-memory.dmp

memory/3052-34-0x0000000000240000-0x000000000097E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EC08.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/3052-36-0x0000000005890000-0x0000000005E34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EC08.dll

MD5 b22087ac0a2a7243e85d54a92654b666
SHA1 8e131975d080cf7ab254f8c9f52ec456ce6d03ad
SHA256 4cd083e241348bf34cc2fe65a443f49bb4ecbbece875f3b4739036a6ac3001c4
SHA512 70d9ea6624b432a3ad60d52f1096437509391c41c8db5ae0cc29050ad45b16d634d5485c65eb4d187eb8ced1958a7037e291650234e1be41489131dfe86a4dd1

memory/1332-42-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4648-44-0x00000000008F0000-0x00000000008F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEF7.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

memory/1332-52-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3052-49-0x0000000005520000-0x00000000055BC000-memory.dmp

memory/1332-48-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/4648-43-0x0000000010000000-0x00000000101D2000-memory.dmp

memory/4248-41-0x0000000002550000-0x000000000266B000-memory.dmp

memory/3052-40-0x00000000052E0000-0x0000000005372000-memory.dmp

memory/4248-39-0x00000000009F0000-0x0000000000A87000-memory.dmp

memory/1332-53-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3052-59-0x0000000005490000-0x000000000549A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EEF7.exe

MD5 276f4535df7de6a669a52a4e715f678c
SHA1 4ca1872fd68cf09060c344ecae344e5337d0f0fd
SHA256 e09d5baecda5561c71711ca31bf6b3a2c40d3e5d711c035f763a3456b7dd456f
SHA512 6316d85c668a9ac0eaf60047127237f8c95f54ea640318a80ed35a60ae899d2308dca6008f2ed71c23cf416e1a95486d5a265e2939a4b252f1e8f878f854dd89

C:\Users\Admin\AppData\Local\Temp\F198.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

C:\Users\Admin\AppData\Local\Temp\F198.exe

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/2536-65-0x0000000000B70000-0x0000000000C70000-memory.dmp

memory/2536-66-0x0000000000920000-0x0000000000929000-memory.dmp

memory/2536-67-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/3052-68-0x0000000000240000-0x000000000097E000-memory.dmp

memory/3052-69-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-72-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-73-0x0000000076C20000-0x0000000076D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FAC0.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\FAC0.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\c0315b24-6ff8-47c6-9886-3613e17a8075\DD7F.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

memory/3052-91-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3052-90-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4648-92-0x0000000000900000-0x0000000000A26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFB3.exe

MD5 1ce0912c72e8d0bfa728e6a229b04330
SHA1 071804aecef07ef6e2a43cacc9dbacf64a8a2232
SHA256 b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273
SHA512 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/1332-96-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FFB3.exe

MD5 1ce0912c72e8d0bfa728e6a229b04330
SHA1 071804aecef07ef6e2a43cacc9dbacf64a8a2232
SHA256 b508ccb2b80bb777fae721ed1d4b515129e2381ec79044c5bc0e0a10a6060273
SHA512 209a84c8aa4ab135d3983151057b1aea732f3700f3c98fc854bc524d219edf7ba5ed0e4ae6dcb0cf92e3444085219a515ab2cc402e5537c16b22387d7648073e

memory/3052-100-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4648-101-0x0000000002390000-0x0000000002499000-memory.dmp

memory/4648-102-0x0000000002390000-0x0000000002499000-memory.dmp

memory/4648-104-0x0000000002390000-0x0000000002499000-memory.dmp

memory/4648-105-0x0000000002390000-0x0000000002499000-memory.dmp

memory/3052-106-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/4872-108-0x0000000002510000-0x00000000025A2000-memory.dmp

memory/2116-111-0x0000000000AA0000-0x0000000000BA0000-memory.dmp

memory/4212-114-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2116-113-0x0000000000920000-0x000000000092B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DD7F.exe

MD5 22a70a0b71715402d1a4c2b912fa901f
SHA1 d5373bfe847966630647e1b416c00c2075c8d41d
SHA256 515eaeffdbc3065d08c165706e8be7a07dc778e2548b01ea566ed6308a3ecbf5
SHA512 ce9877a36012f2a06559ce0dafedec357884291ecc801f292429e0264d0e844b677455a8f800bd9ec1e99ae8c341f15fc2306cde6a6ed3d8d24a1a7e23f938cc

memory/4212-115-0x0000000000400000-0x0000000000537000-memory.dmp

memory/4212-118-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2116-116-0x0000000000400000-0x00000000007CF000-memory.dmp

memory/3156-119-0x0000000002B90000-0x0000000002BA6000-memory.dmp

memory/2536-121-0x0000000000400000-0x00000000007CF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF6.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Users\Admin\AppData\Local\Temp\EF6.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

memory/1232-129-0x0000000000B20000-0x0000000000B8B000-memory.dmp

memory/1232-130-0x0000000000E00000-0x0000000000E75000-memory.dmp

memory/1232-131-0x0000000000B20000-0x0000000000B8B000-memory.dmp

memory/5012-135-0x00000000003A0000-0x00000000003A7000-memory.dmp

memory/5012-134-0x0000000000390000-0x000000000039C000-memory.dmp

memory/5012-140-0x0000000000390000-0x000000000039C000-memory.dmp

memory/1056-160-0x0000000002A80000-0x0000000002E85000-memory.dmp

memory/1056-161-0x0000000002E90000-0x000000000377B000-memory.dmp

memory/1056-162-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/1232-163-0x0000000000B20000-0x0000000000B8B000-memory.dmp

memory/3052-164-0x0000000005500000-0x000000000551C000-memory.dmp

memory/3052-165-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-166-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-168-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-170-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-172-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-174-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-176-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-178-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-180-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-182-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-184-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-186-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3052-188-0x0000000005500000-0x0000000005515000-memory.dmp

memory/3528-189-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3528-191-0x0000000075020000-0x00000000757D0000-memory.dmp

memory/3052-193-0x00000000057A0000-0x00000000057B0000-memory.dmp

memory/3052-194-0x0000000000240000-0x000000000097E000-memory.dmp

memory/3528-196-0x0000000008B80000-0x0000000009198000-memory.dmp

memory/3052-195-0x0000000076C20000-0x0000000076D10000-memory.dmp

memory/3528-197-0x0000000007D60000-0x0000000007D72000-memory.dmp

memory/3528-198-0x0000000007E90000-0x0000000007F9A000-memory.dmp

memory/3528-199-0x0000000007DC0000-0x0000000007DFC000-memory.dmp

memory/3528-200-0x0000000007E20000-0x0000000007E6C000-memory.dmp

memory/3528-201-0x0000000008690000-0x00000000086F6000-memory.dmp

memory/1056-202-0x0000000002A80000-0x0000000002E85000-memory.dmp

memory/3528-203-0x0000000009480000-0x00000000094F6000-memory.dmp

memory/3528-204-0x00000000096D0000-0x0000000009892000-memory.dmp

memory/3528-205-0x0000000009DD0000-0x000000000A2FC000-memory.dmp

memory/1056-206-0x0000000002E90000-0x000000000377B000-memory.dmp

memory/3528-207-0x0000000009600000-0x000000000961E000-memory.dmp

memory/2556-208-0x0000000004B00000-0x0000000004B36000-memory.dmp

memory/1056-209-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/2556-210-0x0000000075020000-0x00000000757D0000-memory.dmp

memory/1056-211-0x0000000000400000-0x0000000000D1B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_reya4jpn.odi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1880-230-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EF6.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Users\Admin\AppData\Roaming\sdvfagh

MD5 5d2f4dced61a5ca942ddd8df3e2646d9
SHA1 87a53a110db93a85c2088424ff4d3feeb24ab82f
SHA256 911a05caef8cb0bbe510c0831c0f51dab5f5e9cc6bede193167bf13d630df618
SHA512 9770d4bab8ae0d0ae777c232e87f3a43375115faca33d1a8e3e459cd98e3987ddee73166a290c93a392ec007974505f965324463b4a24d9be0c051108b3e1bd6

memory/1056-274-0x0000000000400000-0x0000000000D1B000-memory.dmp

memory/400-305-0x0000000000F70000-0x0000000000F7B000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

MD5 c671d50d589ce7be9ad3ff4035e6ad63
SHA1 88cdc154077c8264149cb8b19e16ba07901e1dd6
SHA256 fb07948cb75ee2b9967b1a6386eb53a46573ae99c9ecb46f2b377af8df1b7568
SHA512 a40a7500a7896f2200754499c00e74a7b8a53578808d5408e1e31733d03cdeb2b3e520c1d9b71537f2877093b686811b8e20cbb5c8061e4d3e1d75a161cebae9

memory/3100-311-0x0000000000D20000-0x0000000000D2F000-memory.dmp

memory/748-316-0x0000000000830000-0x0000000000839000-memory.dmp

memory/4424-321-0x0000000000E20000-0x0000000000E2C000-memory.dmp

memory/888-326-0x0000000000560000-0x0000000000587000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 eb579cb480fe558d25008756749835d7
SHA1 f964b11c00c7979fd3101177c65184767d3f653b
SHA256 4a03a6cb6719a9946dfee620d7ae888d3b175d0140dc2d1e92c9996191ab3672
SHA512 e26962bd25880a26017527e07a9fe2dd9f12e211ff49dfdeefe718a3dfe8dbc16020774df77a658cc1b32993beb5b1b5f99eaa684af500c0c2a672073e18fec2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1afacc4a6e46baa560ceeceae5ff2c9c
SHA1 501fd0497b0b2d776cc77451f448be4382f302be
SHA256 ff42b60f3b2474ad3f7a0500a0bd8898de6930933345f588c92d3249917e1637
SHA512 f8f146b091636ed58459e975cd19c6163b825aaeaa775a42158333f89f6743a2a3461cf8efe539e95a4c08bea42f60fcc86b12df755cc23c7098b84a3d6b5b3c

C:\Windows\rss\csrss.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Windows\rss\csrss.exe

MD5 6c9efad2ba2589915879665a1a25a9ac
SHA1 8e94c81e51ad12f20c77da95883a4116a2c7a5c9
SHA256 55dc284e3cd4e026d83777e35f99d93037d20ffb6e2b3adb0f8ec95e8c232433
SHA512 61bb81a757cfb31ddacf7ae6e8b7627bf60a402e16a29dd6a1cd8aacc728529702dee3cf9758fdb6cb8a9e621e0cb8f213c793e913f6ba7a3df17c2db2a06a1c

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 97cab70d464e9fb5b5951b8651b30cb1
SHA1 41bf566f3f8d1b5569932a76216dbe914622e186
SHA256 cd901819be46cb170d5ad69be561b76bcc7591830f61f5b671dae81469187c84
SHA512 d17e4da5b111250d67e27da16a8339a47cb338eac62993588750275af6cc9c06c7c13836fd748d51d58b239ff7d9db55bb03fb045a6c4ff0e002d1ac679e55fd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4949e8fb88fa0c88c3728564be15a006
SHA1 916d4589816e8742007328e3b231dda580c5fedc
SHA256 8725ec19f5974185858ddb3083ab0506518eee56f609a92172dd7020b32fc28e
SHA512 193ae81ea4d0645251cd17d429849d7c907e12e695a6c28e0e7022e1f391f1489ceaf89a3c23180ff0a0a4965f77fdfb13cf61a24b85d89281b895fd9f0e12e1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 350dd252d926a7b43c7e3cb1ddaf4dc6
SHA1 e7ee600d97cd5d5f2fcfbf130ac7aa844ccf716e
SHA256 2638bb4a0b2ae14872a9c7cca5b9d8ac17ff859d935997445911a4ee1b67c7aa
SHA512 b33c28d7af2176aeb7caf7000c25199dc2b6d3a1a65c7f5519a9f47e2281abc8a4aa843cf9021e3079a7ad4bbd6ecf001b73f7d9cfc535e111bd5f51959b8e53

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Users\Admin\AppData\Local\Temp\577f58beff\yiueea.exe

MD5 55f845c433e637594aaf872e41fda207
SHA1 1188348ca7e52f075e7d1d0031918c2cea93362e
SHA256 f9f9b154f928549c7a4b484909f41352048ce8148c678f4ec32c807c1d173a39
SHA512 5a9b5e83b41041259060e3a29163cdd5ed271c5d476fa455b40ec9bc32bf4bcddaf3aa1ba23faacc2669be420acb905677ec4fcfb3d69e7b9f7908ae5cbd18a4