Malware Analysis Report

2025-06-16 02:13

Sample ID 240124-qxyt6abffm
Target file.exe
SHA256 9587bda655a2dc730e4bdbd7de5ab39bc37de697fe22f449a6b2f851adaedfb8
Tags djvu glupteba smokeloader stealc vidar xmrig pub1 backdoor discovery dropper evasion loader miner persistence ransomware stealer trojan upx dcrat infostealer rat rootkit spyware
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10
SHA256 9587bda655a2dc730e4bdbd7de5ab39bc37de697fe22f449a6b2f851adaedfb8

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Djvu Ransomware
DcRat
Vidar
Stealc
Detect Vidar Stealer
Detected Djvu ransomware
Glupteba
Glupteba payload
SmokeLoader
xmrig
XMRig Miner payload
Modifies boot configuration data using bcdedit
Modifies Installed Components in the registry
Creates new service(s)
Downloads MZ/PE file
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies Windows Firewall
Reads data files stored by FTP clients
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies file permissions
UPX packed file
Enumerates connected drives
Adds Run key to start application
Checks installed software on the system
Manipulates WinMonFS driver
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-01-24 13:39

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-01-24 13:39
Reported 2024-01-24 13:41
Platform win7-20231215-en
Max time kernel 0s
Max time network 147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detect Vidar Stealer (stealer)

Detected Djvu ransomware

Djvu Ransomware (ransomware, djvu)

Glupteba (loader, dropper, glupteba)

Glupteba payload

SmokeLoader (trojan, backdoor, smokeloader)

Stealc (stealer, stealc)

Vidar (stealer, vidar)

xmrig (miner, xmrig)

XMRig Miner payload (miner)

Creates new service(s) (persistence)

Downloads MZ/PE file

Modifies Windows Firewall (evasion)
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard (evasion)

Stops running service(s) (evasion)

Modifies file permissions (discovery)
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

UPX packed file (upx)

Enumerates physical storage devices

Checks SCSI registry key(s)
Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Creates scheduled task(s) (persistence)
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe (evasion)
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses
Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2468 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 2468 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 2468 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2468 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 2328 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2468 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
    "C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Windows\system32\makecab.exe
    "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240124133917.log C:\Windows\Logs\CBS\CbsPersist_20240124133917.cab
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
    C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\rty25.exe
    "C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
    "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\nsd3065.tmp
    C:\Users\Admin\AppData\Local\Temp\nsd3065.tmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
    "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
    chcp 1251
C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\cmd.exe
    C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
    C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
    "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\schtasks.exe
    schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\9444.exe
    C:\Users\Admin\AppData\Local\Temp\9444.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\explorer.exe
    explorer.exe
C:\Windows\SysWOW64\icacls.exe
    icacls "C:\Users\Admin\AppData\Local\c6e7c00f-ed4f-4baf-a3f2-09f2ad2653ec" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
    "C:\Users\Admin\AppData\Local\Temp\ABF9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
    "C:\Users\Admin\AppData\Local\Temp\ABF9.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\conhost.exe
    C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsd3065.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
    C:\Users\Admin\AppData\Local\Temp\ABF9.exe
C:\Users\Admin\AppData\Local\Temp\BA0E.exe
    C:\Users\Admin\AppData\Local\Temp\BA0E.exe
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
    C:\Users\Admin\AppData\Local\Temp\ABF9.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
    C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe
    "C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe"
C:\Windows\system32\taskeng.exe
    taskeng.exe {B155A781-7310-456A-A176-CCDE64BB8557} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe
    "C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe"
C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build3.exe
    "C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build3.exe"
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Users\Admin\AppData\Roaming\ggwvwue
    C:\Users\Admin\AppData\Roaming\ggwvwue
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
    C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
    C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
    C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build3.exe
    "C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1444
C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\schtasks.exe
    schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\explorer.exe
    explorer.exe
C:\Windows\windefender.exe
    "C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
    sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
    C:\Windows\windefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

Network


Files


memory/1204-195-0x0000000002EF0000-0x0000000002F06000-memory.dmp

memory/2496-199-0x00000000002B0000-0x00000000002BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 a46599fc261a24697975679e202bd703
SHA1 cfd38f691fd0be860a9629daa038e621fcf3fdd2
SHA256 aad77432f8be11ad7fe364c3f4de3a1e04dca57ac73fc174d31232ffe2b9fd4a
SHA512 62736745a43fd164266fa5dc09fa78ec6f10684f35bd8a84d3b5597ee8ca08b811f876aaa072aa617f06ef5b7b942f6f5e937609bebb10fb5e177ae935013e22

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 c70dcb42fb9c61fe21d4d18d41658e97
SHA1 17ed5fd2f6b426ebd9d8c4327bc663cc1b784fc7
SHA256 3f5432fa13e8b84bc283b2f13ee796ee13892dbfe317cd60ee927e5981e9e9f6
SHA512 383be85b7b32d56eaa7f04a4685bc78b02fb215e6e0ccb9505a176190b4e361d177a7ed862b4bc10da7aba07ff0f9a56d8b050356207d9e2c91d91273fda52ce

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 e404b4e07729b6ca7e422bffa4151673
SHA1 7f0402cf08597aa1426729b47943e0a4792259ba
SHA256 956cc1ff9b672293062856dcecaf1ce08a313c7d6eae5d57aea61fa3c4eafb4f
SHA512 34c4f524627016aa0746fb9519eee3b4e6cd823ec5097193f4752c0233d7651fbfb59e050382f092d82aeebfc333cb6ee029f2b2de1e30ea1bfa5fa8e25ac36d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 f469e3084fb0a4b03073a4db681efa44
SHA1 828fa36a3a8c8e91dfbb00e6c2e5e5d3c4a3eea6
SHA256 c56ff3aa9da4dda7696ff44c02b9d73321e6753eb1cdf0039f1a97dd18b2fbf0
SHA512 d17a892bacdc9d5e91d9dd3ca296846251b017d48c2547dfa49a2ef769100191bffacb53cc2d7ac2a11b090bae35b24102435cffb18c558d0d11c9a8aebbf0c8

memory/2708-219-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1a0fedcf0711f7bbd6e5412f2972f292
SHA1 111d00b6c0a5d6f377305138532eaaa3e250d556
SHA256 e30694c9cdc59347cf505f3085ff3823844013ec0bad1cd76537ee8297c36415
SHA512 430067599e8f295858a21e4d7ac5e14ea0ae41b1ae7da254440f767b728cab9a1ac15f154bdc6841c74c5d169aa96ff38136ffabd88473cdf16431a3be87c826

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 47a727f4af25d73fd184abf4625cbdd4
SHA1 2da5b0e14584cf3fb3f47f064bec64ea04d2d05c
SHA256 96f52dcbdeaece14228bde09a77313ddb6fccd639d2d1c3cadddd9305eded3c2
SHA512 52e4e9eab0b23366697d6980ccaf298f154509b60d5748bf8e29fd51df4b68a56885a2346ccdd8a931854af0c7ab388077af7a824ebc487620f0a3e650f2cf76

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 121cc42a218fe1856f3dd72720d3386e
SHA1 6a5ebba8c315f2ab12e349b2ca58008a2d4ddf25
SHA256 66174927bc4cb02b6139eb3e50b75a8e056c4682b2dbc2d8733ff7ff64b7b044
SHA512 f3ee67c55c254803b950f41beecd00587368624d0ccc8c33f24861e09fd12a1ca3d6189c7b8f168deb759b6765c865d36485470122fd05445dddfee42ca0a5fe

memory/2708-205-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2496-196-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e97a7c3986d9f31cc76cd6a2621295a5
SHA1 571bb242c362adacae47b7e2c470567db435066a
SHA256 a27ad4993442b6bb37096653af152790d7788dbefa2a32a5bfb2e3436a871caa
SHA512 6f20f703979f86abdcf8448bcddbf528812ae9c02ca70b35db4e2a468020abdda41806fce1da548acc4e3d2d966b2cd9d752d8eccab8c81fd3905965e51a96ef

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 8284f500f9614c164b79cc340c6b5091
SHA1 b1cb544115516b94a091ad7e205db61badc4d781
SHA256 37956bf11814af1c2cca2639e2b26fe31de3ce1753f3ce8255b48c1979f5c685
SHA512 66d1b9f29fe2a46cddfbdd39c5088c58aea3ad15a1d2fde0151fe877c9b0060bc07aa292ba5a40ff1d49b46071000f81ef80bc11dcee4d774f21a06f041b3ab0

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 7f158dc5b9befae7fe6b6416bb92eca3
SHA1 0ea23502d1e22c57272aa610597712b9131b77cf
SHA256 1c27a4bca469eb13bd747b79460fdea36643d8b8ba4f73daac685ff47c17e7ef
SHA512 4569974c8958ab920dfa59315cfe9972e1c99a33ffa64918e960011148df31e2bbfc302a60000b7e2b7797c7c28e376e830afcf5c047560b050be32f85c236cb

memory/780-273-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2748-306-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2748-323-0x0000000000400000-0x00000000008E2000-memory.dmp

\ProgramData\nss3.dll

MD5 ce8b54f4caac52d06e66848397699ec8
SHA1 db09a02ab5d663304175cea1c2b1efe47c7791fe
SHA256 cbd3db16e46fcb7f118b7c9f171f54edbf2bfef114ea6d01d1a2ef152ab809cb
SHA512 317d396d81fe81340096080f8653e31c49bb6757890cba62ed243162cad5b19344dc8ed733466b7073cda876df93bcdd37688289c5273b2c22000d75eb44e948

\ProgramData\mozglue.dll

MD5 b297b187364d6691433d3803f3cafec9
SHA1 e6a8126d3ad85c39a272db811592faeaf0f9d018
SHA256 089e45b33f2d753de45cd2218b38eb4a6f1b36ceece42a3f278f013bee2e12c1
SHA512 7dfc5593018f6cb91815b08f7f34834545c6b956cc579c0fad7b71a92ea4146776b46e09b41940c8eaa23c20a5500285ab0d9a16fa2e440c1de8e808f725b298

memory/780-342-0x0000000002CB0000-0x0000000002DB0000-memory.dmp

memory/780-341-0x0000000000400000-0x0000000002B13000-memory.dmp

memory/780-343-0x0000000000400000-0x0000000002B13000-memory.dmp

memory/3068-348-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3068-349-0x0000000000E90000-0x0000000001288000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 4fe7bef521345515a1a3e94fa4a25c3a
SHA1 081fe1bedaabd9586b4c3af635814de71d41467d
SHA256 c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4
SHA512 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

memory/780-355-0x0000000000400000-0x0000000002B13000-memory.dmp

memory/3068-360-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3068-361-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9444.exe

MD5 85e6dbbacf79fd77cca43c81d7baf75a
SHA1 f9fec092f8d9ec6a7247b2b8c8de8797cabb16e7
SHA256 ee10c3061314cef86c7e9ab66b93e76216e173d94be2a0d5f0d127cb62a8567f
SHA512 8539e9e9f5acda584172400904ad0339ea1ffe8ee649a780bf4ef37e7d144440fe5ceb860f05d129aa0f926b3b7856554816e2f29a4214337c3635c24c0b3026

memory/2188-369-0x0000000002C10000-0x0000000002D10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9444.exe

MD5 e1d888f2375f59648b2cd3341e3da2f1
SHA1 6895e805b3f90c29191c331dd8a57caa123a3ec6
SHA256 72e962bf981ecd0908dbeb52b59604e9b47b2582789402e7f2a2ab26f32ed016
SHA512 73f681f49bc60f709a1bf30ff517cb41f031409208ce16fb640c662bb0371071059d4b8c17fdf08e3b38de982ff8887294a93602637d2c33f939de2a0b0c180b

memory/2188-370-0x0000000000400000-0x0000000002B13000-memory.dmp

memory/1380-381-0x0000000002820000-0x0000000002828000-memory.dmp

memory/1380-383-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/1380-382-0x000007FEF4E00000-0x000007FEF579D000-memory.dmp

memory/1380-387-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/1380-388-0x000007FEF4E00000-0x000007FEF579D000-memory.dmp

memory/1204-389-0x0000000003B90000-0x0000000003BA6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 a95122c245a5f92abc38d8d9ad2c62d6
SHA1 be0f68d8b1e4d7fd8dee3a1a4d0ff836f6cab054
SHA256 f703089ab9802b9257395c5e647110fa2d28d1a89f36f357c4c663829ef8d06c
SHA512 6e06dec365441f4d2103caff7e2d5faf690271c0bd7ccf26d175dd06d667bc21b49a6887eff99f313c481af431272b9a74b97ae35c663ee58089d8968d430709

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

MD5 112fe10d876b2fa8e35808efd440a9c4
SHA1 c0363a1baf64438fc197d986ded51c3e486f8d0d
SHA256 8e7ac00831bb97d33646aa94a4b983d69690e71b0271abb64fe42466f5f8666f
SHA512 af790de15c59f81eed564c842d95859e88f9d7b4f87d28a6256982621da414f519c11aa9dfd3a3256bf85711ed9024ee1af2a1acdc0fb609e2f76820b907add4

memory/2652-402-0x0000000019F80000-0x000000001A262000-memory.dmp

memory/2652-403-0x0000000000950000-0x0000000000958000-memory.dmp

memory/780-401-0x0000000000400000-0x0000000002B13000-memory.dmp

memory/2652-404-0x000007FEF4D60000-0x000007FEF56FD000-memory.dmp

memory/2652-407-0x000007FEF4D60000-0x000007FEF56FD000-memory.dmp

memory/2652-414-0x000007FEF4D60000-0x000007FEF56FD000-memory.dmp

memory/1684-420-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/1684-427-0x0000000002B90000-0x0000000002CAB000-memory.dmp

memory/2964-430-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2500-435-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2500-439-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2860-443-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2860-446-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2860-449-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2860-448-0x0000000000130000-0x0000000000150000-memory.dmp

memory/2860-454-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2860-455-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2860-453-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 be58489a859dc6835482eaa4fc75fc23
SHA1 100bec0eff2639ef9658221fedd45d856f391572
SHA256 d2708f91832c6cdfc469c40a5b74a40d02a8c81004eec67240d6871a7fd891ee
SHA512 2eb88d9b28f0fa23e6c04e3f12104b56701cc82bc653c7bb758cd288abaeb4346d0ff8550894d0c9f24c9b8edd2178b60be2e8678735395056b1e47f758be0cc

memory/2860-447-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2860-445-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2860-444-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\c6e7c00f-ed4f-4baf-a3f2-09f2ad2653ec\ABF9.exe

MD5 d81b4ed00414d8803356564f7a500c37
SHA1 e3bc12387e639178e8afb2e23512e28032ce0553
SHA256 46e62bcc5a0487ce96bec3e4d1e633f0111d1a25484aa8e6db8f27d910630366
SHA512 2b008f305fd512d19eaf96ea6bffaa58fb650acdd74c7a506a39d1305152ca80654caa37f81c7d1a72eb02a1fddf45c2fc677d7b85093c3b2740a6aa302e3898

memory/2860-442-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 7ba8b8ecc9f145a3ed879b3996a23e50
SHA1 676cc0d7bf75dd0a471b1c27bfdfbf70de762e78
SHA256 cd09cfcc788fd13be9685ab6c3b0fa30467e02b22af04b93e2c29c1461d97101
SHA512 e53440676da6511bc9926512e4b5909266745b1132f20f0a8b72c5030b1232cacddb1e2749677a41dd690eb6e77166fbfbd6e40fd0f140f4749911a43e0644ef

\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 1d79fc3dbf4081ab4e8496eff92940c7
SHA1 163a7ddf25106486a5af31a33d88896764f5ca67
SHA256 aa11ab69d81380cf099ca82c38f256cea4783815051a8658688125d5b4ce357d
SHA512 68d06110e5001f59b2298cd92fd66b97944e1701900b7e2bb339137f91b5a9de8b6ffda73b593c3c1582a437f66fa53e8742b9f0686579af312044582124cea7

C:\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 0961a97198225171633a1965477da7a7
SHA1 4fe3902cc0c14bdab03479e088bc5d7e1572c98e
SHA256 aee950403e8b654b56d88c46e83af23f46324a2ec61548d7ad0068bd6987e490
SHA512 2b0a0edc56ed2479b57db95a4ddbf73b07c67449cafab729e8eae3d496b83392852aa2e15d87715bfe390bd65cb85f03353b3bd7cba47c2cf2a83c50017271ed

memory/700-489-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1516-481-0x0000000000320000-0x00000000003B2000-memory.dmp

memory/2964-480-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95bbbb086fbbfad82d2a99b5e158fa4e
SHA1 06a5d1f942e5c8149bc48cd36a0ca7f89f25ec22
SHA256 fa70f426af201cf8ed4e0034698eeef464705365167fbb695137d98549b1c0f8
SHA512 365ffe228aa49395abcba7df61e405add4eb97fa55ce4b1e0423e118c8272642dfc77b838735172e66d652d750d5b727df39e7ae6057e497db79dce06fdcbe4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 efa4b88e2d59d3346fa831f27046768f
SHA1 112077d5657b43f8db821e9d79b69649a5d236e9
SHA256 e98284629449afe65f682f73f6d1e6d78df677b8b9afeb8d4ad00317c1eee71d
SHA512 261ffe5e7febadf6476ba03e3a1076aebd425619176518419a7f110f6decc16d083d19fa7c98710d713542846fd0b0251ac5bf16e0ae7fce8a9ee234a89b775d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e24110bf91fff0e98fd55693d18aaa18
SHA1 c677f46891d4bd1c5c71474aa5dbf190d8f333a8
SHA256 5b950588d174b6c6519f8c741f0448a65e2b02d6f710e626f6c5ecb7bac9a285
SHA512 e8d9f2fd235045c19866a4d7e8e26c232ac4c908e763e39c31607c9e484b4a7b90c099ef488dfb4a988a7bdc1b36002d208a27bfa647da30808104c5750525f2

\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 dbcbf2340a5a06d5592f2c4463357152
SHA1 d6d5b7f58079362a544bc5bdfe315445aee5cf37
SHA256 355b575898ea3359fba4d6ea4fb13e2671614adda6f773f7cae3d68319e9a777
SHA512 baed06c6a6b48543ebf2392bbaa078f7c0d05f06267fb5168456789088f38bc875d78843a28c6e1f500901ce00b9ee48a0cbdd10d6c7bc9976cf678950dc8813

\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 5959cf1ae32157ab593daad91d71a680
SHA1 dc18d22c57c670051b1f2259bd12ede0bad9574b
SHA256 4dcc0cc6714ce63e3551ad945f90ee481b6a01686343a171872404c9c3046621
SHA512 cae7f06bc9e1f1c1c32c7e846060a86b45ffee7da565e44df5f118a32b7f68c22d5d960342901988bd972fb10fbfa971a5545c9c33cde482a13527285e05d267

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

MD5 f4ae4562d3de2f92238a5d2865546f51
SHA1 e7e6011e25412f5d94c0be9d9a2acd873070584b
SHA256 ac74a7d33bc996de8b1b167b7fb2cf55dbccfa737b8f1b2ae0c2fd46757345c0
SHA512 8dfd8fefd767ddde14e515e2a1f80d8acccf611468a5ea0475b5d6550ec339ff95f14d48509219703ccec635e948553b5265a547b962ca4a979d73d0a6df935f

memory/2860-440-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2500-436-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2500-434-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2500-433-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2500-432-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2860-506-0x00000000002B0000-0x00000000002D0000-memory.dmp

memory/2964-431-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 b83ab6b45eb5004a57423f7efbf9b3d9
SHA1 44b7ad0bc95db9e48917232f4ecf3ff23e24b1f0
SHA256 f975e603aaf1f78aeb8e4fadf9b65982b094997e072ba9aee52017f7623c7ffb
SHA512 d3c7934f606e2091e21b50908584aa2d13e9564ff1051237234e0fe618a04a1bcac64a1fb9b4039e0c0f3fb3834f76805c740d134692160348196743abd46613

memory/1684-426-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2964-425-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2964-423-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 1011556277271602ab033e2770184edd
SHA1 e9b81060dab5aa379acd4ff20e4a556c205d807e
SHA256 54de5992dbf4f14ca9a38c7dd65fc48f35fb4b526a06f6f95f6bd8b853581ec1
SHA512 3dab8e653a5e1f2ebaba29f553baf6595dc35688b3444274120e9ae5dca9f0adb3f19c9adb47ba31e06d5d238f0413458b23ac15b73bc7d6c551e3170a1ddf70

\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 543f79a517667eaa88d362e1efa3109e
SHA1 925199e78468469692d1d60681006f8d5e1ab5b5
SHA256 286b5901be69f92fd245f38e79098e7faf0ad5b6dc5458362206b3986e434093
SHA512 c80d44b9b1f207a2f7423b2e5edc9983648c4157df0e11b5f40c7e335fff0faa10c7f0795f998b408c9adfe0053f84cfd2445a6715a7758039bb03844c9478d1

C:\Users\Admin\AppData\Local\Temp\BA0E.exe

MD5 d88fc27afb5597607541f62fa87ac886
SHA1 a4c681c7ba469678caabcc955fecaebeeb2d8d97
SHA256 8582cc8b6ffa78a02a15b1b417526769065ebfb20b1e344c41bb2ca63356b375
SHA512 1b68ccaad954f2e3616892a1c1c2f2a7258ed6c9e727fe01f582b1c79c79db149f83faad419e567de179f1b664c24eb63e391883f375bcc8b3af38d0a953392b

C:\Users\Admin\AppData\Local\Temp\BA0E.exe

MD5 d9906fde00e2ca9a4cbeeabea0c2ba30
SHA1 3610288d2027518b030f5f2d9f4cc0dded32cf62
SHA256 27cc8186ef06302ed8b2a4d6ad350ae4486b5427a091bd03388cfdea0f89c9c6
SHA512 d5e690a23d762828a903a0b7b26f45010245ff2beb2a203e1f972ec003341bb4ac20e43ef5f39b8f59e2440f949a9a096a4e9a7888a4356930cd09191d1f7833

memory/1684-523-0x0000000000300000-0x0000000000381000-memory.dmp

memory/1684-524-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1684-526-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1684-522-0x0000000000530000-0x0000000000630000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 2d70d9b20fdef71240d2a1038ee647ad
SHA1 7697b3e6913d0c9b9b5fb4c68778d123cbaa10a6
SHA256 62dcc2d7f0fd960e5d52891e91c2e00ecbaf678312f4340d01e79f3f6f8ed2cb
SHA512 05c8a170c7bc6a7d43d8d74bc84b60c13264424f5a642295156260470e2d62bd729c1ec2a79f78df9ec560669db560f29e88d3b43ed7914bd30b8f8e33bf0071

C:\Users\Admin\AppData\Local\Temp\ABF9.exe

MD5 e7a6fcfbaad7673b1973c9f7e3e9bb14
SHA1 9b2545addb595d8e4d3e93e9320b833feb85374b
SHA256 6754321749b2dcb65da4da7bac0bfe4ea2229c83b89e35c7c447fb362a40c3f4
SHA512 83d6be03403ce2e4ebe985fd52420eb1d7552c31841ee8373411b55e00391562c52b80c3a3e8c460df6bc92cb376354c6c254c7d3b001ab586e6f9c6e88d6822

memory/2652-408-0x0000000001424000-0x0000000001427000-memory.dmp

memory/2652-406-0x000000000142B000-0x0000000001492000-memory.dmp

memory/2652-405-0x0000000001420000-0x00000000014A0000-memory.dmp

\ProgramData\wikombernizc\reakuqnanrkn.exe

MD5 e9bb19eeea62cc0f3ff752d5e9763be1
SHA1 6b17d8be8d8739f0455ea02188a433fd68238cf4
SHA256 7a5344eb8cf0fc5aa3cab909af3489492885532ca0e0cbf0c55120da0eb449af
SHA512 35d270b5cda712b27058a3b080e88dfe45e323485ec479a712389be8cef6974a5533e86191729db5c3f79e1b8e7a79d7a772ac1ee3d1cc544ecb0782582fdc1f

\ProgramData\wikombernizc\reakuqnanrkn.exe

MD5 e19f020a2cc69156bed0381e1b40385c
SHA1 00b85a086b162b8644a1cb69e4ca70dfdd308b72
SHA256 a7aa4a860f4ee75c244b2fc345c2e8d01df60224506b22792f609b63258c5270
SHA512 6955b893c814845fdb5a89aadacb838def9456b8a54e14698c3d5f73df73e7faf8c4f236d5601438773b46612e13f7eb81b23d6086db1ef1381aeca59661ea1d

memory/2188-390-0x0000000000400000-0x0000000002B13000-memory.dmp

memory/1380-386-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/1380-385-0x0000000002850000-0x00000000028D0000-memory.dmp

memory/1380-384-0x000007FEF4E00000-0x000007FEF579D000-memory.dmp

memory/1380-380-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

memory/2748-379-0x0000000000400000-0x00000000008E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 460c68a5caf5bf2a58f760f7bb03001f
SHA1 251863e2e4ccb114c8f8a4d81c73f6b3b2734fba
SHA256 b5e77785ee4c64abaa836307e1944243ae1b963044cbe7d7446df82eb9fa5c32
SHA512 1c5dbd3e50b7a8f7ad2112c1dbccac11210a9ee722df9c0e4020ab57b94e3621d90713c9a7de177f30dbe1a2a6055ab55db19cca7829d292354fbe6f3284f9c5

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2d642b7c4fa3cb8853bd3baa580532f
SHA1 055bea5c9b366d8ed7b965fc8b848a7c76116444
SHA256 ce1f7c4b5e0934eceb746999611bb029237b4c6516c7b3852bde2956c86e1d81
SHA512 21d1150fe48a449b138783f49bf11aa7e96138c51c918ff2eeae797897a22d6873b9000c3b79f3a78984717784b0b5b91784ec8190ea806223bcb052e5b9bd69

C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe

MD5 13d69f34800125487c3a12bdba22f188
SHA1 f281d9d54b401e00d788c223137292f8b83bc9ef
SHA256 eed40d0e6793c242dd36095ec2e709218cf2d547d5ce9dfe847a703a1d418181
SHA512 e42522f634997db2727b1d172a6e29301fb9d59250861ae43e917a5d327a9d8bac2ceb77d7b41b1752a38287c43f43f2af2500ca2d7e56f38a55b024de25ffbe

memory/2700-548-0x0000000000570000-0x0000000000670000-memory.dmp

memory/2700-550-0x0000000000240000-0x000000000026C000-memory.dmp

C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build3.exe

MD5 a9c9f737f06317c1520b9172dfe428e8
SHA1 840b9be8a7c0e2e6765957f6d25ad8eb083fc3d8
SHA256 fdbf91bc6bd988ee4653383a4f77565a4e7262e4ebf239b9fb730c2596075bf4
SHA512 671a5fccc45769f5fbff66d5aeb722d22bb789578a2461091451d2ebcc2d5d0ad0a4da4d7af8d692ee9ec97756b3d5e4a6d1b47c127b2b1f60b922ac77cc4485

memory/1732-582-0x0000000000400000-0x000000000063F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 0661c679ee1b5b440d7ce3f464c94c40
SHA1 f7c003fe03e14f96f5725aede051fac7e7c95a87
SHA256 669abf5f0f3aafdad4d026576ed7b96395c716ed0726a3e8e6341e90a38bb52d
SHA512 e9d5461cc7e7eddd55763e0fc07f5c18f964191c84ef238be395926b4389335089bea1de20218dd4eda0fb47f5475da13545ded824baf57ce136102e80e846ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f53a3cc0d6346f8595013293785674e
SHA1 8f85ed92796fc20a89167aa80b5bc4a6649184b0
SHA256 5f847ba726f40a739e264356fca90f40fb51a8601185913ee7e7afa9c43f9ffa
SHA512 cadc2927374ebf1a2f7e0b333493602e08644f512740a09b275379c3ebdfc4826562424c605137b4227088ab1325ed5b2bf284b0f41c96561a6fc2ffeed88618

memory/700-681-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2860-731-0x00000000002B0000-0x00000000002D0000-memory.dmp

memory/3052-733-0x0000000000870000-0x0000000000970000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-24 13:39
Reported: 2024-01-24 13:41
Platform: win10v2004-20231215-en
Max time kernel: 71s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

DcRat

rat infostealer dcrat

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

xmrig

miner xmrig

XMRig Miner payload

miner

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Installed Components in the registry

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D216.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ad444082-f4b8-4a6d-992f-793edc7f4d66\\D216.exe\" --AutoStart" C:\Users\Admin\AppData\Local\Temp\D216.exe N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A

Manipulates WinMonFS driver.

rootkit evasion

Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FirstZ.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\explorer.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Windows\SysWOW64\WerFault.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\timeout.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\cmd.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\explorer.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4256 set thread context of 4604 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\system32\conhost.exe
PID 4256 set thread context of 4364 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\explorer.exe
PID 2700 set thread context of 2780 N/A C:\Users\Admin\AppData\Roaming\tffiuru C:\Users\Admin\AppData\Local\Temp\D216.exe
PID 3416 set thread context of 5056 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\D216.exe
PID 1884 set thread context of 4572 N/A C:\Users\Admin\AppData\Local\Temp\F139.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D216.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D91C.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\tffiuru N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\tffiuru N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\tffiuru N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\Conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\Conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\timeout.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-492 = "India Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" C:\Windows\windefender.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{319BAB5D-0862-4549-BB23-7EA7CE6BBF04} C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{844CA259-0887-4B53-8236-91619C6B3C43} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\tffiuru N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\timeout.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmd.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4440 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 4440 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 4440 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 4440 wrote to memory of 1044 N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 4440 wrote to memory of 1044 N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 4440 wrote to memory of 1044 N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 4440 wrote to memory of 1968 N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4440 wrote to memory of 1968 N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4440 wrote to memory of 1968 N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3180 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3180 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3180 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4440 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 4440 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 4440 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
PID 4440 wrote to memory of 2832 N/A N/A C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
PID 3180 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp
PID 3180 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp
PID 3180 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp
PID 1796 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 1796 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3084 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3084 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3084 wrote to memory of 4492 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3084 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\WerFault.exe
PID 3084 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\WerFault.exe
PID 3084 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\WerFault.exe
PID 1968 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WerFault.exe
PID 1828 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WerFault.exe
PID 2416 wrote to memory of 4660 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\system32\netsh.exe
PID 2416 wrote to memory of 4660 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\system32\netsh.exe
PID 1828 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1828 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\timeout.exe
PID 1828 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\timeout.exe
PID 1828 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\SysWOW64\timeout.exe
PID 1828 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\rss\csrss.exe
PID 1828 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\rss\csrss.exe
PID 1828 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\rss\csrss.exe
PID 992 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 4672 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 2460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2460 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 4456 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 4456 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 4456 N/A C:\Windows\rss\csrss.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 992 wrote to memory of 1264 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 992 wrote to memory of 1264 N/A C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
PID 3556 wrote to memory of 2704 N/A N/A C:\Windows\System32\Conhost.exe
PID 3556 wrote to memory of 2704 N/A N/A C:\Windows\System32\Conhost.exe
PID 3556 wrote to memory of 2704 N/A N/A C:\Windows\System32\Conhost.exe
PID 1864 wrote to memory of 2460 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2460 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe
PID 1864 wrote to memory of 2460 N/A C:\Windows\windefender.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 420

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1968 -ip 1968

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1968 -ip 1968

C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp

C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 776

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1968 -ip 1968

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 704

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1828 -ip 1828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1828 -ip 1828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1828 -ip 1828

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 640

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\AA0B.exe

C:\Users\Admin\AppData\Local\Temp\AA0B.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Users\Admin\AppData\Local\Temp\D216.exe

C:\Users\Admin\AppData\Local\Temp\D216.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Users\Admin\AppData\Local\Temp\D216.exe

C:\Users\Admin\AppData\Local\Temp\D216.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\ad444082-f4b8-4a6d-992f-793edc7f4d66" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Users\Admin\AppData\Local\Temp\D216.exe

"C:\Users\Admin\AppData\Local\Temp\D216.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\D216.exe

"C:\Users\Admin\AppData\Local\Temp\D216.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5056 -ip 5056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 568

C:\Users\Admin\AppData\Local\Temp\D91C.exe

C:\Users\Admin\AppData\Local\Temp\D91C.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1056

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4128 -ip 4128

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 2372

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Users\Admin\AppData\Roaming\tffiuru

C:\Users\Admin\AppData\Roaming\tffiuru

C:\Users\Admin\AppData\Local\Temp\F139.exe

C:\Users\Admin\AppData\Local\Temp\F139.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1128

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3328 -s 6064

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 572 -p 4088 -ip 4088

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

(the StartMenuExperienceHost.exe / SearchApp.exe / explorer.exe triplet above is listed a further 9 times with identical command lines)

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1160

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1088

(the same StartMenuExperienceHost.exe / SearchApp.exe / explorer.exe triplet is listed a further 4 times with identical command lines, followed by one more StartMenuExperienceHost.exe and SearchApp.exe pair)

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
AT 5.42.64.33:80 5.42.64.33 tcp
DE 185.172.128.79:80 185.172.128.79 tcp
US 8.8.8.8:53 189.15.92.154.in-addr.arpa udp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 193.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 1bc4d571-1e5e-4b59-aaee-e325f1798a29.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 17.118.160.158.in-addr.arpa udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 server9.thestatsfiles.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 3.33.249.248:3478 stun.sipgate.net udp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp
PA 190.218.35.224:80 brusuax.com tcp
US 8.8.8.8:53 184.23.21.104.in-addr.arpa udp
US 52.165.164.15:443 - tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
RU 82.147.84.194:80 - tcp
DE 146.0.41.68:80 - tcp
US 188.114.97.2:443 - tcp
US 8.8.8.8:53 racerecessionrestrai.site udp
US 188.114.96.2:443 racerecessionrestrai.site tcp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp
US 8.8.8.8:53 cooperatecliqueobstac.site udp
US 104.21.9.132:443 cooperatecliqueobstac.site tcp
US 8.8.8.8:53 vesselspeedcrosswakew.site udp
US 172.67.222.78:443 vesselspeedcrosswakew.site tcp
US 8.8.8.8:53 132.9.21.104.in-addr.arpa udp
US 8.8.8.8:53 78.222.67.172.in-addr.arpa udp
US 8.8.8.8:53 carvewomanflavourwop.site udp
US 172.67.129.86:443 carvewomanflavourwop.site tcp
US 8.8.8.8:53 racingcycle.net udp
PT 194.38.133.167:443 racingcycle.net tcp
US 8.8.8.8:53 86.129.67.172.in-addr.arpa udp
US 8.8.8.8:53 167.133.38.194.in-addr.arpa udp
US 8.8.8.8:53 communicationinchoicer.site udp
US 172.67.216.203:443 communicationinchoicer.site tcp
US 8.8.8.8:53 snnclermontprojects.com udp
AU 176.97.69.235:443 snnclermontprojects.com tcp
NL 45.15.156.60:12050 - tcp
US 104.21.23.184:443 - tcp
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
DE 51.195.43.17:10943 - tcp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
N/A 20.114.59.183:443 - tcp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
N/A 20.114.59.183:443 - tcp
N/A 20.114.59.183:443 - tcp
US 8.8.8.8:53 - udp
N/A 87.248.205.0:80 - tcp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
N/A 104.20.67.143:443 - tcp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 188.114.97.2:443 - tcp
US 8.8.8.8:53 - udp
N/A 216.58.204.67:80 - tcp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 188.114.96.2:443 - tcp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
N/A 104.21.93.182:443 - tcp
US 8.8.8.8:53 - udp
US 8.8.8.8:53 - udp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp
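The table above mixes resolver traffic to 8.8.8.8:53 (forward queries, PTR lookups of peer IPs under .in-addr.arpa, and queries whose name was not recorded) with real connections, some of which carry no hostname at all, and it repeats several connections verbatim. Those have to be separated before any row becomes an indicator. The Python below is an added example, not part of the report or of any sandbox tooling: it parses rows in the report's own three-or-four-column layout (a subset copied from the table is embedded), classifies them, and derives the domains, endpoints, direct-IP peers and repeated connections. The NOISE_HOSTS allowlist is an assumption for illustration, not a judgement the report makes.

```python
import re
from collections import Counter

# Rows copied from the Network table above (a subset; the parser handles the
# full table identically). Rows whose Domain cell is blank have only three
# columns, exactly as the report prints them.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 stun.sipgate.net udp
US 3.33.249.248:3478 stun.sipgate.net udp
US 8.8.8.8:53 server9.thestatsfiles.ru udp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp
US 52.165.164.15:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BG 185.82.216.96:443 server9.thestatsfiles.ru tcp
N/A 20.114.59.183:443 tcp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
"""

ROW_RE = re.compile(
    r"^(?P<country>\S+)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})\s+"
    r"(?:(?P<domain>\S+)\s+)?"      # Domain column is optional
    r"(?P<proto>tcp|udp)$"
)

RESOLVER = ("8.8.8.8", 53)
# Assumption: hosts to treat as infrastructure noise rather than C2. The
# report makes no such judgement; adjust to local policy.
NOISE_HOSTS = {"stun.sipgate.net"}


def parse_rows(text):
    """Parse report rows into dicts; the header and unparsable lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def summarize(text):
    """Split the table into DNS activity and connections, then derive indicators."""
    queries, reverse_lookups, uncaptured = [], 0, 0
    connections = Counter()            # (ip, port, proto, domain) -> hit count
    for r in parse_rows(text):
        if (r["ip"], r["port"]) == RESOLVER and r["proto"] == "udp":
            name = r["domain"]
            if name is None:
                uncaptured += 1        # query seen, name not recorded
            elif name.endswith(".in-addr.arpa"):
                reverse_lookups += 1   # PTR lookup of a peer IP
            else:
                queries.append(name)
        else:
            connections[(r["ip"], r["port"], r["proto"], r["domain"] or "-")] += 1

    domains = set(queries)
    domains |= {dom for (ip, _p, _pr, dom) in connections if dom not in ("-", ip)}
    domains -= NOISE_HOSTS

    endpoints = {(ip, port) for (ip, port, _pr, dom) in connections
                 if dom not in NOISE_HOSTS}
    # No hostname, or the IP literal in the Domain cell: the peer was reached
    # directly rather than through a resolved name.
    no_hostname = {(ip, port) for (ip, port, _pr, dom) in connections
                   if dom in ("-", ip)}
    repeated = {key for key, n in connections.items() if n > 1}

    return {
        "domains": sorted(domains),
        "endpoints": sorted(endpoints),
        "no_hostname": sorted(no_hostname),
        "repeated": sorted(repeated),
        "reverse_lookups": reverse_lookups,
        "uncaptured_queries": uncaptured,
    }


if __name__ == "__main__":
    for key, value in summarize(NETWORK_TABLE).items():
        print(f"{key}: {value}")
```

Feed it the whole table and the "repeated" set is where to look first: the same (ip, port, name) contacted several times inside one short detonation is the usual shape of a check-in loop, whereas a single hit on a CDN is more often a payload fetch.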

Files

memory/4440-0-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/4440-1-0x0000000000B70000-0x00000000014B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 c44759d4de6ae6fb0e8a9f97cbc77c76
SHA1 04d35db6adb36d4de9238c8742a682442bb5c5d8
SHA256 956a64a630a21f51e799fb156d84d220c3f57b80cf574dce9f071d6cf3831e8f
SHA512 587b629eaad1b5a3a9da6e0d054fccbf26086631a822170ea118db31408ee4b0e6f2d64366f712be0c451ca54f28988b15f218c46b59d0d2b4bdcb60f0aa6c1d

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 be2b24cc36d5af4fa30b19a7d2c123a2
SHA1 311e1ee5bedb11eb422e40fbf2117344eec92c67
SHA256 42a9cb5e78a790e8cd6d313d034d5993702adc8524193190fb4d2aac840a6078
SHA512 04bf48606cad695649bfe7b0d0c609befe86ed89a71d265f3f7107ff5dd870f8eb71510a9ed52b3e536dee86df3434bcc4d8d60bcc0ed5c134a9c44b4a8ac0ed

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 4fe7bef521345515a1a3e94fa4a25c3a
SHA1 081fe1bedaabd9586b4c3af635814de71d41467d
SHA256 c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4
SHA512 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1548210955eb85eb6ab7c0acbb0e9dc5
SHA1 7d4ca037aabef29ae050901647035b8d7dcd831c
SHA256 d70e2faad95031607770eb2ce3a1e1550a824f36553ac0885b90bd014f6cba39
SHA512 b9c70138d92d39f34cf53ad3d6d76b7cd240e8ba0ea96845bc03b255a726aea2696e98a53369eca9ddfb6fca6162b4fe0dd5dd58b2197278055d65cf9078d3f7

C:\Users\Admin\AppData\Local\Temp\nsk46ED.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 8e9e53632a68149939724287033caf49
SHA1 fe8a8bed676a9cd446630410cd2cc5c869366472
SHA256 a2d6c0f818e1e3d4ca6ed17c7227cef2c6c0ae394f12fcd29e2d2543a7fc8eb6
SHA512 6c3ce0e26513a6c1e003708728036c8b87e0049e99c3f444e2c43d825cbef8c2dab5a4081f0723a23a82d5cdd4d74a6e5bcfd51e157593831733c39f58e3f904

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 8558ffd304c5b84d1d5d8ac83e3000d5
SHA1 6e73dc9a72ae2e46a735907f1f7cca5e5dea810e
SHA256 b1a2eadddffe5f5e209e791cf623ba551ae90e8611c8e8491e5b1a82d80ba226
SHA512 b499f68f9e1e7ef59ef3093fdbbc210c616cc4e638775ad57d884a64cfca8a2e52bb78e2b28e95a273ec2b88bcdde5fb139687d73cecc6c0963cbdb6852a25b6

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 416c86010c09fe4b9a27d9254e211a1f
SHA1 ba372d9ad6715848c1cf7692ff1236c212f847ae
SHA256 22085ff3e536acded0f65127d10233a67a17452b49ce05b30d9e50b77d415ff5
SHA512 d26696d353be55d254e2efbf0d8741c9df967c2c42cc4d44b518205685d295747524ffc8ebd9dc46d99965bda6e5d48e209b90c62576398d34694e0ad67130ff

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 b2024a23ab1c9252e4a8f7025e153bf4
SHA1 018a4132ff1f38b25f2760f786393248ac1c6b06
SHA256 315720e074330db5058b9796ca0218e87ca1807f1640601f1dbd6562d5afd856
SHA512 dd6e590cd908c7c1934436247f97d41325b7efd8fa696e6926d909a183966c225e602664a0c2401b226949d05fe5610894bc5d4f604efdcf2e9354d544ffbda1

memory/1968-60-0x00000000010E0000-0x00000000014DC000-memory.dmp

memory/1968-62-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/4440-61-0x00000000746B0000-0x0000000074E60000-memory.dmp

memory/1968-63-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 027683e722bab2e4377ec452629ad74d
SHA1 f59081a2f0fbcd58735c514df074f26cbd2ce014
SHA256 21c818b871eadd2c81f307df8f35802b2acdba13958153790e5b1d6bbd563c0c
SHA512 ead624dfc963f4152970102903b7f7482ba833dc4d1241fce6ee246e1c95de9014fddc0c0b9a08c799ac701f69a65ef1540c2fe32682003e73fa7db9915ad79f

memory/1796-56-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/2112-46-0x00007FF7E38A0000-0x00007FF7E38F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 a6fef0562abecca0d7b3567825ae5b99
SHA1 2fa30153197cf09fd9bc36a26c062ee69644be2d
SHA256 dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b
SHA512 7d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 3d497a2919d2e53ee408ac5984676eed
SHA1 51f93a7222ef01d9c808a1e04110a2a8ad02cc2f
SHA256 381ba45ff1a4be6e33a7e4a4bae61e8e9685b02e8079a0766cf674306618f7d2
SHA512 3606dd2d887c8934e1d90a544af5a2b682453e57080cf1e0cec2eda0f893c9756650cd5d07fba523e21c8e260a948469fa40058613180961321b8b60298604d5

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 5cac8c08924e6805b8b976e1a6c1ddd3
SHA1 4ba4d400cab5ccfe4efc2d99789270733cbd078d
SHA256 a49338a38a7702ad6cef0019f1795965088b824dfdafaf87985bd6cb4659d4a2
SHA512 b2e807627f4f9fd976a21985408f3b9e4c21dbd0168310fad35afed09f578fd03e5deb72618bdf77058ab1bb6332468bc3beb9530d9b91bd3558caeb6fb2eec9

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0ff69fb6975af6a20508a93692b9d35c
SHA1 42bcbb527ab8f847219c1d90044c6e75786c5b1e
SHA256 b0685c3314ab8cc0fece3351b2348d705726479af5855d71bf37a31116481b1b
SHA512 eaf82efa815c165187c1e01fd2a9a34219de6cefeab8a93876fbce5ffbc96b9e44e71d6543c82026e79ea575468f65b01916a1b1235b9313c470b4fbc612f9bd

C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp

MD5 b0f1006801c660b9a1325c74a4fd5a66
SHA1 fcc11968935031574d7608510843c304906b3d4e
SHA256 efcb219a54fa8709e0beec5ec8d3d996fa99bc00015b1adb5a0187e2ef941231
SHA512 d616e4106c0529fc17d4fbec3966a46a40d2454c6a1e7a8e53158fcacf542a44785f36bfd0f6d4aebbd4f82abe1330739e3763d62b885e107c0a9463d291218e

C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp

MD5 c00e84215fabb2bdbd401b84ee2ca5ca
SHA1 b96cae5127b50a2cb411df6d01ba21e4e0db44dc
SHA256 5c9fe2ee1ff6e0c06eaf17ad7dd2ad1a34d6f91f0d3c6b89d3f2bdb64fe25be8
SHA512 f76555b7188799ea8bde8e6e24ff1d8130ea9d57758f5e0d3ba52d9e9192d32a91a79e625c8491bdd2bfeb10ef53d9898d75cd7246dadcefa2d4c0100a5f482f

memory/4128-77-0x0000000002C10000-0x0000000002D10000-memory.dmp

memory/4128-78-0x0000000002D50000-0x0000000002D6C000-memory.dmp

memory/4128-84-0x0000000000400000-0x0000000002B13000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/1044-25-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3728-86-0x0000000002FE0000-0x0000000003016000-memory.dmp

memory/3728-90-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3728-91-0x00000000056F0000-0x0000000005712000-memory.dmp

memory/3728-89-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3728-98-0x0000000005F30000-0x0000000005F96000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lmgfnya2.dk1.ps1
(written by PowerShell itself at start-up to probe the script-execution policy; it marks a powershell.exe launch, not a dropped script)

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3728-103-0x00000000060F0000-0x0000000006444000-memory.dmp

memory/3728-92-0x0000000005EC0000-0x0000000005F26000-memory.dmp

memory/3728-88-0x00000000057E0000-0x0000000005E08000-memory.dmp

memory/3728-87-0x0000000073D60000-0x0000000074510000-memory.dmp

memory/3728-105-0x00000000065E0000-0x000000000662C000-memory.dmp

memory/3728-104-0x00000000065C0000-0x00000000065DE000-memory.dmp

memory/1044-24-0x00000000004D0000-0x00000000004DB000-memory.dmp

memory/1044-23-0x00000000004E0000-0x00000000005E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 a404b4ae2513376edeecb59baf5dbedc
SHA1 afe29cbc40a9699eda7b325db21a7b04e8f25b08
SHA256 067d015fdad95156df5b6d9fb0a61c2b3eca6a4984c05d3dc167dc2a1b438f3a
SHA512 744775d54bc9a34fb543934cf45c9f71560b78fe12c4dbb2460a70c22eaffebf2f1308f2a64c767f92a1e402c01dd5332347a736335c45083b0501dab3c89274

memory/3728-106-0x0000000006B20000-0x0000000006B64000-memory.dmp

memory/3728-107-0x00000000076C0000-0x0000000007736000-memory.dmp

memory/3728-109-0x0000000007960000-0x000000000797A000-memory.dmp

memory/3728-108-0x0000000007FC0000-0x000000000863A000-memory.dmp

memory/3728-112-0x0000000071530000-0x000000007157C000-memory.dmp

memory/1044-124-0x00000000004E0000-0x00000000005E0000-memory.dmp

memory/3728-127-0x0000000007C70000-0x0000000007C7A000-memory.dmp

memory/3728-126-0x0000000002F50000-0x0000000002F60000-memory.dmp

memory/3728-125-0x0000000007B80000-0x0000000007C23000-memory.dmp

memory/3728-123-0x0000000007B60000-0x0000000007B7E000-memory.dmp

memory/3556-128-0x0000000002EA0000-0x0000000002EB6000-memory.dmp

memory/1044-129-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3728-132-0x0000000007D80000-0x0000000007E16000-memory.dmp

memory/3728-133-0x0000000007C80000-0x0000000007C91000-memory.dmp

memory/3728-113-0x0000000070CB0000-0x0000000071004000-memory.dmp

memory/3728-111-0x0000000007B20000-0x0000000007B52000-memory.dmp

memory/3728-110-0x000000007F4C0000-0x000000007F4D0000-memory.dmp

memory/3728-134-0x0000000007CC0000-0x0000000007CCE000-memory.dmp

memory/3728-136-0x0000000007D30000-0x0000000007D4A000-memory.dmp

memory/3728-137-0x0000000007D20000-0x0000000007D28000-memory.dmp

memory/3728-135-0x0000000007CE0000-0x0000000007CF4000-memory.dmp

memory/3728-140-0x0000000073D60000-0x0000000074510000-memory.dmp

memory/1968-142-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1828-145-0x0000000001160000-0x000000000155B000-memory.dmp

memory/1828-147-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3172-150-0x0000000002160000-0x0000000002170000-memory.dmp

memory/3172-149-0x0000000002160000-0x0000000002170000-memory.dmp

memory/3172-148-0x0000000073CD0000-0x0000000074480000-memory.dmp

memory/3172-160-0x0000000005AE0000-0x0000000005B2C000-memory.dmp

memory/1796-146-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/1968-144-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/4128-161-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 2b112a6d732f1262b4a2ef16e776d687
SHA1 300fca0505089ccaa5f54a46926a1878c2c416cc
SHA256 903e2c86b85620c74466d1725c8aae91d010cd2808e79c88f8b4e7955ea92834
SHA512 822e34171be8967f91e1e81ba81d684156e1d98fedc338b5962316177e68cfb1c81076a06e221ef6071d47090949556604faa8997574e24d9633773301b5e46e

memory/3172-183-0x0000000071290000-0x00000000712DC000-memory.dmp

memory/3172-184-0x0000000070CB0000-0x0000000071004000-memory.dmp

memory/4128-194-0x0000000000400000-0x0000000002B13000-memory.dmp

memory/4128-197-0x0000000002C10000-0x0000000002D10000-memory.dmp

memory/3172-198-0x0000000002160000-0x0000000002170000-memory.dmp

memory/3172-196-0x0000000002160000-0x0000000002170000-memory.dmp

memory/3172-210-0x0000000006FA0000-0x0000000006FB1000-memory.dmp

memory/3172-195-0x000000007F080000-0x000000007F090000-memory.dmp

memory/3172-217-0x0000000006FF0000-0x0000000007004000-memory.dmp

memory/3172-220-0x0000000073CD0000-0x0000000074480000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
(the systemprofile path under SysWOW64 means 32-bit PowerShell ran under the LocalSystem account, not the logged-on user)

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/2888-225-0x0000000073CD0000-0x0000000074480000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a07e733175a0afc9581f7d740a49d472
SHA1 029bb70c9aba25e40bed592a72dcadb6b4b87363
SHA256 d0176ded22eb1d335e53629cb85c2687d9749e115d43f3d82a1206b57202d9bd
SHA512 34ab6de145850403753e7d14bdfa40072982ddbaba3d88e07cdd9a59d16afc42a33468124049701787f5969d561017f5128d6d9a81a6f9dabcc2f24497954dbb

memory/1796-241-0x0000000000400000-0x00000000008E2000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 96afd9dfaf2c7ff2a178b7f346e4bb4a
SHA1 197e28f1aaffd4be5270db8046b74f9674748d44
SHA256 c1e7795b77cc1504d75f8a87afb4a96f65b41257bfab2e3332ae491f3436b0b6
SHA512 526aa21c79e05374bdb2aa5681773b646dc90d2ba341f9aebafa254edd43b6bcdd6ff5611e0d5d22e955e5937aba059ee551169774ba5cb5584b3033dd4ac18d

memory/1828-291-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe
(the legitimate csrss.exe lives in C:\Windows\System32; a copy under C:\Windows\rss is a name masquerade, and the path itself is a usable indicator)

MD5 029952378098bebba76cbacd56ae5536
SHA1 69ce96a7f4e053a118062ca9b57f216b2dc7e49c
SHA256 953f32f2f5a0d7d054f28a1bca90de11e17976a1fc5980651bc6b895205422c1
SHA512 64bd6611be621435bb49cdce72aa389cabeef9aad43c5446440c316944669e499225fbd87fa21a79cb9c872bc420f0d427afe3536dc6c68340e79569b3c8a2b8

C:\Windows\rss\csrss.exe

MD5 e3c0646fe55c80b142f372d8b2e8f4b4
SHA1 a8fb3a88eda4804a38fad9e65e58efc8c7bb5c10
SHA256 5e3a65bbfa34abc775ebe8edb9006e7406dd1651fe01b6671f890d31b2bfc0ac
SHA512 1800d8c8fbd3b1012f65bbb80551e4ce46d50fb08362691ad8e37cd9761b23bd60754f8cd15439006eac06f30df1e7a668bbc9db4d24de2edb3951f2ba8507ed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3eae62377debb55af2b61f73e1598110
SHA1 162868a11831c00d2e968dcb9e4f89fb365d830e
SHA256 7fda39192a02e370770edc1ce889f6459fc0f7179a4f4c80139738e2e635cda0
SHA512 1bfca5a95dc586b8166fcd706d0024d7627a5104278d571c9d28fad40dbb5c66014a4d23524dea3fbae20646774e4d48bd797ceffaa8b0ce0c967fcd8aaf3aa7

memory/4128-293-0x0000000000400000-0x0000000002B13000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3e5ebd1220679a9073557b5eac36f27b
SHA1 2d6f411e8c5a4522b2e8a98af21855e7d782df84
SHA256 d77bd28955b5bd3255713b54ba0505c96e4d604758f816608ba9924ca19da0d1
SHA512 0846e2e66f5696a25af6920aa626c760353669fc976f7c9bba2bbd8d963066e263a5e6235ba301f09aaee67c977b6d350cba7c086790ac7bd02f1a0f108bc5a0

C:\ProgramData\mozglue.dll

MD5 dc10598651f34fa66cc960426b75addf
SHA1 34185a08319a9e85a27b1049ed2e180eea3dc1fa
SHA256 4f81550500e70bbc82e159ae30f6c36cdf77c8fce8798c2115d2f1009c8c728b
SHA512 957d8fc399e2a80e8543948512c4bdcb2bbb8ad9da8db48caeb2795da0d7301dd5e89565b1fb9ab815f999202dcf96cd42679ba835ef7407992676cec74b0aec

C:\ProgramData\mozglue.dll

MD5 df76ce8699fed75b7a3426eebf580127
SHA1 290214b2cfd15afc810f4cd55c87f885033702dd
SHA256 1681e9a60e272057441a8546fc41a0bc14a877fb011d1d1ebf9a1b6afc68369b
SHA512 71d34e5e4b11c9c5b93b62eac084cd10c1782b7bc3b595c3a2fb79d0c9fa2d3801ccc0e6f2728a3252502f96de8fcb7870e9a6768270e1c65c6c008ba797b6a3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a77b47df0bf41b18c94d22142f09a768
SHA1 82eb0e395a656de01f538469f68ffc71b50d8809
SHA256 d95c75ffc851636f1dcbf8fd0b4bb7c49fc0e4204063b91727f8ad2a6586faa6
SHA512 341ee879d0035a399e364addd96832e6a93f874a715d9713339d7196c298d2d31b10b62b1b9c763ec17385a676cb8486470039f7fabdb8cf8ec0b4c04c4f34c2

C:\ProgramData\nss3.dll

MD5 5897931be7c71ddc241122cd20518654
SHA1 e3a5456f9c933aa8979b829681adfb4d4eedc016
SHA256 ee3de93e66cb39c0ccc31fb9692588cc8d7a9b2124e2899a832fb428002bf3f9
SHA512 1d742a2b15f226cf06802978652f0da6a96a0b3dae99d0485c57bb82387e62e244d9129a03a22d421c9966a78440efbbc4401c3334f399cd94b83810188de316

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 739bcb3bf50d886d959f622d46ba495d
SHA1 d177cf5fc654a0707aebf146883d7ff874b20258
SHA256 6fdc820c2abb1082c4d05c0e27e2c4c6ec7ac7c30ff703562ea749e0c4b91690
SHA512 62657ddeadee9786ecdb6c045587affcb09d3512b6c96670bdf9b084740b50abf4bae40f79a5a1d3aa988e90401a86923868d14ff7b487d585ad51f3c92f95a9

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 2fc16440056599d85ef09e0ee6ff8a47
SHA1 0e2cfcf11cbc2e98199ffe7be977d6e52dfbf7b9
SHA256 1b1d16a935d0a1bd3359744f4eabdaf43b82404a719bacbd9066e4da8a71b409
SHA512 2a31ca4e391a6f0e2bf335c3a337e76128f4160f0d68d22b46b6e324d9fc6bd10ba5d51dec26a7b66e87978183d3f9cc137161d923454d1f18124ecbc1126753

memory/4128-419-0x0000000000400000-0x0000000002B13000-memory.dmp

memory/992-423-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AA0B.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of zero-length input: this entry records AA0B.exe as an empty file; the next entry for the same path carries the digests of the populated file)

C:\Users\Admin\AppData\Local\Temp\AA0B.exe

MD5 214239b86357459322e74fdb57ce4cce
SHA1 13295cd242eafeb39f4970918f74a046415ca581
SHA256 0a05ac5c787453db65a62ea4987fc1cb47eb386187bfb14eb3565e6a2ede4605
SHA512 3af02d1a9d31171beb23807f213d2f859404b46d6ec7d6adba0665eecfd37a4391c1f41db3ee16b76bc6ca394af9943802ffa914d9f385b654191bf2d4038f07

C:\Windows\windefender.exe
(not a Windows Defender binary; Windows ships no windefender.exe, and Defender's executables live under C:\Program Files\Windows Defender)

MD5 efc594d9dd5875e450e02ce537701b8b
SHA1 1aae704603c1b579106bc9540e729e3537b53c29
SHA256 770be8ecb4ea28c837a972bca2d0fdf0375f2713026f2c8a2c3d90eac7f863e9
SHA512 ce9a804e2b533fdeb60d0a4284cb17e2fe1c2f701da466059c0da6c0b559182ac394f356f1ccb9ffe6499aeb0fae0a112e1db7a120e8a25af48cef80a6557fe2

C:\Windows\windefender.exe

MD5 66f7e843bd0fee8eaab53f4ae38450f0
SHA1 e4f46ae90c18182ff51a12a0b798c89ad041a897
SHA256 8e83b652e01ad10dc021e7d2cd9a61f2254b8d9338c346c9040dbff1d4d46c2f
SHA512 951fa3fdf024cf907a28b5317761770839118c8975cea1aab1eef79aeae9f260a2cbf7bb829a5f94c5830fe9ad5fd7745fef20d7f5bcbe3338660e3000d0fdd6

memory/1864-437-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 26f07fba3fb0a7a3f50e538e5c6b078c
SHA1 ca6f14720bcf080a0784e79002b43b1aae913a0b
SHA256 84bd558c894b3849ec28a59774022e188240277ebce74824913f81a4c13cc9e6
SHA512 8bf3708a6f1eb9c2b3d55c675e92f76e8723cb9ccff2b98241e578299d970dd9219146e272e7c2f5052c1d0cf9583516af3691245b3eee689e710e8993c07a5f

memory/3556-440-0x0000000007BC0000-0x0000000007BD6000-memory.dmp

memory/2704-441-0x0000000000400000-0x0000000002B13000-memory.dmp

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

MD5 f8e493230d71938f88d66332848bb073
SHA1 d22317e61922e6207f064a8cae23709fb61ea1dd
SHA256 5a5bd560d0f7fc62141a60e124a7b8cd0130ebdcaa820fe523cd7979a2a3636f
SHA512 ce301f7eef53afa5d6ef5a9cbb602e50295b29ca9c7389aa5f49c18c5bf41577939ffdac9d6ce7b80045804d09f74efc71a2fbd35439c557182893b42db95fcc

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

MD5 0d64d3dcbc327c908a8e5d673f48d9fc
SHA1 39120b24a10e5c466f63121c7ffecec0d7d16fe0
SHA256 18b1d3b797f5d432587bf03551e84490a1619c5f8d596ecca7bdbf58af1ab1a7
SHA512 a88f591fa056c00a15c761e10ca0646facf14a7e9b6117b340c3da03aa780202e3ccd1b3da583ce0e8d656871027b7c56a8c28d2dd7cc8e73133fd6b17e486e0

memory/992-499-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4604-504-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4364-515-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-516-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-517-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-520-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-522-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-523-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-524-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-521-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-519-0x00000000017C0000-0x00000000017E0000-memory.dmp

memory/4364-518-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-514-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-513-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-512-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4604-511-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4604-508-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4604-507-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4604-505-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4604-506-0x0000000140000000-0x000000014000E000-memory.dmp

memory/4364-529-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4364-530-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D216.exe

MD5 df4153719bf93cc3ef7d3934fe75d815
SHA1 d929cacc16bfcd227c7458fd940eddcaac1553c1
SHA256 0fadd34aa822d465c602a94722aa35556f064cbb69efa44e77ebfe07e79387ca
SHA512 1f8847a341b27a79822046ebff66cab820a3ab59c76dc0548ef8b94ba2203583a6fe88dbd639e93888acfcf1e4918bf8ec7321f49e88fc2738114a17ba57dc62

memory/2780-541-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D216.exe

MD5 3d5860ff13b28a66dd4cbc3bdfa59323
SHA1 f5f60293fefc60cced423a1c61506d926f0644c2
SHA256 3836672bd9458807f12f7fcf462bf92a0b0e2c9848692b94e1c85578ff6a7296
SHA512 affd16034a94cce2c626d685273a4ecff555f384542bea7291758446e85c253d468e09d4e6395bb878a829e0c87a502db2c98a2ee72a4982300b1bf158410aa3

memory/2780-542-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2780-539-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\ad444082-f4b8-4a6d-992f-793edc7f4d66\D216.exe

MD5 09acd913007535d86da7019f1318f7c6
SHA1 86bfd0a3356ed1e5e6c1366cf2a7cd54f4ad7b73
SHA256 101deb9c762d69d4226c96ad4092ddff8fc5c54a931cebffd8814d26889e0bc7
SHA512 1ff2a39f45b50cb0123807407da021752faef8bef382d07a5c01b7483c403c28bcffbfd8d3345a2495238474a1a0cc36fc4ea1006cda2e8e06d84655dfe15d48

memory/2780-557-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D216.exe

MD5 f7b3b2856fadd7409aa8a475d7214647
SHA1 48e34f6198d8833313c86bf96b49210681f0d582
SHA256 475a5dbc82008cb8a37eb562ddc4d366bdd15aedce311f3f81dcd6a2d747f7f5
SHA512 d2d973bb1a5c2c3564e8175c4e31ddda3a706da607e2cdb26dec377aff1a10fa8998ab6a39d4b2ecc8940c1118c35d938b2d90835e8c0de25b5df456ff7e2295

C:\Users\Admin\AppData\Local\Temp\D216.exe

MD5 048c672b47545cb53cde88463cff9e8d
SHA1 a7202603189c11a7b4161f44959a260d14a802df
SHA256 cfdc20f363e5355b39e397b848359bdf2ddf679d7a0d6837b9d2ba85b42e43bd
SHA512 eba7c49471bde93b997d9a992ff72bffe66dc5e6bd6e22155e40face33b3cc869b8cc170276449a50e474ed9db87e93b76c3fe9ead91419235f077cae92d1009

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\D91C.exe

MD5 7b08adfddb5e328bb58b6959705cf679
SHA1 4fd1e84403e024a7399372a620eee253b4c8db19
SHA256 a18a0bc0ff8dc32f14b55a399ee043a223d2d4532d2404af585fa09adb046ad6
SHA512 12b593c28570e20920a67c3ec021601030d2aff295164387095afcfc620b9a1a05cd2f13d8808da0830c0cb11e06a589b8f61e1bd59f8a83da87f0434f92a162

C:\Users\Admin\AppData\Local\Temp\D91C.exe

MD5 3cee442c6f161beb2d95c3165d2df5f2
SHA1 c42c51b040553315b635bfe632d998d9ef4fc8a0
SHA256 1d84cf47490d22c25d2bd5180fa4058298cb52339aed3466f7318d2d56dbb3b1
SHA512 d8f4cdf5399acc2b00864d4466634c83507e76b914b6591e82275f46ba9fdcbf096034dbee4ac8f416ac3216c4d5937260a10cdc6f7649ec9835ab9e5af37850

C:\Users\Admin\AppData\Roaming\tffiuru

MD5 c7fbc8d52e8a443bce41c27c7f8c9d67
SHA1 44f73eb8b67d2d0413bc10d0d887d2f3430b09c2
SHA256 802849a54e006d1d46be18a9488d103b2e93ffc9f52c9338682152272420a6a7
SHA512 8d7d83fed99371939d263b85b96eb2cf7069754647fc805c1ca7c498bf73e45c32d718a90c399dcd9eb7482b60193f01d53ef4025a047ed70c72dbbd0197fcff

C:\Users\Admin\AppData\Local\Temp\F139.exe

MD5 545659831744d6fc9a9693cea0399ccf
SHA1 c6e3764cb67e4ce16a25eaffa6317ad38134b694
SHA256 c70ec3a2fb40276d83d3dddd69a7c98ff2b7cca7babb88fbc18be32656edc13d
SHA512 29ca4ba9efeec532afa0f999820c655ab6cd5de2f2d47b826d2000f6f399e307f727450af9d876585bbb723733828d252ad58d1720610921db99f70694eaa9a9

C:\Users\Admin\AppData\Local\Temp\F139.exe

MD5 b6748ff05625e9819b726e68a88a9138
SHA1 34c2a660ed51e28a5c32795bb51887c4dc875721
SHA256 e4312e8be1f69de74c32f50f340de53ee042c05b17e834bff82eecf907de6f0d
SHA512 0474ac012530069ce2be2fdc9ee851de174a7ec6a680e76b4b4a423c7ea473fdee0f184b0e190a28e9ba1e07c27f992533fe811ebedb6e19fcda4036c2e54a1d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 62876997ebe1a7782b290d3e0b42cf5e
SHA1 125b7fcdd8b115731b16c4ddc12511ba9ef07b4b
SHA256 087ab6e9ddb7c92957c39f04bd236dd4d69bc67aefeed8318ba3e3305fd80232
SHA512 aa760e4e27f58d798b025f61ccfa11fcf364fbe6a06f2e3c9b855e4ad1386334e0d23783bc980787c3c492746f307a68d7e26e49e444b45923c5a578ac4a2240

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

MD5 c2637b6719f6a23e93d0f1166d66cbf4
SHA1 c7c236c79bb4224df7ecd9742b79bdd6c0dccd96
SHA256 b0a9a7b3d509896eb2c255e94130d9fbdcf4328119d1f489b241ec9662c14e8c
SHA512 22e96f546e5c6f1c87704df88916c0657c2acb29fdc4f6877fe2558ef2417f508d869a478556d83048deb1942c4913552fc1562eccdde733e806a52b58a6de98

C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UA6WZR2N\microsoft.windows[1].xml

MD5 b97f6e2cc1520a2e8426851cb68f3b0f
SHA1 33a930fe90facb202ec3cd87ca0275af9dd20155
SHA256 a3546f0c8e475abc90346821be3c3d67f522161ea876c3d14247ba6d79a2b5aa
SHA512 9b3771942ffce17a52d4c0598bd0d4bb8f196c8731e5b129524b3d9507d411895e4c43d84479f06e5fb28c3403d6b0ec63b97f3a3cdb598873d17fd637abd06a
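The listing above is worth reading carefully rather than just copying into a blocklist: `C:\Users\Admin\AppData\Local\Temp\D216.exe` appears several times with a different MD5/SHA1/SHA256 each time, which means the same path was overwritten with different content during the run (successive stages or payloads), and `D91C.exe` and `F139.exe` show the same pattern. A path is therefore a weak indicator here; every distinct digest needs to go into the IOC set. The following added example (mine, not the sandbox's code and not part of the original report) parses a listing in exactly the shape shown on this page (a path line, a blank line, then `MD5`/`SHA1`/`SHA256`/`SHA512` lines; bare `memory/...-memory.dmp` lines carry no hashes), validates digest lengths, reports which paths were rewritten with different content, and checks arbitrary bytes against the collected SHA256 set. The embedded excerpt copies four entries from the listing above with their SHA512 lines omitted; the bytes passed to `is_known_bad` at the end are constructed and are not the sample.

```python
import hashlib
import re
from collections import defaultdict

# Excerpt copied from the "Files" listing of this report (SHA512 lines omitted
# for brevity; the parser accepts them). Constructed test input for this example.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\D216.exe

MD5 df4153719bf93cc3ef7d3934fe75d815
SHA1 d929cacc16bfcd227c7458fd940eddcaac1553c1
SHA256 0fadd34aa822d465c602a94722aa35556f064cbb69efa44e77ebfe07e79387ca

memory/2780-541-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D216.exe

MD5 3d5860ff13b28a66dd4cbc3bdfa59323
SHA1 f5f60293fefc60cced423a1c61506d926f0644c2
SHA256 3836672bd9458807f12f7fcf462bf92a0b0e2c9848692b94e1c85578ff6a7296

C:\Users\Admin\AppData\Local\ad444082-f4b8-4a6d-992f-793edc7f4d66\D216.exe

MD5 09acd913007535d86da7019f1318f7c6
SHA1 86bfd0a3356ed1e5e6c1366cf2a7cd54f4ad7b73
SHA256 101deb9c762d69d4226c96ad4092ddff8fc5c54a931cebffd8814d26889e0bc7

C:\Users\Admin\AppData\Roaming\tffiuru

MD5 c7fbc8d52e8a443bce41c27c7f8c9d67
SHA1 44f73eb8b67d2d0413bc10d0d887d2f3430b09c2
SHA256 802849a54e006d1d46be18a9488d103b2e93ffc9f52c9338682152272420a6a7
"""

# Expected hex-digest length per algorithm; anything else is a copy/paste error.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text):
    """Return [(path, {algo: hexdigest}), ...] in report order.

    A non-hash, non-memory line starts a new file record; hash lines attach to
    the most recent record; 'memory/...' dump lines are artefacts without hashes.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash line before any path: {line}")
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current[0]}")
            current[1][algo] = digest
        elif line.startswith("memory/"):
            current = None  # memory dump entry, not a dropped file
        else:
            current = (line, {})
            records.append(current)
    return records


def hashes_by_path(records, algo="SHA256"):
    """Map each path to the set of distinct digests observed at that path."""
    by_path = defaultdict(set)
    for path, digests in records:
        if algo in digests:
            by_path[path].add(digests[algo])
    return dict(by_path)


def rewritten_paths(records, algo="SHA256"):
    """Paths written more than once with different content (staged payloads)."""
    return {p: sorted(s) for p, s in hashes_by_path(records, algo).items() if len(s) > 1}


def ioc_set(records, algo="SHA256"):
    """All distinct digests of one algorithm, sorted, ready for a blocklist."""
    return sorted({d[algo] for _, d in records if algo in d})


def is_known_bad(data, records):
    """True if the SHA256 of `data` matches any dropped file in the report."""
    return hashlib.sha256(data).hexdigest() in set(ioc_set(records, "SHA256"))


if __name__ == "__main__":
    recs = parse_files_section(REPORT_EXCERPT)
    for path, digests in rewritten_paths(recs).items():
        print(f"{path} was rewritten; {len(digests)} distinct SHA256 values")
    print(f"{len(ioc_set(recs))} SHA256 IOCs collected")
    print(is_known_bad(b"constructed bytes, not the sample", recs))
```

Feed it the full "Files" listing (every section of this report, since behavioral1 and behavioral2 each have their own) and use `ioc_set(recs, "MD5")` or `ioc_set(recs, "SHA1")` where a downstream tool only takes that algorithm; the length check will catch a digest truncated while copying. The `rewritten_paths` output is also a useful hint for forensics: a path that holds several different binaries in one run is where to pull multiple versions from a disk image or from the sandbox's memory dumps.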