Analysis Overview
SHA256
2aadc9ec54b6cc94d7e34cfd993a4e0098d20e571e52867206bab6b1ef9543b3
Threat Level: Known bad
The file NEAS.2aadc9ec54b6cc94d7e34cfd993a4e0098d20e571e52867206bab6b1ef9543b3.exe was found to be: Known bad.
Malicious Activity Summary
Detect Mystic stealer payload
RedLine
ZGRat
RedLine payload
Detect ZGRat V1
Glupteba payload
Mystic
SmokeLoader
SectopRAT payload
SectopRAT
Glupteba
Stops running service(s)
Downloads MZ/PE file
Modifies Windows Firewall
Checks computer location settings
Reads user/profile data of web browsers
UPX packed file
Executes dropped EXE
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-11 11:35
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-11 11:35
Reported
2023-11-11 11:49
Platform
win10v2004-20231023-en
Max time kernel
60s
Max time network
159s
Signatures
Detect Mystic stealer payload
Detect ZGRat V1
Glupteba
Glupteba payload
Mystic
RedLine
RedLine payload
SectopRAT
SectopRAT payload
SmokeLoader
ZGRat
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5726.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7NT5fX20.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zb4Dw26.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\no8Wy13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1xt40Vb6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6kh2Vy5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7NT5fX20.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3553.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37D5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5726.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5AA1.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\NEAS.2aadc9ec54b6cc94d7e34cfd993a4e0098d20e571e52867206bab6b1ef9543b3.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zb4Dw26.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\no8Wy13.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2324 set thread context of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1xt40Vb6.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 3076 set thread context of 3024 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6kh2Vy5.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\37D5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\3553.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\NEAS.2aadc9ec54b6cc94d7e34cfd993a4e0098d20e571e52867206bab6b1ef9543b3.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.2aadc9ec54b6cc94d7e34cfd993a4e0098d20e571e52867206bab6b1ef9543b3.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zb4Dw26.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zb4Dw26.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\no8Wy13.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\no8Wy13.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1xt40Vb6.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1xt40Vb6.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2788 -ip 2788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2788 -s 192
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6kh2Vy5.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6kh2Vy5.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7NT5fX20.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7NT5fX20.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is64.bat" "
C:\Users\Admin\AppData\Local\Temp\3553.exe
C:\Users\Admin\AppData\Local\Temp\3553.exe
C:\Users\Admin\AppData\Local\Temp\37D5.exe
C:\Users\Admin\AppData\Local\Temp\37D5.exe
C:\Users\Admin\AppData\Local\Temp\5726.exe
C:\Users\Admin\AppData\Local\Temp\5726.exe
C:\Users\Admin\AppData\Local\Temp\5AA1.exe
C:\Users\Admin\AppData\Local\Temp\5AA1.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\5AA1.exe
C:\Users\Admin\AppData\Local\Temp\5AA1.exe
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\EDE9.exe
C:\Users\Admin\AppData\Local\Temp\EDE9.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\2F78.exe
C:\Users\Admin\AppData\Local\Temp\2F78.exe
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\5485.exe
C:\Users\Admin\AppData\Local\Temp\5485.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe" --nt-service -f "C:\Users\Admin\AppData\Local\Temp\csrss\tor\torrc" --Log "notice file C:\Users\Admin\AppData\Local\Temp\csrss\tor\log.txt"
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WmiPrvSE D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\NextSink\kxfnpp\TypeId.exe
C:\Users\Admin\AppData\Local\NextSink\kxfnpp\TypeId.exe
C:\Users\Admin\AppData\Local\NextSink\kxfnpp\TypeId.exe
C:\Users\Admin\AppData\Local\NextSink\kxfnpp\TypeId.exe
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nvjdnn#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zb4Dw26.exe
| MD5 | c21134f24c34fbd86dd48bfd2bdce577 |
| SHA1 | f73d471c798211389e49d3c0d47139e8005a389c |
| SHA256 | 03c6e820bd7107528d5387f7775a509e3d0cba651195d26fa555627a653fd2bf |
| SHA512 | d4e707fa168ec6b1a9b8db846a86722163346eacb410c74b64d819fdd8bc55b6e5eaf5dba0b9b86678fe8bd4a94aba4e72ee0abb839ff86410276b92a0d8d171 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\zb4Dw26.exe
| MD5 | c21134f24c34fbd86dd48bfd2bdce577 |
| SHA1 | f73d471c798211389e49d3c0d47139e8005a389c |
| SHA256 | 03c6e820bd7107528d5387f7775a509e3d0cba651195d26fa555627a653fd2bf |
| SHA512 | d4e707fa168ec6b1a9b8db846a86722163346eacb410c74b64d819fdd8bc55b6e5eaf5dba0b9b86678fe8bd4a94aba4e72ee0abb839ff86410276b92a0d8d171 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\no8Wy13.exe
| MD5 | 617ff02772e67d8d8a978fd731c02c56 |
| SHA1 | faafb06b2b1d643d5ff0d3b1b0bd01b7d2fb5f88 |
| SHA256 | 738db379b5914e22803f7e9a3cf9bce91ce4cba50bac698ae2841e854f8b7d30 |
| SHA512 | f28ae6c165cb1c8db941a5032eecc4b3498691c36482fd385a3d2d8403942c1281cd8f97e4a66624bc92947612e37c0a91712acbd05968bda05254186a67e596 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\no8Wy13.exe
| MD5 | 617ff02772e67d8d8a978fd731c02c56 |
| SHA1 | faafb06b2b1d643d5ff0d3b1b0bd01b7d2fb5f88 |
| SHA256 | 738db379b5914e22803f7e9a3cf9bce91ce4cba50bac698ae2841e854f8b7d30 |
| SHA512 | f28ae6c165cb1c8db941a5032eecc4b3498691c36482fd385a3d2d8403942c1281cd8f97e4a66624bc92947612e37c0a91712acbd05968bda05254186a67e596 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1xt40Vb6.exe
| MD5 | 784667bb96ccb30c4cf44f2c5f493769 |
| SHA1 | 28185165ab4dbbb4a139ae1af0bb6934ebe05c04 |
| SHA256 | 1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9 |
| SHA512 | 62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\1xt40Vb6.exe
| MD5 | 784667bb96ccb30c4cf44f2c5f493769 |
| SHA1 | 28185165ab4dbbb4a139ae1af0bb6934ebe05c04 |
| SHA256 | 1025fb084bca865df30e69eea7a9a4a3c852626e148b340de661e6f5b63bc1c9 |
| SHA512 | 62c9def097f132cdb26b11e586f3e15407b9eb9e9e32f79460a3be1bd4c8e046db8488f754cd1c1cc4fe4025a3f9bc9484e94eae0c7d273050f8e6548d12bc20 |
memory/2788-21-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2788-22-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2788-25-0x0000000000400000-0x0000000000433000-memory.dmp
memory/2788-23-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe
| MD5 | b938034561ab089d7047093d46deea8f |
| SHA1 | d778c32cc46be09b107fa47cf3505ba5b748853d |
| SHA256 | 260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161 |
| SHA512 | 4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2pG2056.exe
| MD5 | b938034561ab089d7047093d46deea8f |
| SHA1 | d778c32cc46be09b107fa47cf3505ba5b748853d |
| SHA256 | 260784b1afd8b819cb6ccb91f01090942375e527abdc060dd835992d88c04161 |
| SHA512 | 4909585c112fba3575e07428679fd7add07453e11169f33922faca2012d8e8fa6dfb763d991c68d3b4bbc6e78b6f37d2380c502daada325d73c7fff6c647769b |
memory/4536-29-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3304-30-0x0000000002C70000-0x0000000002C86000-memory.dmp
memory/4536-32-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6kh2Vy5.exe
| MD5 | 14d9834611ad581afcfea061652ff6cb |
| SHA1 | 802f964d0be7858eb2f1e7c6fcda03501fd1b71c |
| SHA256 | e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60 |
| SHA512 | cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\6kh2Vy5.exe
| MD5 | 14d9834611ad581afcfea061652ff6cb |
| SHA1 | 802f964d0be7858eb2f1e7c6fcda03501fd1b71c |
| SHA256 | e6e9b3d830f2d7860a09d596576e8ab0131c527b47dda73fe727b71b44c8cf60 |
| SHA512 | cbef1f44eb76d719c60d857a567a3fc700d62751111337cd4f8d30deae6901dc361320f28dac5ec5468420419eed66cada20f4c90fe07db6a3f8cf959eba31b5 |
memory/3024-37-0x0000000000400000-0x000000000043C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7NT5fX20.exe
| MD5 | 41f91a31477bf75671a9228af978610c |
| SHA1 | 3fb03645688140f64ef39e7a4195e318751a2baa |
| SHA256 | cf866e414e554edee2dbd45a7de7563c6d891d533110d392634807338a7e87a1 |
| SHA512 | 0266c28c3cb1ffed173a8a43e00f79142b5f158169ddfbbdc8c5f90fb133e1d15228472b7bd8abc821e554790f04855448bdc7b4800733b26e016d1f37b79da8 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7NT5fX20.exe
| MD5 | 41f91a31477bf75671a9228af978610c |
| SHA1 | 3fb03645688140f64ef39e7a4195e318751a2baa |
| SHA256 | cf866e414e554edee2dbd45a7de7563c6d891d533110d392634807338a7e87a1 |
| SHA512 | 0266c28c3cb1ffed173a8a43e00f79142b5f158169ddfbbdc8c5f90fb133e1d15228472b7bd8abc821e554790f04855448bdc7b4800733b26e016d1f37b79da8 |
memory/3024-43-0x0000000074860000-0x0000000075010000-memory.dmp
memory/3024-45-0x0000000007C90000-0x0000000008234000-memory.dmp
memory/3024-47-0x00000000077C0000-0x0000000007852000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is64.txt
| MD5 | a5ea0ad9260b1550a14cc58d2c39b03d |
| SHA1 | f0aedf295071ed34ab8c6a7692223d22b6a19841 |
| SHA256 | f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04 |
| SHA512 | 7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74 |
C:\Users\Admin\AppData\Local\Temp\is64.bat
| MD5 | 225edee1d46e0a80610db26b275d72fb |
| SHA1 | ce206abf11aaf19278b72f5021cc64b1b427b7e8 |
| SHA256 | e1befb57d724c9dc760cf42d7e0609212b22faeb2dc0c3ffe2fbd7134ff69559 |
| SHA512 | 4f01a2a248a1322cb690b7395b818d2780e46f4884e59f1ab96125d642b6358eea97c7fad6023ef17209b218daa9c88d15ea2b92f124ecb8434c0c7b4a710504 |
memory/3024-53-0x0000000007A00000-0x0000000007A10000-memory.dmp
memory/3024-54-0x00000000079C0000-0x00000000079CA000-memory.dmp
memory/3024-55-0x0000000008860000-0x0000000008E78000-memory.dmp
memory/3024-57-0x0000000007AA0000-0x0000000007AB2000-memory.dmp
memory/3024-56-0x0000000007B70000-0x0000000007C7A000-memory.dmp
memory/3024-58-0x0000000007B00000-0x0000000007B3C000-memory.dmp
memory/3024-59-0x0000000008240000-0x000000000828C000-memory.dmp
memory/3024-60-0x0000000074860000-0x0000000075010000-memory.dmp
memory/3024-61-0x0000000007A00000-0x0000000007A10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3553.exe
| MD5 | f6079a0d6e9c3d6c80af8adb5033b007 |
| SHA1 | c111e23c945fc86bf81729112ba1c0acdab479a0 |
| SHA256 | fed9fe7c0027acbfeb05ae652b70d981ed3aabb54559eb6bfb1ba24a27e1c3a7 |
| SHA512 | 02f4609bad9babbd141e2e80e923a99b6e03969fbbf53ad1f99f1839da83076c41dd8765df081587bba466437ff64f292c672616addcae524e1e4909bc7c44bf |
memory/3844-66-0x0000000000400000-0x000000000046F000-memory.dmp
memory/3844-68-0x0000000000550000-0x00000000005AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\37D5.exe
| MD5 | 0592c6d7674c77b053080c5b6e79fdcb |
| SHA1 | 693339ede19093e2b4593fda93be0b140be69141 |
| SHA256 | fe19cdb149ecd8fd116f048852dcc10e46a3521351102685ce25c61a7d962a14 |
| SHA512 | 37f2ff110b0702229b888280c8c2dff7885e6b1e583ccc47c36e74f44adfa491f70d6d6ab95d79149437d6fd9400448f1046eee3676ea98dffe99bc28e4783cb |
memory/3844-75-0x0000000074860000-0x0000000075010000-memory.dmp
memory/3276-76-0x00000000006D0000-0x00000000006EE000-memory.dmp
memory/3276-77-0x0000000074860000-0x0000000075010000-memory.dmp
memory/3844-78-0x00000000075B0000-0x00000000075C0000-memory.dmp
memory/3276-79-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/3844-80-0x0000000008100000-0x0000000008166000-memory.dmp
memory/3844-81-0x0000000008A10000-0x0000000008A86000-memory.dmp
memory/3844-82-0x0000000008AE0000-0x0000000008CA2000-memory.dmp
memory/3844-83-0x0000000008CB0000-0x00000000091DC000-memory.dmp
memory/3844-84-0x00000000092E0000-0x00000000092FE000-memory.dmp
memory/3844-85-0x0000000005CB0000-0x0000000005D00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5726.exe
| MD5 | c6efb8a96d16975e226f757619892d09 |
| SHA1 | fe1d7fc49e6ca211930347334eb27b0d64d9b5dc |
| SHA256 | 2f831895016ec2f255ca65fb3fb7b7aac1c5f8bd07569fd170bba8dabca86f7c |
| SHA512 | d373614d6d4fb31449212936d62f4584b8023a9c4776e7fc94634b0c494137287f7bf9b2296a4f8e1b43055fd73377322a4bae01407ea95615723f7a2e4cd8ec |
memory/3060-90-0x0000000074860000-0x0000000075010000-memory.dmp
memory/3060-91-0x0000000000890000-0x000000000152A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5AA1.exe
| MD5 | d497d6f5d3b74379d1ca2e1abde20281 |
| SHA1 | 937aac5cf9191e833724edda2742ed115a5237c7 |
| SHA256 | a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564 |
| SHA512 | bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6 |
memory/3344-97-0x0000021486260000-0x000002148634E000-memory.dmp
memory/3344-98-0x00000214A07E0000-0x00000214A08C0000-memory.dmp
memory/3344-99-0x00007FF8F2F10000-0x00007FF8F39D1000-memory.dmp
memory/3344-101-0x00000214A0930000-0x00000214A0A10000-memory.dmp
memory/3344-100-0x00000214A07D0000-0x00000214A07E0000-memory.dmp
memory/3344-106-0x00000214A0A10000-0x00000214A0AD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | bc3354a4cd405a2f2f98e8b343a7d08d |
| SHA1 | 4880d2a987354a3163461fddd2422e905976c5b2 |
| SHA256 | fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b |
| SHA512 | fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b |
memory/3344-107-0x00000214A0BE0000-0x00000214A0CA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | bc3354a4cd405a2f2f98e8b343a7d08d |
| SHA1 | 4880d2a987354a3163461fddd2422e905976c5b2 |
| SHA256 | fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b |
| SHA512 | fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b |
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | dcbd05276d11111f2dd2a7edf52e3386 |
| SHA1 | f5dc6d418d9fb2d2cfa4af440ec4ff78da8f11ec |
| SHA256 | cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4 |
| SHA512 | 5f1a9c993cd5394e23b39c43cc7479355c922d1ee8ea48109bbad805209dee697e20759257eca9e2f1b75d34a8c4b4c428a736fa8a468dc18de6c44cb6394846 |
memory/3344-121-0x00000214A0770000-0x00000214A07BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup5.exe
| MD5 | bc3354a4cd405a2f2f98e8b343a7d08d |
| SHA1 | 4880d2a987354a3163461fddd2422e905976c5b2 |
| SHA256 | fffc160a4c555057143383fec606841cd2c319f79f52596e0d27322a677dca0b |
| SHA512 | fe349af0497e2aa6933b1acfea9fecd2c1f16da009a06ac7d7f638353283da3ef04e9c3520d33bae6e15ea6190420a27be97f46e5553a538b661af226c241c6b |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 00e93456aa5bcf9f60f84b0c0760a212 |
| SHA1 | 6096890893116e75bd46fea0b8c3921ceb33f57d |
| SHA256 | ff3025f9cf19323c5972d14f00f01296d6d7a71547eca7e4016bfd0e1f27b504 |
| SHA512 | abd2be819c7d93bd6097155cf84eaf803e3133a7e0ca71f9d9cbc3c65e4e4a26415d2523a36adafdd19b0751e25ea1a99b8d060cad61cdfd1f79adf9cd4b4eca |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
memory/4460-147-0x0000000000400000-0x00000000004AA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5AA1.exe
| MD5 | d497d6f5d3b74379d1ca2e1abde20281 |
| SHA1 | 937aac5cf9191e833724edda2742ed115a5237c7 |
| SHA256 | a1765648a41eea21fd942776cba9b50705673d8f7564ae7f8c9751eda9e2e564 |
| SHA512 | bdb28622542e3b34e40b37a189a967b6136963200fec616c6147fd36bb543b94a7d64128d5fbd65a5358b1131dc265c7cbdb1240fece3e8c09652b97c4c025a6 |
memory/4460-153-0x0000017D9C720000-0x0000017D9C804000-memory.dmp
memory/3060-155-0x0000000074860000-0x0000000075010000-memory.dmp
memory/3344-156-0x00007FF8F2F10000-0x00007FF8F39D1000-memory.dmp
memory/4460-158-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-157-0x00007FF8F2F10000-0x00007FF8F39D1000-memory.dmp
memory/2284-149-0x0000000002830000-0x0000000002831000-memory.dmp
memory/4460-154-0x0000017D9C850000-0x0000017D9C860000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\5AA1.exe.log
| MD5 | 9f5d0107d96d176b1ffcd5c7e7a42dc9 |
| SHA1 | de83788e2f18629555c42a3e6fada12f70457141 |
| SHA256 | d0630b8466cebaaf92533826f6547b6f36a3c480848dc38d650acd52b522a097 |
| SHA512 | 86cfaa3327b59a976ddd4a5915f3fe8c938481344fcbd10e7533b4c5003673d078756e62435940471658a03504c3bc30603204d6a133727a3f36c96d08714c61 |
memory/4460-159-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-161-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
memory/3844-125-0x0000000074860000-0x0000000075010000-memory.dmp
memory/4460-163-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-165-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-167-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-169-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-171-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-173-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-175-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-177-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-179-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-181-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-184-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-186-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-189-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-191-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-193-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-195-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-197-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-199-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-201-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-203-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-205-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/4460-207-0x0000017D9C720000-0x0000017D9C801000-memory.dmp
memory/3276-215-0x0000000074860000-0x0000000075010000-memory.dmp
memory/4764-217-0x00000000008F0000-0x00000000009F0000-memory.dmp
memory/2972-223-0x0000000002AB0000-0x0000000002EB5000-memory.dmp
memory/4764-220-0x00000000022E0000-0x00000000022E9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | dcbd05276d11111f2dd2a7edf52e3386 |
| SHA1 | f5dc6d418d9fb2d2cfa4af440ec4ff78da8f11ec |
| SHA256 | cea5245bab036b03f89d549c71f47df8a14854b0de515643bf95319ec5af71d4 |
| SHA512 | 5f1a9c993cd5394e23b39c43cc7479355c922d1ee8ea48109bbad805209dee697e20759257eca9e2f1b75d34a8c4b4c428a736fa8a468dc18de6c44cb6394846 |
memory/1764-225-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2972-227-0x0000000002EC0000-0x00000000037AB000-memory.dmp
memory/2972-232-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1700-584-0x0000000000EB0000-0x0000000000EE6000-memory.dmp
memory/3276-593-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/1700-594-0x0000000004D30000-0x0000000005358000-memory.dmp
memory/1700-597-0x0000000074860000-0x0000000075010000-memory.dmp
memory/1700-601-0x0000000000F00000-0x0000000000F10000-memory.dmp
memory/1700-600-0x0000000000F00000-0x0000000000F10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5x3wrr1o.e3x.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1700-622-0x0000000005580000-0x00000000055A2000-memory.dmp
memory/1700-629-0x0000000005680000-0x00000000056E6000-memory.dmp
memory/1700-633-0x0000000005760000-0x0000000005AB4000-memory.dmp
memory/1700-666-0x0000000005C20000-0x0000000005C3E000-memory.dmp
memory/1764-684-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1700-702-0x00000000061E0000-0x0000000006224000-memory.dmp
memory/1700-721-0x0000000000F00000-0x0000000000F10000-memory.dmp
memory/1700-747-0x0000000007640000-0x0000000007CBA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7327a5944b67f3700117527c3e0a88f7 |
| SHA1 | 542cc8ecf5b1d6d2d41c2587a21d60442e90ba56 |
| SHA256 | 35c43d4996e329c3e355a0623947d59b064b71f2f90e4aef3cc86f0040574230 |
| SHA512 | 6748b123967d80855139151c72aba5ccf9f49c6ef4dc7da013009664cc5db763c20e2134b654ae42a1f892666e2d61c1775e7617f1f4eec358708567ec9aa789 |
C:\Users\Admin\AppData\Local\Temp\EDE9.exe
| MD5 | 4bb2473f19d24fbd573a45050f59ea62 |
| SHA1 | 32cc57c1f1f0716e810b9dfdf101dddc02faeb0b |
| SHA256 | 064c16bb2715e8f8713605c4ffc75962302cf0c8a7b06dbac92b40a05f1dd3bf |
| SHA512 | d82387755e966880251965328e7e8281bba4517b4cb6ff0959c972853bb8bb59d6513d48755d56f091b611ed3c4ef101a6e04696606f2267646300e73de0c5b3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | af1aa5a9684bc60122b6734d0d5082dc |
| SHA1 | 76a57ff899846a652b970ca0903a0efdfb7e2bb7 |
| SHA256 | 31e4b760ce1823dc98b80bdbf9f5235f16c2f169df6dda4a651991fb9e06aa21 |
| SHA512 | f641e30ed734a51577f523c3fe375a8415be1c101c180d32fdae0bd99140d5cf5730545cc01511bbfbc1fd063821f7586e5cef873635a13297b8092a3f3738a7 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Windows\rss\csrss.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d28a889fd956d5cb3accfbaf1143eb6f |
| SHA1 | 157ba54b365341f8ff06707d996b3635da8446f7 |
| SHA256 | 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45 |
| SHA512 | 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | aa02f805933d903cb8fdf1d4c1d2713d |
| SHA1 | aa4bf3e90d415e0892e1525baa99f7b1ace1dd1f |
| SHA256 | a899490a04609cbf1910cf9842ce394824af236e7e329d889d9734eed3107f0e |
| SHA512 | ef0c5393fc14bc568e43dc54b845c653f3c34774a172b7b635abe420f5bb1cce68bfd105b78fb856ce595e98ad5205f34554ae0a22b2239f830c22657dcc2f35 |
C:\Users\Admin\AppData\Local\Temp\2F78.exe
| MD5 | 4bb2473f19d24fbd573a45050f59ea62 |
| SHA1 | 32cc57c1f1f0716e810b9dfdf101dddc02faeb0b |
| SHA256 | 064c16bb2715e8f8713605c4ffc75962302cf0c8a7b06dbac92b40a05f1dd3bf |
| SHA512 | d82387755e966880251965328e7e8281bba4517b4cb6ff0959c972853bb8bb59d6513d48755d56f091b611ed3c4ef101a6e04696606f2267646300e73de0c5b3 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Program Files\Google\Chrome\updater.exe
| MD5 | bae29e49e8190bfbbf0d77ffab8de59d |
| SHA1 | 4a6352bb47c7e1666a60c76f9b17ca4707872bd9 |
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
| SHA512 | 9e6cf6519e21143f9b570a878a5ca1bba376256217c34ab676e8d632611d468f277a0d6f946ab8705121002d96a89274f38458affe3df3a3a1c75e336d7d66e2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 0b82a2354462f2e56b1e9ae66fc7cd82 |
| SHA1 | cc4b61d817abe142afd988270636471641b7425e |
| SHA256 | 4b9bc8830101ac293110c54ecaecc572b5b9aee8d3f9456be3aacba3ce7a4261 |
| SHA512 | 00970b8eeccfd494d92fd0211829350e67c74d868ab7123409c5fbf71dc82110a38946d3a5ab4f02422263c5e7aa3a33898c8ee9f2b5a3b610a7511141b6a0e3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c0dd5ad47db7047e15df12fc39355ee6 |
| SHA1 | 65adc39c49a4f481b827b505a55085f4d24e702a |
| SHA256 | 5eb8b00a837752aa680f47dce356953534a463bc953fece96ac204a573b7a0a3 |
| SHA512 | 7d2cca1bdb13b2ac378abc117af77b6b616795c7d3b791d3c1bfcc6b78fc37ea7a55641ab337c043409ac3be7d057f18d239f3b6e3ed28686a8d12129b25e786 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\5485.exe
| MD5 | 5e2d2087340d2d4e4faa3e945c932a95 |
| SHA1 | da8b6a28923983fe9b1e0b18f0b540df24382851 |
| SHA256 | 63ee50294b30ab0e0569baea7a8b52454ba95264fdce6709d3437a462be9d888 |
| SHA512 | 47e45183467aff329e74f347b83f90a62f1ef5168368c46379c0d0b7defcce1192e5e13dd7fece5b39050386de11152a5001fb3fc7bb8ebdea576008bc90b3d0 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\tor.exe
| MD5 | 055ae7c584a7b012955bf5d874f30cfa |
| SHA1 | f2b4d8c5307ff09607be929ec08fc2727bf03dcf |
| SHA256 | d51b5bf807f6de3b5521b49b9a722592fb85aee1ea2f1c03bbb5255d62bfb9c8 |
| SHA512 | 910bb0be7a3840bb37cb453ea066677a5327e272cfa0995f7a600bd4eb2e7c31685dcc0758c3b2cf07c7622fd45b2d4cdd3a4272cddaf9e97e2ffc48120646c5 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll
| MD5 | 736443b08b5a52b6958f001e8200be71 |
| SHA1 | e56ddc8476aef0d3482c99c5bfaf0f57458b2576 |
| SHA256 | da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4 |
| SHA512 | 9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libgcc_s_dw2-1.dll
| MD5 | 36e1c3814bde3418ba3d38517954cb7c |
| SHA1 | 495e1ba5b0b442e70124d33daa6fea4e3e5931b0 |
| SHA256 | b34edd252f46dd881e79cfd274777fe5e90943d511c8e002aeca0528d7f3b4b1 |
| SHA512 | df7b608c51a782ad5cdfd753577a3dcacf4e2515ac02ce9e35b3cbc543895862844e8adcaff983b1348884085cf7427c33a67acc5ce48fe656f5b2083d0813b0 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll
| MD5 | f08b1f044c68770c190daf1eb1f3157e |
| SHA1 | f94103a542459d60434f9ddb6b5f45b11eae2923 |
| SHA256 | 1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27 |
| SHA512 | 0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssl-1_1.dll
| MD5 | d92e59b71bf8a0d827597ed95b2eca42 |
| SHA1 | cfc49ff29eddb7127fbed166a8a1e740ea3dfb9a |
| SHA256 | b6ef5cb4c093431f3e73c53e66df33d08237ba46d457d119a2c4dcae582314e3 |
| SHA512 | be65e003a498e753b08912d697e9b4d8a28828581c17d1e8e20880372a81030ce18610eeff230c8880e68a831041075bb2ebffcf318d29ebf58bc856fac3df04 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\zlib1.dll
| MD5 | f08b1f044c68770c190daf1eb1f3157e |
| SHA1 | f94103a542459d60434f9ddb6b5f45b11eae2923 |
| SHA256 | 1d0278386f8922bdf4808861e6e901541ad23cc6337bb022c78dc05915202f27 |
| SHA512 | 0667416a7515cd845e96d2ad26ca676cffd2d1c9f0449ff05455e8cf6a7ab595d3f972785d051f45332c04f1c0b576726f645e3669122608a4f374e984ba161c |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libevent-2-1-7.dll
| MD5 | 736443b08b5a52b6958f001e8200be71 |
| SHA1 | e56ddc8476aef0d3482c99c5bfaf0f57458b2576 |
| SHA256 | da1f75b9ce5f47cb78a6930a50c08397ee4d9778302746340f4057fcd838dbf4 |
| SHA512 | 9dfcdb1186b089e7961767d427de986ad8e5f7715b7592984349d0b8e7f02198137c83e8c79a096a7475ad9f4695f52539fa08fa65912860ddf0a85515a7cda1 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libssp-0.dll
| MD5 | 7cdbaca31739500aefc06dd85a8558ff |
| SHA1 | adc36ec6a3cdc7e57a1b706c820e382627f6cb90 |
| SHA256 | 0a1dee5dd5234971f7526f3d5f8b7e2cfdcb536e18debd51c985010fb504fbdb |
| SHA512 | 6df8ac9054f27ebbef9642ce79ff7ba836411ea0ed0bd04b3cfe724a336a91f665c2cc0b7a4bfc99a80786d1a6d361b971a7dbb7a298b919a1baa812541841ba |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\libcrypto-1_1.dll
| MD5 | b7c32c8e7d21aa9b79470037227eba43 |
| SHA1 | 38d719b10ca035cee65162c1a44e2c62123d41b4 |
| SHA256 | 99b4042a858a9e437917c8256692e9ba161b87054ccf5e22538e86bb35c34f23 |
| SHA512 | d85345380b9605c8484e11873218aa4eaeea573ca51eedada6d0518695a2b184bb22faf7c5e3d88330935774ced17e9d80c577b06603aa1ca6dab748b0bd15a7 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdesc-consensus.tmp
| MD5 | ee9a96b13c9e201cb1d46dd4ed847101 |
| SHA1 | 5e90ce15e6d84c619ced70055ec2532ab50e5935 |
| SHA256 | 8662e9a63cefc668f233fb3fa1a57be1a925ca8f7df3549bf88f578955cc8d06 |
| SHA512 | 739c49dc786ac0f318731ca8d0a7dbe001b11e7af665296e8d438412e12c5c2e7426c23ec4789791b79c9e16ad6666228b5471243f2d6131ae916f931108ac15 |
C:\Users\Admin\AppData\Local\Temp\csrss\tor\Tor\cached-microdescs.new
| MD5 | 573e9d19e0057727036e7c77348e8fe2 |
| SHA1 | c7c8253a3bf4c26335345f98af2365acf96c4c15 |
| SHA256 | 39d50f54a5a199c4e98b2ca545276ddd96b3e6e86275aa9f8f8fefef5259b2ad |
| SHA512 | 31cb7b004d1d300f75ed6b2deb432f40e0c62ca18426e8f45eaecb152cdcdd6e7ea1755f4a16a9942a1dedf9c93d3c1b551589187c544533e5199687689913e7 |
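As an added triage example (not part of the sandbox report and not the sandbox vendor's code), the script below parses a listing in the format used above, groups dropped files by SHA256 so that one payload written under several names is counted once (in this report the same hash appears as `31839b57a4f11171d6abc8bbc4451ee4.exe` in Temp and as `C:\Windows\rss\csrss.exe`), flags dropped executables that borrow a Windows system-binary name outside System32/SysWOW64 or land directly in `C:\Windows`, and points out memory-dump ranges that recur across several PIDs, which are more likely shared module mappings than a payload unique to either process. The line formats are inferred from the page, the `SYSTEM_BINARIES` set is an illustrative assumption, and `REPORT` is a constructed excerpt that reuses paths and hashes from the listing.

```python
"""Triage helper for a dropped-file / memory-dump listing like the one above.

Added example, not code from the sandbox report. Line formats (a path line
followed by '| MD5 | ... |' rows; 'memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp')
are inferred from the page; SYSTEM_BINARIES is an illustrative assumption;
REPORT is a constructed excerpt reusing paths and hashes from the listing.
"""
import re
from collections import defaultdict

REPORT = r"""
C:\Windows\rss\csrss.exe
| MD5 | c067b4583e122ce237ff22e9c2462f87 |
| SHA1 | 8a4545391b205291f0c0ee90c504dc458732f4ed |
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
| SHA512 | 0767cba9f10154b4e28cf6a55b6fc827a96c4fbc88e2d67acd645a0a7a604a3beb63ea58d7febcf8b17de1ea3d2097e76ceac1b36b9fecf9a0945a31a9e211c3 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| SHA256 | a16dbcd03a7549fbaf7cad1bedd01dcb961a5d43c873f1d1a50892618a06662e |
C:\Windows\windefender.exe
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
C:\Program Files\Google\Chrome\updater.exe
| SHA256 | f91e4ff7811a5848561463d970c51870c9299a80117a89fb86a698b9f727de87 |
memory/3344-99-0x00007FF8F2F10000-0x00007FF8F39D1000-memory.dmp
memory/4460-157-0x00007FF8F2F10000-0x00007FF8F39D1000-memory.dmp
memory/3024-37-0x0000000000400000-0x000000000043C000-memory.dmp
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Illustrative assumption: names Windows itself runs only from System32/SysWOW64.
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "svchost.exe", "services.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_report(text):
    """Return (files, regions): file dicts {path, md5, sha1, ...} and memory-region dicts."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append({"pid": int(pid), "seq": int(seq),
                            "start": int(start, 16), "end": int(end, 16)})
            current = None
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # reject truncated/mangled hashes before they become IOCs
                raise ValueError(f"{current['path']}: {algo} has {len(digest)} hex chars")
            current[algo.lower()] = digest
            continue
        current = {"path": line}  # any other line starts a new dropped-file record
        files.append(current)
    return files, regions


def cluster_by_sha256(files):
    """Group paths by SHA256 so a payload written under several names is seen once."""
    clusters = defaultdict(set)
    for f in files:
        if "sha256" in f:
            clusters[f["sha256"]].add(f["path"])
    return {h: sorted(p) for h, p in clusters.items()}


def masquerade_hits(files):
    """Flag dropped executables whose name or location imitates a Windows component."""
    hits = []
    for f in files:
        path = f["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in SYSTEM_BINARIES and not path.startswith(SYSTEM_DIRS):
            hits.append((f["path"], "system binary name outside System32/SysWOW64"))
        elif path.startswith("c:\\windows\\") and path.count("\\") == 2 and name.endswith(".exe"):
            hits.append((f["path"], "executable dropped directly in the Windows directory"))
    return hits


def region_size(region):
    return region["end"] - region["start"]


def shared_regions(regions):
    """Identical (start, end) ranges in more than one PID: usually a shared module mapping."""
    by_range = defaultdict(set)
    for r in regions:
        by_range[(r["start"], r["end"])].add(r["pid"])
    return {k: v for k, v in by_range.items() if len(v) > 1}


if __name__ == "__main__":
    files, regions = parse_report(REPORT)
    for sha, paths in cluster_by_sha256(files).items():
        print(sha[:16], "->", paths)
    for path, why in masquerade_hits(files):
        print("MASQUERADE", path, ":", why)
    for (start, end), pids in shared_regions(regions).items():
        print(f"shared 0x{start:X}-0x{end:X} ({end - start:#x} bytes) in PIDs {sorted(pids)}")
```

The hash-length check matters when a listing like this is pasted into a blocklist: a SHA256 that lost a nibble in extraction silently matches nothing. The shared-region output for the constructed excerpt shows the `0x7FF8F2F10000`-`0x7FF8F39D1000` range in both PID 3344 and PID 4460, which is a reason to look at the per-PID ranges that are not shared first when choosing which dumps to unpack.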