Analysis Overview
SHA256
61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e
Threat Level: Known bad
The file 61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe was found to be: Known bad.
Malicious Activity Summary
Neshta
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Modifies system executable filetype association
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-15 17:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-15 17:52
Reported
2024-07-15 17:55
Platform
win7-20240708-en
Max time kernel
142s
Max time network
122s
Command Line
Signatures
Neshta
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
"C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5706.tmp"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp5706.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp94C1.tmp"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp94C1.tmp
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD366.tmp"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpD366.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp10E2.tmp"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp10E2.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4DD2.tmp"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp4DD2.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AB3.tmp"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp8AB3.tmp
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC793.tmp"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpC793.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4A2.tmp"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp4A2.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WINDOW~1\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\SysWOW64\WINDOW~1\v1.0\powershell.exe
C:\Windows\System32\WINDOW~1\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp422F.tmp"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp422F.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
Network
Files
C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
| MD5 | fd151dbc522da341d7c5540e6a90d624 |
| SHA1 | 4fe3c3f08021ce65120246b0428ad5fafe001d6e |
| SHA256 | bc984064d01424dfd6a7c530a1927fe5e3fd3c659988ccd503c3fbfd99462a3f |
| SHA512 | 3c3356f1f59235cdcb720939aad4b87939778695d9b9cf2ed1d0d31844a50844bf984a9d1b3f7c15af25286e55f0102f1826b19315eb79a65423942e8431eaed |
C:\MSOCache\ALLUSE~1\{90140~1\DW20.EXE
| MD5 | 754309b7b83050a50768236ee966224f |
| SHA1 | 10ed7efc2e594417ddeb00a42deb8fd9f804ed53 |
| SHA256 | acd32dd903e5464b0ecd153fb3f71da520d2e59a63d4c355d9c1874c919d04e6 |
| SHA512 | e5aaddf62c08c8fcc1ae3f29df220c5c730a2efa96dd18685ee19f5a9d66c4735bb4416c4828033661990604669ed345415ef2dc096ec75e1ab378dd804b1614 |
memory/2208-13-0x000000007476E000-0x000000007476F000-memory.dmp
memory/2208-14-0x0000000000BB0000-0x0000000000C78000-memory.dmp
memory/2208-15-0x0000000074760000-0x0000000074E4E000-memory.dmp
memory/2208-16-0x0000000000500000-0x0000000000512000-memory.dmp
\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE
| MD5 | 9e2b9928c89a9d0da1d3e8f4bd96afa7 |
| SHA1 | ec66cda99f44b62470c6930e5afda061579cde35 |
| SHA256 | 8899b4ed3446b7d55b54defbc1acb7c5392a4b3bc8ec2cdc7c31171708965043 |
| SHA512 | 2ca5ad1d0e12a8049de885b90b7f56fe77c868e0d6dae4ec4b6f3bc0bf7b2e73295cc9b1328c2b45357ffb0d7804622ab3f91a56140b098e93b691032d508156 |
memory/2232-89-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2208-90-0x00000000009D0000-0x00000000009D8000-memory.dmp
memory/2208-91-0x00000000009E0000-0x00000000009EE000-memory.dmp
memory/2208-92-0x0000000004E70000-0x0000000004EFE000-memory.dmp
memory/2232-94-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\svchost.com
| MD5 | 2f50aca08ffc461c86e8fb5bbedda142 |
| SHA1 | 6fc5319d084c6e13f950c24c78a9cadb7793c638 |
| SHA256 | d60208f3894f4556caae5ed2297c0ef1593a4a66f5af8f3f2e44a8f2896bbf8e |
| SHA512 | 785225fe823c5724c7ebbfb17f31ffcfc2b3b852369b4d3e002b54476ad8c0f4a5d6ac29d43886361bc8deda29db9f9ce70b1e4496b08390a8ead50ddac9d46e |
C:\Users\Admin\AppData\Local\Temp\tmp5023.tmp
| MD5 | afd34ccf63dc65d54482c5f1ad671edb |
| SHA1 | 78f61bc84f44d44dbc8257585cc58f5c6103b4e2 |
| SHA256 | afd3d44063fd1ba34ef1f0bcfde471a9fa553df60f041357f5a5e183b7033984 |
| SHA512 | c61b0112665853cbde2b184148f78027b241d35777dd31c0d97b10bc00027904c849dcab53cefed416331bfb7b12475b4284e06f15496440d0d1cbeee0b040ea |
memory/2016-106-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1680-118-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | 20dd9868b9ae8ac65bab31b5650890b0 |
| SHA1 | 6aa5309826f48d575489ed546bfd17c80a3aa02d |
| SHA256 | 7fbb99a259c044e8bbf6b4662eb79703b3fce7f12bc7f0f069469a7778bcc347 |
| SHA512 | ed2b0ef383851a5cff3796c63b189745d35b4763016fe8aa229bacfdd89e15525056503a4db339aa3437d88b8d8608ba1755ca563686eb56deacb16375df7480 |
memory/1084-127-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | eeeb45e7168435a05021519dece54ce3 |
| SHA1 | df05ed8dc583d17b54cf270dbbbbe36937769941 |
| SHA256 | b6063fa83cf0d842cf1a0fa2f30dd20d638b4b380cf351534b82cef9e14be9ac |
| SHA512 | 538218614b1f8b3f6b6244857b8271687b7e9036f1ab1bd489fff92782674522c43bc312989d4ac3e58f5d335cdda8c0d898a4bb9630d1c5a467e38f332fb501 |
memory/2404-130-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2404-147-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2404-145-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2404-144-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Windows\directx.sys
| MD5 | 98169b13e77ed35ec975e17ae26f995b |
| SHA1 | 193a590cba9fd83594d1e4a4a80a4ecfbdacdc54 |
| SHA256 | 005f4da6703fe3f3798300a7409f16caf9f2441655934a09911a103eda337b5d |
| SHA512 | c070b0298bced5c0b6fd09d84b4f0632a877591a6b9861fd1994e300b0e89d111d1d3b7635c5fadb54cba472031c48a7cc74295956556bac8e827dd10dacd352 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M2RNGAS9TQBKA6SC4YXL.temp
| MD5 | cc65cf878470d98b9fee9e6287d907db |
| SHA1 | 490e798e4c605cc24453d1b5f8514bc90036ad9f |
| SHA256 | 91afa3a6b7d6f77675e4545cacb6dcd3582e96004855865f33a3f5e8e77b26b2 |
| SHA512 | 4af22e47fd31eeea408851dd399594848a275b6e6bd8fcbf0961a0f698757f8dc1fbd2b80c037b51c756b96681c3aa106ddd101e30f9c54da7415b5843c94a8a |
memory/2208-167-0x0000000074760000-0x0000000074E4E000-memory.dmp
memory/2404-142-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2404-140-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2404-138-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2404-136-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2404-134-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2404-132-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2196-168-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1124-169-0x00000000005F0000-0x0000000000602000-memory.dmp
memory/1712-180-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | 6d266683583eca026ff9fb1a51197ef0 |
| SHA1 | 886c44a42fd282b68b5d215160944cce9c7c103b |
| SHA256 | 2c5a581e96fdcb1d83253386b75a7821fdd861b5bd15604bab09fb5de93d7ed8 |
| SHA512 | 0d5910c58270331672d60826adc91e816eda62c73e4fdbaa60f13be5da7144e2da86da38c1f4ba01aa198d12a4996a29c791eccbb243e99e3076f9f94d5cff16 |
memory/1536-202-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2004-218-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2452-200-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2812-239-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2256-256-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3044-267-0x0000000000400000-0x000000000041B000-memory.dmp
memory/864-275-0x0000000000400000-0x000000000041B000-memory.dmp
memory/568-376-0x0000000001300000-0x00000000013C8000-memory.dmp
memory/568-378-0x00000000004E0000-0x00000000004F2000-memory.dmp
C:\Windows\directx.sys
| MD5 | 8b15b2fb324290c1fff3c00b48fed24c |
| SHA1 | c7c1dc32158ff1f8e47afcb51d5a2c53017bcafc |
| SHA256 | 0c96daabf9a44aff8e925538825153b2778b9ee7120fa41aecb1c465638f138e |
| SHA512 | 42afe955add4b31a7a183f2e12024ce8114566431ecf30b3cfaf44f918047cf4859609cb672529bcaa3c6e9bc6e506268b88fe08ee87bce815ede670e1210a5d |
C:\Users\Admin\AppData\Local\Temp\tmp4DD2.tmp
| MD5 | 035b884d26f603d47bf2cbe67062086e |
| SHA1 | 6e9db5bac0bd61367628f2f3a79a8c03176befdf |
| SHA256 | 15fe1d3ab31cba0cc1841abbd11636fbef77e4e150928621dca8bdfa3865d86e |
| SHA512 | 42098c423a7a8ceec7d950f6a8889dfc80a21ee4e49fd8b3386d5f59a3dce82b838ba54c44e7697e272412ffcf20843595079c494fee74906d8d1c4e05b5ced2 |
memory/3068-482-0x0000000000190000-0x0000000000258000-memory.dmp
memory/3068-493-0x00000000005B0000-0x00000000005C2000-memory.dmp
memory/832-545-0x0000000000190000-0x0000000000258000-memory.dmp
memory/2072-606-0x0000000000AA0000-0x0000000000B68000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-15 17:52
Reported
2024-07-15 17:55
Platform
win10v2004-20240709-en
Max time kernel
148s
Max time network
126s
Command Line
Signatures
Neshta
Command and Scripting Interpreter: PowerShell
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
Executes dropped EXE
Modifies system executable filetype association
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\svchost.com | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Windows\svchost.com | N/A |
| File opened for modification | C:\Windows\directx.sys | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| File opened for modification | C:\Windows\svchost.com | C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
"C:\Users\Admin\AppData\Local\Temp\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"
C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCD43.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpCD43.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe
"C:\Users\Admin\AppData\Local\Temp\3582-490\61d0fa3933d0620b188c69ca85d91241e252ac419b46341ad1eac5dff7c9676e.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp142F.tmp"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp142F.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp55AD.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp55AD.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9584.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp9584.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD5E9.tmp"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmpD5E9.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp161E.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp56B1.tmp"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp56B1.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\eiVfWxqyEFoV.exe
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eiVfWxqyEFoV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9764.tmp"
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\System32\schtasks.exe /Create /TN Updates\eiVfWxqyEFoV /XML C:\Users\Admin\AppData\Local\Temp\tmp9764.tmp
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
"C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Windows\svchost.com
"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE"
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
C:\Users\Admin\AppData\Local\Temp\3582-490\61D0FA~1.EXE
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
| SHA512 | 5d6f6363c9c87c61d2be785280d420725fe7cc4b68908e78fc82dc480260a400500a84f1c9247b34437cd520d702ef5fc4546024fed891231630514d1418592c |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
| MD5 | af9aba6ab24cba804abba88d1626b2b9 |
| SHA1 | 6a387c9ec2c06178476f8439a5a3d9149c480a9a |
| SHA256 | e6a06e738140a8cc089bc607e5f5e1e2b224b71d52e0be0d01f9deb8e9763a90 |
| SHA512 | 9e004f2eccb4e48d2c98a8168f7fe752ad3195b66f0aa1d7ec07dd5819539bc94a50ffb1deb291e7fea11932eb88fb5938b1ef0a93cd8b1902495d1f7bd2d950 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
| MD5 | 032ee4d65b62d87cf809438556d30429 |
| SHA1 | 34458fcefe3c67f19c3d2c94389fc99e54e74801 |
| SHA256 | 0099c710e406e0423bb0b11eb4c113508c67f84a0972a2d14c038687cac1753b |
| SHA512 | 6b912d51e93f1e4756ecc5321ec08a6eb5e15413a9d9cf568bd14ce2a5199d064f6dd5c7d9d5155296d1a4ab5852c81a8fc138565fb788e7402c09b61281a5cd |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
| MD5 | 69e1e0de795a8bf8c4884cb98203b1f4 |
| SHA1 | a17f2ba68776596e2d1593781289c7007a805675 |
| SHA256 | 2b6d153b9df86033b7a83eb4f521fd4f7aeec35dc54ef8d1ffe80f5bbd030dbb |
| SHA512 | 353b664271d0f49f94b60c7fbaf5ab6d5b8df7690383517a90ba675f750d9b28628bbd5ed92a6782879607f4c21214b15ea95fd6a5a8d6f9540a1b75ddb9e665 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
| MD5 | 24eeb998cb16869438b95642d49ac3dd |
| SHA1 | b45aa87f45250aa3482c29b24fa4aa3d57ae4c71 |
| SHA256 | a2cfd55902b1750070e9154a90e29a10b9e6fa0c03bc82d8f198678e9bc46cd0 |
| SHA512 | 2ac6de5c3e52b31355300ff4e846ed0627d8d4af02c4c07c0886694a09237ef2ee76e004883fae76a959bef0b60bd4138a9c88ad22139c6b859786c8e37bb358 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
| MD5 | ae390fa093b459a84c27b6c266888a7e |
| SHA1 | ad88709a7f286fc7d65559e9aee3812be6baf4b2 |
| SHA256 | 738b7b5da8ca4798043672d2a32913e0f64268c7861eecc9fcc4c7f9d440d8cd |
| SHA512 | 096b5190efefe4c5272637e0721dcd339883f551c5e0cce568ed0bd63b31fb9acef6b09d310966482dbc7a944cc7a5878b0ad6bd68c30d1871254865a1660851 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
| MD5 | b84ae39dd0420080bd9e6b9557eea65b |
| SHA1 | 5326a058a3bcc4eb0530028e17d391e356210603 |
| SHA256 | 92439a773781fc1b4e45de7fad393bb9ccd05af99dc1a1bb2246a4befb1f5924 |
| SHA512 | 860ae09c5806622420147af1073cecc065786968737547276641af710b4caccd16b787bdf7212dd1d8ab16e257dd5c5cd20790bf000d75d82410cbd5bf7af388 |
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
| MD5 | fdad5d6d8cf37e8c446dcd6c56c718c3 |
| SHA1 | 412883fd3bb56f2b850d2c29ee666d9b75636faf |
| SHA256 | 2ed31146dc94132acafc7e759086f18c83560693a813b1d842a30908f50faf7c |
| SHA512 | 9866ddd370e7ab75aea143c5ede3ee96700ed662aab7fb3e989f9beedb2800b488f985a8069a61025cc8201bbc42e23d744717988587c2a8a66f2e91ea7cbbbc |
C:\PROGRA~2\Google\Update\DISABL~1.EXE
| MD5 | 2424d589d7997df1356c160a9a82088c |
| SHA1 | ca9b479043636434f32c74c2299210ef9f933b98 |
| SHA256 | 9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60 |
| SHA512 | 4dd0a69c1dfb0e88fc6b24c97e14dd0ad1ac0226dd372d09123b6a2ec3c107fc94a810764d16e111d1cf7e81a23b70b84d36cbfbf1e32986d00de3cd9e315c2b |
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
| MD5 | 001760b2a66fb4fff1e2c42bc39e5421 |
| SHA1 | 1980cafc246e5a31b6e78bcd5eec1726c9789046 |
| SHA256 | 1ae63f874694d576e6b6c2f409a71e49cf607e62b2a7a646322294009c7b813a |
| SHA512 | a37e499451abc2b9399eafe8d866210bdaac2c73a4f1dbe16c272fa56a8b5bcb1efe41e198effb9c84a77de269cbb5b81871d88eb726f95c3d3b4067bfc0c7df |
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~2.EXE
| MD5 | 78f77aff4993684fdbcad13c74d5f364 |
| SHA1 | 0b02ed9112021b3c65778fdce0642e81dfb5b628 |
| SHA256 | 9f707deff2f5b5a8c611c5926362c4ffc82f5744a4699f3fb1ee3ef6bb9b2cfb |
| SHA512 | 568c1abf5f6d13fe37cb55a5f5992dea38e30fc80812a977c0ae25ed30f67321db8f4c0da2ae4ae558e58dc430885fa13c1f7f1d6b2d6bb51ed031f042defafb |
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
| MD5 | a12297c17e3747647d5c29d67edd4d9a |
| SHA1 | 6a6ed9d50d8385b2fb1da6c700934bf213e1ec2d |
| SHA256 | 288f7e376d1ba967276a05a1b00fddff236315ee0df24e543cf8b604768ae7f2 |
| SHA512 | e1004b5307f26af7c22ec051539ed633105ac6673301d31a57cb530ab76551b51aa59741397d1b9fe860bed8c93c2a21d8e828edd1612750bcec1bd068898239 |
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
| MD5 | 6ecccb4bab82a4971897aa0bcb2f14be |
| SHA1 | 1c680d6f8ca6a0436b5935906a2d9c4699a7a412 |
| SHA256 | c661a1408b32f837e02965675400807e111dc5d43a00588011e4365dd3c24be1 |
| SHA512 | d68cae4b3c7664751bca1f73cb6b6aa0f0745bb10a76e250b9ffae82bbf2a398f17277ebe5cfd22338af9b4d4c0e0c8241eeb640bdcc0a73774612a6785ac081 |
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE
| MD5 | b6283a7eb554d995d9a7c72dcfca14b5 |
| SHA1 | 67d64907800c611bbcefd31d2494da12962f5022 |
| SHA256 | 099da4830adbab785d86ca4680c041458acfe798ed8b301b2bb6bd47891ed881 |
| SHA512 | a6d96a13b8672d0f1d50ac22ba95b715527050ce91bb67dc261732e0a114ef2902e3380577546ff34860f65723a143153cea47ae31e12bb27dd3f4f5ee2245f3 |
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
| MD5 | 48628eeb152032e8dc9af97aaaeba7cf |
| SHA1 | e826f32c423627ef625a6618e7250f7dbc4d2501 |
| SHA256 | f271af83d96b1d536e1a1788ec0baa0c3c583ddfe61faceccaeec1470c5676ca |
| SHA512 | 18a2a247177d04d5b1b56d126d72e29b02c8378e8aa4c89bdbaefe14bcd577d7aa054b05a5db37d142a37cf869f3bc03fe9a5bba4886a52d6c2ede5052dfcc7d |
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
| MD5 | 7aac73055860fcd079d9407cab08276d |
| SHA1 | 482b9f337d60270c95950353f9ca8929d8926b1d |
| SHA256 | 97508a81b805937e1ca57711a51d2e8d715a2748e2f9d27d39dfecc28f3fb9e5 |
| SHA512 | f183a10eb13c083c7cd8e785a7978eee4998c33d1eb104a0ab0e54146e10651f68612249e668baa08919a5840f6f929b5452c93f71a232b30aab9e2857109fb5 |
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
| MD5 | de9e6086062f01926b48c2d80508d12b |
| SHA1 | 13610cca5e38925e22b6a79067df0dd9eca49fe3 |
| SHA256 | d2f956514bc885fed054dec3ad4c0e89e59a6a38390fa8432abd15eb201468b4 |
| SHA512 | 60478e55b6a3d49686ed8e95e939a2384fb1440950d710e7beedb9eda24be0e6996c931d0703d6cc0065fbe5a85eff463b9e9eaadf14746593abe723636137c3 |
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
| MD5 | 62976c65ded41b4f31c7f379c548e05c |
| SHA1 | 3827c414ad15cd67ea8635400002c4c79704250e |
| SHA256 | 80de06ea5d221e21f765a96750f821aaaf8eee23bfd9d8cde265a8da11041c66 |
| SHA512 | ddf74814c7a54a258b7200310bd644547f3a831e373c8392dddedd08b3c1ca60e864fbe2007e68fabdcfe1e923d9207039bde42a09e0ec07d69694263057fcd7 |
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
| MD5 | e115eb174536d5fbcf5164232c89c25d |
| SHA1 | 5879354de61734962d39d13316d1fe028389cc16 |
| SHA256 | 57329b38314923c17e9dd9e153e894708389dd597fcb1438d5291c7627238653 |
| SHA512 | 69696a2e842e0557a57ec4d12c31d5afde0cdfb80d6028ad8d9b0b59d558ad6eaf043c9da0d31c43b16b4f12894dcea69db9366772c49c758773e6c35a9fb0c5 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
| MD5 | dc6f9d4b474492fd2c6bb0d6219b9877 |
| SHA1 | 85f5550b7e51ecbf361aaba35b26d62ed4a3f907 |
| SHA256 | 686bec325444e43232fb20e96365bb1f1eb7c47a4e4ce246fc900d3a9784d436 |
| SHA512 | 1e9c2dfeada91e69ee91cd398145e4044bd5788a628b89441c8c6ff4067ba0a399124197fd31dad26ccb76a4d866ad99918ba8e1549983be967d31b933ad9780 |
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
| MD5 | ead399a43035cf6544c96d014436fc9a |
| SHA1 | c8ef64abb6c56cbd02e851a98214620459c8b947 |
| SHA256 | 38b06ee250af6554e6740a1bb7acfb77b99ccdb8081880e01c386afa98668766 |
| SHA512 | 6fa46a36c17c9496c18843e04d78d5146cdea173a74acacd9b7c63d220c49fa3a1acb65f91fe7214a1ae82ebf63fb5366beecd7f9e0aeee0cbab5d1bd0aa6d14 |
memory/932-239-0x0000000006380000-0x000000000639E000-memory.dmp
memory/932-240-0x00000000063C0000-0x000000000640C000-memory.dmp
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
| MD5 | 961c73fd70b543a6a3c816649e5f8fce |
| SHA1 | 8dbdc7daeb83110638d192f65f6d014169e0a79b |
| SHA256 | f94ddaf929fb16d952b79c02e78439a10dd2faa78f7f66b7d52de2675e513103 |
| SHA512 | e5d97ee63b02abc65add41f6721514515b34fd79f7db23ae04cf608c2f7e0504e00b07694047b982d14d60cccf6f833b50268c693e3baf1b697d3370c0bba0b6 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
| MD5 | 3ccfc6967bcfea597926999974eb0cf9 |
| SHA1 | 6736e7886e848d41de098cd00b8279c9bc94d501 |
| SHA256 | a89d3e2109a8e35e263da363d3551258ea320a99bfb84a4b13ad563008eda8d9 |
| SHA512 | f550af4e053d89eff45c0fb00bb32e8d212645a155727d3536a3f12bb0b5550bed25516516334245b912fa4fc2e4e7c267e80da4f06d22ea128f20eb56ab4351 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
| MD5 | 2e989da204d9c4c3e375a32edf4d16e7 |
| SHA1 | e8a0bf8b4ae4f26e2af5c1748de6055ba4308129 |
| SHA256 | cae320401aa01a3cef836c191c2edbd7a96bfcce9efad1a21880626a64cc4dec |
| SHA512 | 3ebf71578bef909d9411c131d0ccd38ead68cba01a8e0f845d08faa012ca2136476fe09a2859ed846641f80b7a2d9b78d49c709065a52c6b9ee149edf84c8c4f |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
| MD5 | c4a918069757a263adb9fbc9f5c9e00d |
| SHA1 | 66d749fc566763b6170080a40f54f4cda4644af4 |
| SHA256 | 129a2bfe25ceabb871b65b645ef98f6799d7d273fc5ddfd33c1cb78f5b76fa3b |
| SHA512 | 4ecf32fa2c8f53ff7a08555ec5d37739dc1358352621d038669f608edf18b0dcc6dca168a2b602359c9ee098052e546e5c02603f83aad44a114192138de7b7b9 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
| MD5 | 514972e16cdda8b53012ad8a14a26e60 |
| SHA1 | aa082c2fbe0b3dd5c47952f9a285636412203559 |
| SHA256 | 49091e1e41980b39d8de055fe6c6a1dc69398f17817960d64743e7efb740efc4 |
| SHA512 | 98bbd6f06e3ff3e94aee3620f20f89e254dde157bc8129a64cf78fefe5cf9b13c7902128c2acbd54b3def527e09a039bd1f66ba64efb85f3f0404d894cabbee4 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
| MD5 | 4ab023aa6def7b300dec4fc7ef55dbe7 |
| SHA1 | aa30491eb799fa5bdf79691f8fe5e087467463f1 |
| SHA256 | 8ca27077312716f79f39309156c905719a908e8ded4bf88c2ba6fa821e574673 |
| SHA512 | 000e33cc2399efa9dc56c06a42f91eb64b94f30b78cf260469f45f3b876f518d2d2b62e33d8f697660ae560d595e5bd5b7a5f847c316d5f97adeb3d8f9248ab5 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
| MD5 | 66a77a65eea771304e524dd844c9846a |
| SHA1 | f7e3b403439b5f63927e8681a64f62caafe9a360 |
| SHA256 | 9a7391267ab83b45a47d9fcf1e0f76002ed6640ed6a574ba51373410b94812f6 |
| SHA512 | 3643ad1036075305d76dfd753b1ed29ae611b4b9f397b2520f95b1487e85155a111adc83578db8ca5d0fd1e9fe146d018e22f572c187ef468eab8d11d48fc7f4 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
| MD5 | 3e4c1ecf89d19b8484e386008bb37a25 |
| SHA1 | a9a92b63645928e8a92dc395713d3c5b921026b7 |
| SHA256 | 1ebe469c94c2c2a5acbc3927cef19dbe2f583ba3651a55623633891c4c05cc22 |
| SHA512 | 473d03abbb61609749a176a0724e427599a4f4707d72a74ed457b2198098f59fdf64b5394798db82f4064dfe964083d70af6a50a5fa2ab2674c77a99792e4e52 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
| MD5 | 3da833f022988fbc093129595cc8591c |
| SHA1 | fdde5a7fb7a60169d2967ff88c6aba8273f12e36 |
| SHA256 | 1ad4c736829dbcb0fcc620fd897fe0941b9c01e14ccba5d18085b3ca0416ab66 |
| SHA512 | 1299d63337c958e8072d6aaa057904cbbaa51c2eec4457269ead6b72c4eb2a10882e4a5dc7afcdcab5a6910d2105c2e5ee706850074e0425ae7f87d9ea1e5537 |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
| MD5 | ef63e5ccbea2788d900f1c70a6159c68 |
| SHA1 | 4ac2e144f9dd97a0cd061b76be89f7850887c166 |
| SHA256 | a46d1ffbe9114015050b2a778859c26248f8bab22d5d1a302b59373bc20c6b45 |
| SHA512 | 913371abb54e0adc94aa08372a20f07ced9f9fdc170f9e468cd39c7387c7e30c1ae238148ccf355d5c8b88b7fd63f914bb108c6cafca9a791d02d8b36468bfac |
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
| MD5 | 124147ede15f97b47224628152110ce2 |
| SHA1 | 4530fee9b1199777693073414b82420a7c88a042 |
| SHA256 | 3e815d583236b9cecd912fcc949a301d1e51b609cbb53a2285d08feea305edcd |
| SHA512 | f4c2825380d1bb9ca889d5c5684f13aa0cacb0d6511f6409ca0972a7191195a0175e00c995407848bf09ea03cff05c7395952bf2ffd2af2015b8939f75a8e627 |
memory/2992-241-0x0000000000400000-0x000000000041B000-memory.dmp
memory/932-243-0x000000006FBC0000-0x000000006FC0C000-memory.dmp
memory/4740-254-0x000000006FBC0000-0x000000006FC0C000-memory.dmp
memory/932-255-0x0000000007580000-0x0000000007623000-memory.dmp
memory/932-253-0x0000000006920000-0x000000000693E000-memory.dmp
memory/932-242-0x0000000006940000-0x0000000006972000-memory.dmp
memory/932-266-0x00000000076A0000-0x00000000076BA000-memory.dmp
memory/932-265-0x0000000007CE0000-0x000000000835A000-memory.dmp
memory/4740-267-0x0000000007010000-0x000000000701A000-memory.dmp
memory/4740-268-0x0000000007220000-0x00000000072B6000-memory.dmp
memory/932-269-0x00000000078A0000-0x00000000078B1000-memory.dmp
memory/4740-270-0x00000000071D0000-0x00000000071DE000-memory.dmp
memory/4740-271-0x00000000071E0000-0x00000000071F4000-memory.dmp
memory/4740-272-0x00000000072E0000-0x00000000072FA000-memory.dmp
memory/4740-273-0x00000000072C0000-0x00000000072C8000-memory.dmp
memory/3896-278-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2992-277-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2992-281-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3896-280-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | c2b924a755022d340350d6489047a889 |
| SHA1 | 78f843ebd696be30470b8dbcd010b7a8f3190c5e |
| SHA256 | 83a600cbf99c3693a07feb28a55ba1a17536add8bc5e667c7db93d25d5634c93 |
| SHA512 | cf038c60b70f43c8e2cc52f37cf722052f4ff0485ece39a67f3de064e41b98f16e7a8b88b9b98f7d831932799f7910eb843076897151f747ca8d45bff56ef64e |
memory/1164-289-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4356-298-0x0000000000400000-0x000000000041B000-memory.dmp
memory/536-304-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 16fd86a41e417eb6edf1d305c0355af1 |
| SHA1 | c0deb377b7234eb8b3f9dedb2be32ff34c18c938 |
| SHA256 | 476632e3310f81bef6203c463ae03d838b823e093d2f849765aefae10bec2f22 |
| SHA512 | 338875d18b4cae6c1e92eecd84ea87e4f8fe03def0c35178e9185c0eda9a97d3dc8badd2a1ef8c9d8e85739cafa09729eb011499404b583941c51621b3afc3a7 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | c2f8a0108f877d27cd9b1c61b822ccdd |
| SHA1 | dcc92dac3155288d5422b9ea515d1e273813a567 |
| SHA256 | 11becccd71a50f9529327472e5d741b194ca7ed95c6ebd0bf5b53b1b02ce7928 |
| SHA512 | 38af35adf3d3cb1529803da7d5368306b776e3bd35c805429d09b83db809564d505b8ea6069ac65eb7b958e15d5ec16679ef7338658d8513fba3e8b8c3929629 |
memory/3992-334-0x0000000005B70000-0x0000000005EC4000-memory.dmp
memory/1400-344-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3992-345-0x0000000006550000-0x000000000659C000-memory.dmp
memory/3500-346-0x0000000074620000-0x000000007466C000-memory.dmp
memory/3992-356-0x0000000074620000-0x000000007466C000-memory.dmp
memory/3500-366-0x0000000007A60000-0x0000000007B03000-memory.dmp
memory/3500-367-0x0000000007D50000-0x0000000007D61000-memory.dmp
memory/3500-368-0x0000000007D90000-0x0000000007DA4000-memory.dmp
memory/2456-393-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3020-387-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2292-378-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 970861e09c55a7db85a91f69e54a3efd |
| SHA1 | 552575920c25d2853c4863ce3437c6495b0d9454 |
| SHA256 | 81fac62700a0f23a18bff33592e0ad45869ddfc623d08db38ef9915f9fac1390 |
| SHA512 | 46a7bfc63b2306d9499bedd51659debea91d9df3fd1210d8446e2a643a2afe7525a23c7380f4dfb88b9dc1ef57fa142f303819d84ab662852921960062e1fcbf |
memory/2680-419-0x0000000005730000-0x0000000005A84000-memory.dmp
memory/4668-425-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2680-430-0x0000000005DB0000-0x0000000005DFC000-memory.dmp
memory/3984-431-0x0000000074C90000-0x0000000074CDC000-memory.dmp
memory/2680-441-0x0000000074C90000-0x0000000074CDC000-memory.dmp
memory/3984-451-0x00000000075D0000-0x0000000007673000-memory.dmp
memory/3984-452-0x00000000078B0000-0x00000000078C1000-memory.dmp
memory/3984-453-0x00000000078F0000-0x0000000007904000-memory.dmp
memory/908-463-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2952-478-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1008-477-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | e6ad1634f27dcfb584a14c79b9441733 |
| SHA1 | 309059e32ba075b3426b986d450ee358f4278d9f |
| SHA256 | 744c7988c09599917d699063982e691c5fbc0691b5504c21006c05b6126b007c |
| SHA512 | bedd97b8b307af1098c31caec24d04e5a0c98915bebac848aafcaa7a93e1a517d2626d66ea7d539113b20d2d6b4449bc3e35627d01767780a5e442f685870750 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | ae012b10c8426f306b8f7ec04a0ef683 |
| SHA1 | 28bc178b15aebfc3a22f1c25459e6d70d0e50ddc |
| SHA256 | 30127ade2da32f3e082a1ccc2eabe504c0a45d1dbf1c11d490cf509c302d4597 |
| SHA512 | cc8c258d77897eee88ba5d6d5ed9b32357193e6b37443ebc13c998857c32cdb73a4508060a76872165dd35330f6eaf1cad64a90f4e2ace9a265ac305449fd525 |
memory/4224-498-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2180-516-0x0000000006160000-0x00000000064B4000-memory.dmp
memory/2180-518-0x00000000066E0000-0x000000000672C000-memory.dmp
memory/2180-519-0x00000000741E0000-0x000000007422C000-memory.dmp
memory/2180-529-0x00000000078E0000-0x0000000007983000-memory.dmp
memory/728-530-0x00000000741E0000-0x000000007422C000-memory.dmp
memory/2180-540-0x0000000007BA0000-0x0000000007BB1000-memory.dmp
memory/2180-541-0x0000000007BE0000-0x0000000007BF4000-memory.dmp
memory/3896-551-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD5E9.tmp
| MD5 | 6bd29c23d4fd5216caf7ea08408d57b9 |
| SHA1 | 06ff6ad6acba395c906be9e48f2d134eed11610d |
| SHA256 | 82344290366c3e080ec892e3bdd182fa153840c258a27e31fdff45ea6409442c |
| SHA512 | a707ac8efc23cad42b32f25f2cd04f74559851aa08c3e7c10ae83fb3ed15381dd66859d3105d3382c7af2f24246eb023803a5783670d4e6602518b9884befb4c |
memory/1572-560-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1492-566-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Windows\directx.sys
| MD5 | f8cae6849d7f2d680da8749e6bf13cef |
| SHA1 | e5b78226b6cb174c8d1308350d6061c90fdf4320 |
| SHA256 | 1c09234b3e0894ee6198b989cfaa938963e87425cc955747f1dfbb13f564a91f |
| SHA512 | 2bef888d3f329d7f55168746e52d53b866eb62886d8225e75e70e1ad208efefda3155ee8af16dc1c9cb602ab618e804a484bf4791e068c8ee614131c6268d1db |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 6cdf52264d8662efe314dc934c43d7c8 |
| SHA1 | cfceed8f063afdf8190e98a4d833e32a014a7ff6 |
| SHA256 | d714abb1e937f517a6a8ed279fc46a3d72ab7b921314aaf742a592e10459ddb4 |
| SHA512 | 6e1a7b14ab4a4f94254c0feba838ad67194656a330a83f4a8df9af935e76ee6aa1991fa22b950fc4b3850ae5441c3324e7ce0382e764042e5ce8097b13a4b538 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 59ce14cb469b643419d8839fed458a4b |
| SHA1 | b8991fda4a42ebbc7e46e42aa92f379233f26693 |
| SHA256 | 4d582160ae73819a478ce67875fecdbb9cb4b95ad708aac36d47e68809f452fa |
| SHA512 | 9601c4262f0ad4b7ce95cf2e3f1450ee662235ff0b260432df45179daf2501ee0a800aa95c8815751a9a4f92bd348623c6457effd471c7db5c7b50076a3167b2 |
memory/3696-595-0x0000000000400000-0x000000000041B000-memory.dmp
memory/5012-596-0x00000000059A0000-0x0000000005CF4000-memory.dmp
memory/1708-606-0x0000000005620000-0x0000000005632000-memory.dmp
memory/5012-607-0x0000000006450000-0x000000000649C000-memory.dmp
memory/5012-608-0x0000000074BF0000-0x0000000074C3C000-memory.dmp
memory/5012-618-0x00000000070E0000-0x0000000007183000-memory.dmp
memory/4624-619-0x0000000074BF0000-0x0000000074C3C000-memory.dmp
memory/5012-629-0x00000000073C0000-0x00000000073D1000-memory.dmp
memory/5012-630-0x0000000007400000-0x0000000007414000-memory.dmp
memory/4288-640-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4940-649-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2796-655-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | d9cc7951ac13aa73d9c6486fdb7db8c3 |
| SHA1 | 1e00abbd2a73ef0442c5601cb01ab414a41c52bf |
| SHA256 | ce931d7d0ad25371e85285ccc7bc624b55635b8d18649dfdf7e1e4ff5e09cbeb |
| SHA512 | b1fb1da201b11d0d0389c3bebf07a2920a57198a5fb481c827b554f3689cd8f0e294d07bd6b75d2296b0078c0ce2844fc824e7375ee54b7ae9492b9e5959a376 |
memory/1624-680-0x0000000006110000-0x0000000006464000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 6edb02534e2f66e84e2a366e2bdc82db |
| SHA1 | 08038de3bff144d8367985e2567f947bbc98bad9 |
| SHA256 | aae9c53f8349e29d19dc3fda258242cfc40d38d88fe85983bbeeb735d0f1452f |
| SHA512 | bfb04c71ed2e9228aa9578cbaff21ed0b7b7934891224c8b9f6c8bc56fc069af6aeecf30f76acf39f7b0b233a7aa7a0358a24eb10402bad668c532b11ff4a0bc |
memory/3324-685-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1624-695-0x0000000006810000-0x000000000685C000-memory.dmp
memory/1624-696-0x00000000748B0000-0x00000000748FC000-memory.dmp
memory/1624-706-0x0000000007A00000-0x0000000007AA3000-memory.dmp
memory/1716-707-0x00000000748B0000-0x00000000748FC000-memory.dmp
memory/1624-717-0x0000000007CD0000-0x0000000007CE1000-memory.dmp
memory/1624-718-0x0000000007D30000-0x0000000007D44000-memory.dmp
memory/3504-728-0x0000000000400000-0x000000000041B000-memory.dmp
memory/4748-737-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1952-743-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 0526c0f56031baaf8acadbb3cdfee076 |
| SHA1 | 6acd9198020c65f9a146230d573f85492c49c249 |
| SHA256 | f35d9442a071376e9ea9743c1c7c54c638f825e08d4892a63aa99cf1b275da96 |
| SHA512 | 71c81f2e5a02e28c9061e99e06c54445cc3cbc2fc43a82d5613143ab5d579f15e4d34e02f09b9af7f349fc70637c8ca7363ae2da86f16da40e0292ec130a39ad |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | ed67071ba984025d27ead4b7562284aa |
| SHA1 | ac4f0b52e74a97c87fd20e7df9b021edea92edb5 |
| SHA256 | b7bec274903e9d69c0aa470798f031d6e0ac281968a593cb5590bf90a0208d0e |
| SHA512 | 0eb49635a140768db70deae93abcf7978c277eff79e68827019f1c1b43693fa7e91d36bf66548fac918cdbc94c3dae34dc5e28055ea0e96f90fc8894d0577511 |
memory/3856-772-0x0000000000400000-0x000000000041B000-memory.dmp
memory/2812-773-0x0000000005BE0000-0x0000000005F34000-memory.dmp
memory/2812-783-0x00000000065A0000-0x00000000065EC000-memory.dmp
memory/2812-784-0x0000000074830000-0x000000007487C000-memory.dmp
memory/2812-794-0x0000000007250000-0x00000000072F3000-memory.dmp
memory/448-795-0x0000000074830000-0x000000007487C000-memory.dmp
memory/2812-805-0x0000000007530000-0x0000000007541000-memory.dmp
memory/2812-806-0x0000000007580000-0x0000000007594000-memory.dmp
memory/864-817-0x0000000000400000-0x000000000041B000-memory.dmp
memory/908-825-0x0000000000400000-0x000000000041B000-memory.dmp
memory/3772-831-0x0000000000400000-0x000000000041B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 271d1c0d6fe3e20f2b9b23298ea81796 |
| SHA1 | 6134c3d2ec1448ba25ca80b3acf58a0c8c223a27 |
| SHA256 | b635244769e234bdbdca5d5723118b34cb54fc39483c6ae00df1223030ab8f3e |
| SHA512 | 72286aea50d14b975d3682e823d497c6abcc5cb2e37e294d1c30aa7a1bdeba3909b05c9d8377acfeedbd51989abbc0a0fba5b27fcafe264b7c7bfa2d12a7c4cb |
memory/1708-851-0x0000000006200000-0x0000000006554000-memory.dmp
memory/4680-870-0x0000000000400000-0x000000000041B000-memory.dmp
memory/1144-871-0x00000000067D0000-0x000000000681C000-memory.dmp
memory/1144-872-0x0000000074590000-0x00000000745DC000-memory.dmp
memory/1708-882-0x0000000074590000-0x00000000745DC000-memory.dmp
memory/1144-892-0x00000000079E0000-0x0000000007A83000-memory.dmp
memory/1144-893-0x0000000007CD0000-0x0000000007CE1000-memory.dmp
memory/1144-894-0x0000000007D10000-0x0000000007D24000-memory.dmp
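The dropped-file listing above mixes three record types in one flat sequence: a path line (often an 8.3 short name such as `MICROS~2.EXE`), the `| ALGO | digest |` rows that belong to it, and `memory/<pid>-<n>-<start>-<end>-memory.dmp` entries that carry no hashes. Pulling IOCs out of it by hand is error-prone, so the following is an added example, not part of this report or of the sandbox's own tooling, of a parser for exactly this layout. The sample input is constructed from a few entries copied from the listing; the record layout, the digest-length check and the region-size histogram are this example's own choices. One caveat for anyone promoting these digests to a blocklist: Neshta is a file infector, so the Program Files executables listed here are expected to be vendor binaries as rewritten during this detonation, and their hashes identify this run's infected copies, not the vendor's originals or the infector itself.

```python
import re
from collections import Counter

# Constructed sample input: a few entries copied verbatim from the dropped-file
# listing above, in the same layout (a path line followed by "| ALGO | digest |"
# rows; memory/<pid>-<n>-<start>-<end>-memory.dmp lines carry no hashes).
SAMPLE = r"""
C:\Windows\directx.sys
| MD5 | c2b924a755022d340350d6489047a889 |
| SHA1 | 78f843ebd696be30470b8dbcd010b7a8f3190c5e |
| SHA256 | 83a600cbf99c3693a07feb28a55ba1a17536add8bc5e667c7db93d25d5634c93 |
memory/1164-289-0x0000000000400000-0x000000000041B000-memory.dmp
memory/932-239-0x0000000006380000-0x000000000639E000-memory.dmp
C:\PROGRA~2\Google\Update\DISABL~1.EXE
| MD5 | 2424d589d7997df1356c160a9a82088c |
| SHA256 | 9d6982a566148cf69cb6aec417baddca680e647931315736a6c19f2ba91c4d60 |
memory/4356-298-0x0000000000400000-0x000000000041B000-memory.dmp
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dropped_files(text):
    """Turn the listing into records: {"kind": "file", "path", "hashes"} or
    {"kind": "memory", "pid", "seq", "start", "end"}. Hash rows attach to the
    most recent file record; any other non-empty line starts a new file record.
    Short (8.3) path names are kept exactly as the report shows them."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current["hashes"][m.group(1).upper()] = m.group(2).lower()
            continue
        m = MEM_LINE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            records.append({"kind": "memory", "pid": int(pid), "seq": int(seq),
                            "start": int(start, 16), "end": int(end, 16)})
            current = None  # hash rows never follow a memory-dump line
            continue
        current = {"kind": "file", "path": line, "hashes": {}}
        records.append(current)
    return records


def malformed_hashes(records):
    """Digests whose length does not match the algorithm: a cheap check that
    copy/paste or extraction did not truncate an IOC before it gets used."""
    bad = []
    for r in records:
        if r["kind"] != "file":
            continue
        for algo, digest in r["hashes"].items():
            if len(digest) != DIGEST_LEN[algo]:
                bad.append((r["path"], algo))
    return bad


def sha256_iocs(records):
    """Sorted, de-duplicated SHA-256 values of every hashed file."""
    return sorted({r["hashes"]["SHA256"] for r in records
                   if r["kind"] == "file" and "SHA256" in r["hashes"]})


def region_size_histogram(records):
    """How often each dumped-region size recurs across processes. A size that
    repeats at the same base in many PIDs is worth diffing byte-for-byte."""
    return Counter(r["end"] - r["start"] for r in records if r["kind"] == "memory")


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    print(len(sha256_iocs(recs)), "SHA-256 IOCs;",
          malformed_hashes(recs) or "no malformed digests")
    for size, n in region_size_histogram(recs).most_common():
        print(f"region size 0x{size:X}: {n} dump(s)")
```

Run as-is it works on the embedded sample; feed it the whole listing by reading the page text into `parse_dropped_files`. The region-size histogram is the reason the memory entries are parsed rather than skipped: in the full listing the same `0x400000-0x41B000` region is dumped from dozens of different PIDs, and grouping by size makes that recurrence visible without any prior knowledge of the family.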