Analysis Overview
SHA256
9587bda655a2dc730e4bdbd7de5ab39bc37de697fe22f449a6b2f851adaedfb8
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
DcRat
Vidar
Stealc
Detect Vidar Stealer
Detected Djvu ransomware
Glupteba
Glupteba payload
SmokeLoader
xmrig
XMRig Miner payload
Modifies boot configuration data using bcdedit
Modifies Installed Components in the registry
Creates new service(s)
Downloads MZ/PE file
Possible attempt to disable PatchGuard
Stops running service(s)
Modifies Windows Firewall
Reads data files stored by FTP clients
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Modifies file permissions
UPX packed file
Enumerates connected drives
Adds Run key to start application
Checks installed software on the system
Manipulates WinMonFS driver
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of UnmapMainImage
Checks SCSI registry key(s)
Modifies registry class
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-24 13:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-24 13:39
Reported
2024-01-24 13:41
Platform
win7-20231215-en
Max time kernel
0s
Max time network
147s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Stealc
Vidar
xmrig
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rty25.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FirstZ.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240124133917.log C:\Windows\Logs\CBS\CbsPersist_20240124133917.cab
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\nsd3065.tmp
C:\Users\Admin\AppData\Local\Temp\nsd3065.tmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\9444.exe
C:\Users\Admin\AppData\Local\Temp\9444.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\c6e7c00f-ed4f-4baf-a3f2-09f2ad2653ec" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
"C:\Users\Admin\AppData\Local\Temp\ABF9.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
"C:\Users\Admin\AppData\Local\Temp\ABF9.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsd3065.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
C:\Users\Admin\AppData\Local\Temp\BA0E.exe
C:\Users\Admin\AppData\Local\Temp\BA0E.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
C:\Users\Admin\AppData\Local\Temp\ABF9.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe
"C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {B155A781-7310-456A-A176-CCDE64BB8557} S-1-5-21-3818056530-936619650-3554021955-1000:SFVRQGEO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe
"C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build2.exe"
C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build3.exe
"C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build3.exe"
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Users\Admin\AppData\Roaming\ggwvwue
C:\Users\Admin\AppData\Roaming\ggwvwue
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build3.exe
"C:\Users\Admin\AppData\Local\99619b86-fd45-4227-9c67-190c5312b7b0\build3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 1444
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\explorer.exe
explorer.exe
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | i.alie3ksgaa.com | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| HK | 154.92.15.189:443 | i.alie3ksgaa.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| DE | 185.172.128.79:80 | 185.172.128.79 | tcp |
| US | 8.8.8.8:53 | 17eb924e-a215-48f2-b8bd-8a71ca2d045b.uuid.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| UZ | 195.158.3.162:80 | | tcp |
| UZ | 195.158.3.162:80 | | tcp |
| BA | 185.12.79.25:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard58.blob.core.windows.net | udp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| FI | 65.109.242.152:443 | | tcp |
| FI | 65.109.242.152:443 | | tcp |
| FI | 65.109.242.152:443 | | tcp |
| US | 8.8.8.8:53 | stun2.l.google.com | udp |
| US | 8.8.8.8:53 | server1.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| IT | 142.251.27.127:19302 | stun2.l.google.com | udp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server1.thestatsfiles.ru | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 104.21.23.184:443 | walkinglate.com | tcp |
| BG | 185.82.216.96:443 | server1.thestatsfiles.ru | tcp |
| HK | 154.92.15.189:443 | i.alie3ksgaa.com | tcp |
| DE | 51.195.43.17:10943 | | tcp |
| FI | 65.109.242.152:443 | | tcp |
Files
memory/2468-0-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/2468-1-0x00000000008A0000-0x00000000011E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 340b1683c7f31eade2383e5e67c84817 |
| SHA1 | 9d73425c3db2295a0e58b41ff425041807089123 |
| SHA256 | 0a3cdce66c251198465c36986e82ca335b8e362bbbfed3007617dc752fed0d9e |
| SHA512 | cc936fa1a5b7fd12702dac490bc71fc68a25decfa73331b6c90f65d11b48c0675b560b6d45b4054fcab412b6ba6e5ff87476fc86b3da03a8cc8e26c160cf3470 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 84449910b7cb5905b82b45940b10aeab |
| SHA1 | 899243a105cc2c89e99df9b2cd049dff4b70fcb7 |
| SHA256 | 6c5b613862e68c6ee28195b8801f3cf8a632f72c52db5d5b6a320d18bd72c5d3 |
| SHA512 | afa8ac931ef55326ada993e566973d0a32c3944a23f1d11386b53423b767354b82843e492fd10b9281b4d8426d3c2b145b80709d484c949b2b9d5babf4be99d4 |
\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | ad9a2ed3b4b565cf5617ad703a36628b |
| SHA1 | 16fec54fb4c7c4fa8903339f334afad450471e23 |
| SHA256 | 7203aa7f200c312bc287fc5135e094d963748debaf7d647c55c4cc9620880364 |
| SHA512 | 303b718a35390dd491368a85954785227440558ca24ed401ceb6ae54a1823ddab57ac99e14213d6a672f084d869492858719735998b574d20b7e8dfc6f200a8b |
\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 92cff6eba0865f177bfa6ac902195968 |
| SHA1 | 3a35d48d1b19fb0bfe75841ac5df900e45b7846a |
| SHA256 | 31fe5cac6d3fdc4906490af45dcabcc3aa1c5b10f17dadd9834cc000702a8b95 |
| SHA512 | b6976e6fa9118254f0962a6c1c4bd8d5284db9f2115588dd439dc3e7e21bf232bdee1c24f10f61098de08ca26f0f5cc89fc0dc83f9db9d95d18bb4202c87a025 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 4e996350914f680718c1ee7a12f3ce9f |
| SHA1 | bc4b402a91ffa70f1c3239136b87cd3184901d27 |
| SHA256 | a54eadc5b9c6e1ccb2458a68fdff9af0197194f485ed6d74c6e3d0ea6c9e2ed5 |
| SHA512 | f61313291beb384c6a7a637bf905d45c05aa54e65f6d59c73a9b4fff09f173f82804835b309c2e849645196914d8899c2fad07538ddaad2e6d13e184ce9f0636 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 7abdb5994d67737d9ca5c41a4ed9b7f9 |
| SHA1 | 6364a67d592d8e06990cfb39b1cc4d46304b5823 |
| SHA256 | bf11eb0e25c7912d7cf0d2a4934ec3c1fbfecc2a43538146b7fc37c8156688ad |
| SHA512 | 1349572772ea63a78b781998e1c47d4ff5db933ce1d084d9f8b464b989a26ea09e930e973e324e24a18e707d6b1bb29677a49f5a7c8b508cf8ba0125f62d370c |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | bff932111197ab8b9dbbeb81ff28c97b |
| SHA1 | 63a54611ffbe187b12d6dcfc2e852f0eddaa737d |
| SHA256 | a2c2f12de389a7074f3d3a8685c0da90ec9be356388e72711977929b68405bb5 |
| SHA512 | 63b638cab3d21b4bbb785ff72845daee62cca232a26989c178e65bb103fb8ebcabfb19cb21a2b348139c14e699784d5714af532383eef5866c49eaacd2a61982 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 249ff0763945579dee939de22ff50b7f |
| SHA1 | 2bbe781e94a3106d99f5c9cd96d5b59ef1cbe7a7 |
| SHA256 | a014d3ea0aae1fa9ed62d457c261246d93acdaafbf2181835f122d8e5fa19f55 |
| SHA512 | 8ae8be5410203c402a01a1c59f2a64001794c65c4b7594b54b232e544c6c8b580dac10b3190ae105bba3b89b1a0b8cb260d54b53d49883bd2165a3fb57315de2 |
memory/2496-38-0x00000000002B0000-0x00000000002BB000-memory.dmp
memory/2836-40-0x0000000001040000-0x0000000001438000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso2B75.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/2468-56-0x00000000745D0000-0x0000000074CBE000-memory.dmp
memory/2836-57-0x0000000001040000-0x0000000001438000-memory.dmp
memory/2748-59-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2836-60-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2836-58-0x00000000029D0000-0x00000000032BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 94daa27bf85cfb976473a602cd0ffa69 |
| SHA1 | 3804d5b0953b8eaf2ea4c810d8a6258734b82a48 |
| SHA256 | 389a38414cfad6d35ccdbfc26ffe8ccadfbf1362329d91f1405f592a3f83004c |
| SHA512 | 6b47583566430307f7c8d044ada81e9b871f6677842dbe40336bd7642302d2c5b9958bc6d348739f7573d894e7860f4cdefb13a8194f24b5649899aaa376b50a |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e11a789fa6c6788e9ed9028f48837bf1 |
| SHA1 | 47d1ed93a094f031a201d72d84d6fb00da839823 |
| SHA256 | 43fb2abbcccafce48cdf813f92b2d399c56c179a7006a5e9fdc93084a3aedf81 |
| SHA512 | 54b949c67e4b37054effb2477b908c380c5a6d1d856a76f23ebe796326b5d5b3878bcf288553cf790821db34b3faab6a65b6835b1520c013265277b4316a48c0 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | f857cfcd04bdfdb8cb538d3a66a94f70 |
| SHA1 | aa840eb7f535eb82887e8ee9d1004c7bf5ab99cf |
| SHA256 | b392d82bc6d72b5ef2f6841c595b04c7d5a7b5a5ed0463191582c38f0c42094c |
| SHA512 | 735f66df755cd05875d0126f8bace026c25a6511a15f0f52386b8454dbbabd4cf33010606046295d16e94de0239e269a08070f25f0dc1962886b8a958d5f6ec6 |
\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | fcd52c211513be3ed5f4d1023e788220 |
| SHA1 | 4188be2261137bd25e6d083f62546906f0faa85d |
| SHA256 | 35ee19a54e2e668eb969d9b4422242dff0a6f4163d4bc1c988081699f46c9ee7 |
| SHA512 | 89fabb2cdc8eb83c3a4e239ddfb5f98041166f6deda6a44b6d900bdc537cfef03b9fde3621bee33054cc3e136791fd59b57ce8dd3789f0180e7f98f018261458 |
\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 44553a433ef17b5e38ee88f39e82b8c1 |
| SHA1 | c7fb3405b0be2b9d176e5292954f2199eb3a37d7 |
| SHA256 | 7d141c59ad9fe6d063f4c76f32e46ed55be52af197b038b0cab4dc63ba1e2e7d |
| SHA512 | 668fe8b32bd47d44a60bbb407023f0f4c35ba04a0f8ea9338dc4ea7978f4fe256bf4933dea04cdd5eb89ef4a243aff3bf5427398a38cdc8ee5fb579de31fa528 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 994fb603236c951a6f4b75c558d8bcaf |
| SHA1 | 68db6090e4258dbee0efb7c90e11394dc8eeda4c |
| SHA256 | ec5f75ea0fe94f6f157f4b2fc241f53552c594f1c9d4cd09676159ba5e902eb3 |
| SHA512 | ecee4b8b979491f8801a298376fb5cb8550ebbe35d3e2e13bd1b0ff357821aa815396cba30f2ddd0da569539cf6f617a7727028ca1035a52ea2d316b41ad4ce6 |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | bdaabc7b8ec7dd7996c55c31ab251744 |
| SHA1 | 01cddc78761208d2839a0b00a49a46e928a6c1c7 |
| SHA256 | d680cabd4202dceb30daa365b0cc742e7afe89096e89e8e210267dff608d2a9f |
| SHA512 | 43f1d7082ac10901cbd9bce8d485947d8670279b1a6154e28fe76cb92a926e39461c76186123bb3fe3d3031d72f92dfbf2cf4aca0444b646696ef7c3e32b9810 |
memory/2496-39-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2496-37-0x00000000004C0000-0x00000000005C0000-memory.dmp
memory/3028-34-0x000000013FA90000-0x000000013FAE6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | a6fef0562abecca0d7b3567825ae5b99 |
| SHA1 | 2fa30153197cf09fd9bc36a26c062ee69644be2d |
| SHA256 | dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b |
| SHA512 | 7d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 47a1c6710f1b476047ee3baeb6e080b2 |
| SHA1 | bd8f5fa061f2579d439665c79d329d35053c9883 |
| SHA256 | 1d464103f8f2c7174d7f474f3ed6e69e3b17ae6ce541c1f98c91c092bc4a1d5d |
| SHA512 | bc7d5cd55df22e66b19f8fcde9807771bac63ce4c287e0911c4ccc1893e20fed8280642abaeb2c5ca4b9c292d668fb290d3f58ae76612138bb87025d8a0cfcf7 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | a3b3151e3295321280d9ee42e33564d6 |
| SHA1 | b002f798e12048e25678e0eb238d198fa29e97db |
| SHA256 | f5a38edb6bae0ad0cef0f2fb777d89af5086b931bfe0d6eeb9ae4ac4b3023b1c |
| SHA512 | aba206036a384807f60e2c8bf0869b2e194a13d953693fbb77a1c9817a110f781922493e81a80e89b29ecdd0cd09b3a5a18c8fae31dde491016c1f4f918c0240 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 783730244f72e8fd8dc9ef24d25249e7 |
| SHA1 | e3f5fd77421c7f61df91ccc9d8153db0869b63aa |
| SHA256 | 37aebe2e8cf246f96dc8e964f5569285d517023cfe3d08f2a65d786712a63d64 |
| SHA512 | ec1475f64f60011c142955c0f9469d0840288e26331af18425a314eba1c67644886bb1beecafd3ad273e2f50dee14ecb4fbc83432d1dbebf2bbef0548bcc8236 |
C:\Users\Admin\AppData\Local\Temp\Cab3278.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
\Users\Admin\AppData\Local\Temp\nsd3065.tmp
| MD5 | 2e5f120c665d110758a26ddef60c9ed7 |
| SHA1 | b03843d0f9525fda7b3c56c362cebea30f545a51 |
| SHA256 | 45044f714a657c6a425b8f0a9dc1bae87a6cfd870a2d9df649e9b0211a62699f |
| SHA512 | 85838ced0150b578be3f6f7314df31e79c248360f494a9ccd679632750f331dcaa8b1d2289fa035a3a09e23d4ff5e812d3f53926afa78fdd6e149f6bc68bbbce |
memory/780-95-0x0000000002CB0000-0x0000000002DB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd3065.tmp
| MD5 | e237ea2ecb0c0cd69d6f2fa661665444 |
| SHA1 | c63496a1657625323d730d372bc9117284b9b092 |
| SHA256 | dd432ee29a73cd4c3b47a2a1dec18ea879c50747a92722e8929cd92db84e5c8d |
| SHA512 | 1b2cf3c33a52367364f0c163fd7ad9edaedd0d14e7b0aa61ee314627960ab18c869c0f52d8b350e1e272864891d352f941bfc196590d438f36bbef2b4c7d4228 |
memory/780-96-0x0000000000220000-0x000000000023C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsd3065.tmp
| MD5 | 7593a2cebd47b22f874bcdaf52fac59f |
| SHA1 | 87f9f1bce33c6fc46cef0522a37f9a26516b52f2 |
| SHA256 | dc54f6dd3d51ce4437f61c6e8438ed4f9834eb1538974450edb48780c03d171a |
| SHA512 | 34d22bfaea0a66397c86656d25772895c110451603a200942eb7fc876390a05d6ee2906c0ed823f6617de66bfeef82df02adc6448a94c8e0976ddd7a81eecc6a |
\Users\Admin\AppData\Local\Temp\nsd3065.tmp
| MD5 | 4fca63a0c3775856e80ecf0db2b46861 |
| SHA1 | 58567f226cb4c8d6543e766d494af1f74a2e9920 |
| SHA256 | 5435090fc411b652a1b6657d5d960052cea068915484edb23cdc175160870a49 |
| SHA512 | 8a0248aa487c3d89cfbaaa20ed4adb79e22e6eda5c143d6912b6a4377a602441339c42d212582e224639ae05ca03a02d293e1eb8bc1d05b4501e874fa8743296 |
memory/780-97-0x0000000000400000-0x0000000002B13000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95199fa3f7b7476a5a9a769fa01eeab6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-24 13:39
Reported
2024-01-24 13:41
Platform
win10v2004-20231215-en
Max time kernel
71s
Max time network
151s
Command Line
Signatures
DcRat
Detected Djvu ransomware
Djvu Ransomware
Glupteba
Glupteba payload
SmokeLoader
Stealc
xmrig
XMRig Miner payload
Creates new service(s)
Downloads MZ/PE file
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D216.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\ad444082-f4b8-4a6d-992f-793edc7f4d66\\D216.exe\" --AutoStart" | C:\Users\Admin\AppData\Local\Temp\D216.exe | N/A |
Checks installed software on the system
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FirstZ.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\explorer.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\timeout.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\cmd.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\explorer.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4256 set thread context of 4604 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\system32\conhost.exe |
| PID 4256 set thread context of 4364 | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\explorer.exe |
| PID 2700 set thread context of 2780 | N/A | C:\Users\Admin\AppData\Roaming\tffiuru | C:\Users\Admin\AppData\Local\Temp\D216.exe |
| PID 3416 set thread context of 5056 | N/A | C:\Windows\explorer.exe | C:\Users\Admin\AppData\Local\Temp\D216.exe |
| PID 1884 set thread context of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\F139.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tffiuru | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tffiuru | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\tffiuru | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\Conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\Conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-82 = "Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-252 = "Dateline Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2162 = "Altai Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-191 = "Mountain Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1972 = "Belarus Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\timeout.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-562 = "SE Asia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\cmd.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-492 = "India Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Windows\windefender.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{319BAB5D-0862-4549-BB23-7EA7CE6BBF04} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-768304381-2824894965-3840216961-1000\{844CA259-0887-4B53-8236-91619C6B3C43} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\tffiuru | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 420
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1968 -ip 1968
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1968 -ip 1968
C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp
C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 776
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1968 -ip 1968
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1968 -ip 1968
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1968 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1828 -ip 1828
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1828 -ip 1828
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1828 -ip 1828
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 240
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 788
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 640
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\AA0B.exe
C:\Users\Admin\AppData\Local\Temp\AA0B.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Users\Admin\AppData\Local\Temp\D216.exe
C:\Users\Admin\AppData\Local\Temp\D216.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Users\Admin\AppData\Local\Temp\D216.exe
C:\Users\Admin\AppData\Local\Temp\D216.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\ad444082-f4b8-4a6d-992f-793edc7f4d66" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Users\Admin\AppData\Local\Temp\D216.exe
"C:\Users\Admin\AppData\Local\Temp\D216.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\Temp\D216.exe
"C:\Users\Admin\AppData\Local\Temp\D216.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5056 -ip 5056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 568
C:\Users\Admin\AppData\Local\Temp\D91C.exe
C:\Users\Admin\AppData\Local\Temp\D91C.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1436 -ip 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 572
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1436 -ip 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1436 -ip 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1436 -ip 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1056
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1436 -ip 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1072
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4128 -ip 4128
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4128 -s 2372
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsx4C5D.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Users\Admin\AppData\Roaming\tffiuru
C:\Users\Admin\AppData\Roaming\tffiuru
C:\Users\Admin\AppData\Local\Temp\F139.exe
C:\Users\Admin\AppData\Local\Temp\F139.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1104
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1436 -ip 1436
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1128
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3328 -s 6064
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 572 -p 4088 -ip 4088
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 992 -ip 992
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 1088
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Network
Files