General Info

File name

b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5

Full analysis
https://app.any.run/tasks/8c13f19e-473b-42dc-bfee-ffe50f27d3bc
Verdict
Malicious activity
Analysis date
3/14/2019, 11:13:39
OS:
Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:

MIME:
application/x-dosexec
File info:
PE32 executable (GUI) Intel 80386, for MS Windows
MD5

a00d232d18b5e18ecec1de4fa452e910

SHA1

08a979cd93583a44bb813bbac3e73346b6110d14

SHA256

b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5

SSDEEP

98304:m7sFSNYIYbE9WlSIViIpLlingPpjvB8s54HrR+OE3B7p7jnDH+lc/K1tahgIdQKQ:m7RY/hEIVp7+wGs54M39pn7gHaL5+hp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.

Software environment set and analysis options

Launch configuration

Task duration
60 seconds
Additional time used
none
Fakenet option
off
Heavy Evasion option
on
MITM proxy
off
Route via Tor
off
Network geolocation
off
Privacy
Public submission
Autoconfirmation of UAC
on

Software preset

  • Internet Explorer 8.0.7601.17514
  • Adobe Acrobat Reader DC MUI (15.023.20070)
  • Adobe Flash Player 26 ActiveX (26.0.0.131)
  • Adobe Flash Player 26 NPAPI (26.0.0.131)
  • Adobe Flash Player 26 PPAPI (26.0.0.131)
  • Adobe Refresh Manager (1.8.0)
  • CCleaner (5.35)
  • FileZilla Client 3.36.0 (3.36.0)
  • Google Chrome (68.0.3440.106)
  • Google Update Helper (1.3.33.17)
  • Java 8 Update 92 (8.0.920.14)
  • Java Auto Updater (2.8.92.14)
  • Microsoft .NET Framework 4.6.1 (4.6.01055)
  • Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Professional 2010 (14.0.6029.1000)
  • Microsoft Office Proof (English) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (French) 2010 (14.0.6029.1000)
  • Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
  • Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
  • Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Office Single Image 2010 (14.0.6029.1000)
  • Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
  • Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
  • Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
  • Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
  • Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
  • Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
  • Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
  • Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
  • Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
  • Notepad++ (32-bit x86) (7.5.1)
  • Opera 12.15 (12.15.1748)
  • Skype version 8.29 (8.29)
  • VLC media player (2.2.6)
  • WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

  • Client LanguagePack Package
  • Client Refresh LanguagePack Package
  • CodecPack Basic Package
  • Foundation Package
  • IE Troubleshooters Package
  • InternetExplorer Optional Package
  • KB2534111
  • KB2999226
  • KB976902
  • LocalPack AU Package
  • LocalPack CA Package
  • LocalPack GB Package
  • LocalPack US Package
  • LocalPack ZA Package
  • ProfessionalEdition
  • UltimateEdition

Behavior activities

Executes PowerShell scripts
  • cmd.exe (PID: 3776)
  • cmd.exe (PID: 964)
  • cmd.exe (PID: 3740)
  • cmd.exe (PID: 2172)
Loads dropped or rewritten executable
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2964)
  • rundll32.exe (PID: 4056)
  • rundll32.exe (PID: 3680)
  • NTJjOGRkMz.exe (PID: 2364)
Application was dropped or rewritten from another process
  • nsEDED.tmp (PID: 3212)
  • nsFB22.tmp (PID: 3488)
  • nsFBF7.tmp (PID: 3292)
  • nsF169.tmp (PID: 3284)
  • nsFAA4.tmp (PID: 3340)
  • nsFE88.tmp (PID: 3596)
  • nsA09.tmp (PID: 3160)
  • ns99A.tmp (PID: 4064)
  • nsB72.tmp (PID: 2084)
  • nsA87.tmp (PID: 2264)
  • nsC5F.tmp (PID: 3644)
  • nsCDD.tmp (PID: 2704)
  • nsBE1.tmp (PID: 2588)
  • ns181A.tmp (PID: 2788)
  • ns1E84.tmp (PID: 3940)
  • ns1B09.tmp (PID: 2528)
  • NTJjOGRkMz.exe (PID: 3096)
  • ns1F7F.tmp (PID: 2420)
  • ns21F1.tmp (PID: 3180)
  • NTJjOGRkMz.exe (PID: 2240)
  • ns24F0.tmp (PID: 3208)
  • NTJjOGRkMz.exe (PID: 2588)
  • NTJjOGRkMz.exe (PID: 2364)
  • NTJjOGRkMz.exe (PID: 3012)
  • NTJjOGRkMz.exe (PID: 2548)
Starts NET.EXE for service management
  • nsFB22.tmp (PID: 3488)
Changes settings of System certificates
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
  • NTJjOGRkMz.exe (PID: 2240)
Connects to CnC server
  • NTJjOGRkMz.exe (PID: 2240)
Executable content was dropped or overwritten
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2964)
  • NTJjOGRkMz.exe (PID: 3096)
Creates files in the user directory
  • powershell.exe (PID: 3972)
  • powershell.exe (PID: 1324)
  • NTJjOGRkMz.exe (PID: 2364)
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
Starts application with an unusual extension
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2964)
Starts CMD.EXE for commands execution
  • nsEDED.tmp (PID: 3212)
  • nsF169.tmp (PID: 3284)
  • nsFBF7.tmp (PID: 3292)
  • nsFE88.tmp (PID: 3596)
Creates files in the program directory
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2964)
  • NTJjOGRkMz.exe (PID: 2240)
Starts SC.EXE for service management
  • nsFAA4.tmp (PID: 3340)
  • ns99A.tmp (PID: 4064)
  • NTJjOGRkMz.exe (PID: 3096)
  • ns1E84.tmp (PID: 3940)
  • ns1F7F.tmp (PID: 2420)
  • ns24F0.tmp (PID: 3208)
  • NTJjOGRkMz.exe (PID: 3012)
Removes files from Windows directory
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2964)
  • NTJjOGRkMz.exe (PID: 2240)
Uses REG.EXE to modify Windows registry
  • nsA09.tmp (PID: 3160)
  • nsA87.tmp (PID: 2264)
  • nsB72.tmp (PID: 2084)
  • nsC5F.tmp (PID: 3644)
  • nsBE1.tmp (PID: 2588)
  • nsCDD.tmp (PID: 2704)
Creates files in the Windows directory
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2964)
  • NTJjOGRkMz.exe (PID: 3096)
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
  • NTJjOGRkMz.exe (PID: 2240)
Changes tracing settings of the file or console
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
Creates or modifies windows services
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
Adds / modifies Windows certificates
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
Creates files in the driver directory
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
Application launched itself
  • NTJjOGRkMz.exe (PID: 2240)
  • rundll32.exe (PID: 4056)
Creates a software uninstall entry
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)
Uses RUNDLL32.EXE to load library
  • rundll32.exe (PID: 4056)
Dropped object may contain Bitcoin addresses
  • b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe (PID: 2156)

Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.

Static information

TRiD
.exe | Win32 Executable MS Visual C++ (generic) (42.2%)
.exe | Win64 Executable (generic) (37.3%)
.dll | Win32 Dynamic Link Library (generic) (8.8%)
.exe | Win32 Executable (generic) (6%)
.exe | Generic Win/DOS Executable (2.7%)
EXIF
EXE
MachineType:
Intel 386 or later, and compatibles
TimeStamp:
2010:12:07 14:21:18+01:00
PEType:
PE32
LinkerVersion:
10
CodeSize:
28672
InitializedDataSize:
4119040
UninitializedDataSize:
16896
EntryPoint:
0x3899
OSVersion:
5
ImageVersion:
6
SubsystemVersion:
5
Subsystem:
Windows GUI
Summary
Architecture:
IMAGE_FILE_MACHINE_I386
Subsystem:
IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:
07-Dec-2010 13:21:18
Detected languages
English - United States
DOS Header
Magic number:
MZ
Bytes on last page of file:
0x0090
Pages in file:
0x0003
Relocations:
0x0000
Size of header:
0x0004
Min extra paragraphs:
0x0000
Max extra paragraphs:
0xFFFF
Initial SS value:
0x0000
Initial SP value:
0x00B8
Checksum:
0x0000
Initial IP value:
0x0000
Initial CS value:
0x0000
Overlay number:
0x0000
OEM identifier:
0x0000
OEM information:
0x0000
Address of NE header:
0x000000D0
PE Headers
Signature:
PE
Machine:
IMAGE_FILE_MACHINE_I386
Number of sections:
6
Time date stamp:
07-Dec-2010 13:21:18
Pointer to Symbol Table:
0x00000000
Number of symbols:
0
Size of Optional Header:
0x00E0
Characteristics
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_EXECUTABLE_IMAGE
Sections
Name Virtual Address Virtual Size Raw Size Characteristics Entropy
.text 0x00001000 0x00006F1C 0x00007000 IMAGE_SCN_CNT_CODE,IMAGE_SCN_MEM_EXECUTE,IMAGE_SCN_MEM_READ 6.52395
.rdata 0x00008000 0x00002A62 0x00002C00 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.39054
.data 0x0000B000 0x003E66DC 0x00000200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 1.43086
.ndata 0x003F2000 0x00145000 0x00000000 IMAGE_SCN_CNT_UNINITIALIZED_DATA,IMAGE_SCN_MEM_READ,IMAGE_SCN_MEM_WRITE 0
.rsrc 0x00537000 0x00009168 0x00009200 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_READ 4.39929
.reloc 0x00541000 0x01C7620E 0x00003400 IMAGE_SCN_CNT_INITIALIZED_DATA,IMAGE_SCN_MEM_DISCARDABLE,IMAGE_SCN_MEM_READ 4.46399
Resources
1, 2, 3, 4, 102, 103, 104, 105, 106, 110, 111
Imports
    KERNEL32.dll
    USER32.dll
    GDI32.dll
    SHELL32.dll
    ADVAPI32.dll
    COMCTL32.dll
    ole32.dll
    VERSION.dll
Exports

    No exports.

Processes

Total processes
108
Monitored processes
54
Malicious processes
14
Suspicious processes
3

Behavior graph

[Behavior graph: rendered interactively in the full report. Its nodes are the processes of this task, almost all linked by "drop and start" edges (one plain "start" edge): the submitted sample b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe, its NSIS temporary stubs (ns*.tmp), cmd.exe, powershell.exe, sc.exe, net.exe, net1.exe, reg.exe, NTJjOGRkMz.exe and rundll32.exe. "no specs" marks a node with none of the spec flags listed below.]
Specs description
Program did not start
Integrity level elevation
Task contains an error or was rebooted
Process has crashed
Task contains several apps running
Executable file was dropped
Debug information is available
Process was injected
Network attacks were detected
Application downloaded the executable file
Actions similar to stealing personal data
Behavior similar to exploiting the vulnerability
Inspected object has suspicious PE structure
File is detected by antivirus software
CPU overrun
RAM overrun
Process starts the services
Process was added to the startup
Behavior similar to spam
Low-level access to the HDD
Probably Tor was used
System was rebooted
Connects to the network
Known threat

Process information

PID
3736
CMD
"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe"
Path
C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
Indicators
No indicators
Parent process
––
User
admin
Integrity Level
MEDIUM
Exit code
3221226540
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
c:\systemroot\system32\ntdll.dll

PID
2156
CMD
"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe"
Path
C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
Indicators
Parent process
––
User
admin
Integrity Level
HIGH
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\version.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\profapi.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\users\admin\appdata\local\temp\nspedec.tmp\nsexec.dll
c:\users\admin\appdata\local\temp\nspedec.tmp\nseded.tmp
c:\users\admin\appdata\local\temp\nspedec.tmp\nsf169.tmp
c:\users\admin\appdata\local\temp\nspedec.tmp\zcqaruuyswj.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\oleacc.dll
c:\windows\system32\authz.dll
c:\windows\system32\p2pgraph.dll
c:\windows\system32\esent.dll
c:\windows\system32\slc.dll
c:\windows\system32\xmllite.dll
c:\windows\system32\psapi.dll
c:\users\admin\appdata\local\temp\nspedec.tmp\fqevgaubjgl.dll
c:\windows\system32\winspool.drv
c:\windows\system32\comdlg32.dll
c:\windows\system32\resutils.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\winfax.dll
c:\windows\system32\snmpapi.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\oledlg.dll
c:\windows\system32\uxtheme.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\userenv.dll
c:\windows\system32\dwmapi.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\system.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ipconfig.dll
c:\windows\system32\wbem\wbemprox.dll
c:\windows\system32\wbemcomn.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\rpcrtremote.dll
c:\windows\system32\wbem\wbemsvc.dll
c:\windows\system32\wbem\fastprox.dll
c:\windows\system32\ntdsapi.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\md5dll.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\simplesc.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsiscrypt.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcp90.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsexec.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsfaa4.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsfb22.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\brh.dll
c:\windows\system32\rtutils.dll
c:\windows\system32\pdh.dll
c:\windows\system32\mprapi.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\iertutil.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns99a.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsa09.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsa87.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsb72.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsbe1.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsc5f.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nscdd.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\inetc.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\normaliz.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\schannel.dll
c:\windows\system32\rasapi32.dll
c:\windows\system32\rasman.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\nlaapi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\credssp.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\moreinfo.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nsislist.dll
c:\windows\system32\riched20.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns181a.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns1b09.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns1e84.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns1f7f.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns21f1.tmp
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns24f0.tmp

PID
3212
CMD
"C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsEDED.tmp" cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe\""
Path
C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsEDED.tmp
Indicators
No indicators
Parent process
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nspedec.tmp\nseded.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3776
CMD
cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe\""
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
nsEDED.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3972
CMD
powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe\"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\atl.dll
c:\windows\system32\lpk.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management.a#\a8e3a41ecbcc4bb1598ed5719f965110\system.management.automation.ni.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.core\fbc05b5b05dc6366b02b8e2f77d080f1\system.core.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.configuratio#\f02737c83305687a68c088927a6c5a98\system.configuration.install.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.transactions\ad18f93fc713db2c4b29b25116c13bd8\system.transactions.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\82d7758f278f47dc4191abab1cb11ce3\microsoft.powershell.commands.utility.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\6c5bef3ab74c06a641444eff648c0dde\microsoft.powershell.security.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.xml\461d3b6b3f43e6fbe6c897d5936e17e4\system.xml.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.directoryser#\45ec12795950a7d54691591c615a9e3c\system.directoryservices.ni.dll
c:\windows\system32\shfolder.dll
c:\windows\system32\secur32.dll
c:\windows\system32\sspicli.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.data\1e85062785e286cd9eae9c26d2c61f73\system.data.ni.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorjit.dll
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\netutils.dll

PID
3284
CMD
"C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsF169.tmp" cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\""
Path
C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsF169.tmp
Indicators
No indicators
Parent process
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nspedec.tmp\nsf169.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3740
CMD
cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\""
Path
C:\Windows\system32\cmd.exe
Indicators
No indicators
Parent process
nsF169.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows Command Processor
Version
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Image
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
1324
CMD
powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\"
Path
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators
No indicators
Parent process
cmd.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Microsoft Corporation
Description
Windows PowerShell
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\shell32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\propsys.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shdocvw.dll
c:\windows\system32\linkinfo.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\slc.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\rsaenh.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\version.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\winsxs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.4940_none_d08cc06a442b34fc\msvcr80.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system\9e0a3b9b9f457233a335d7fba8f95419\system.ni.dll

PID: 3340
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsFAA4.tmp" sc create -- binPath= ""C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe" /wl 1"
Path: C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsFAA4.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description:
  Version:

PID: 2836
CMD: sc create -- binPath= ""C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe" /wl 1"
Path: C:\Windows\system32\sc.exe
Indicators: No indicators
Parent process: nsFAA4.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: A tool to aid in developing services for WindowsNT
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3488
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsFB22.tmp" net start --
Path: C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsFB22.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: admin
Integrity Level: HIGH
Exit code: 2
Version:
  Company:
  Description:
  Version:

PID: 4048
CMD: net start --
Path: C:\Windows\system32\net.exe
Indicators: No indicators
Parent process: nsFB22.tmp
User: admin
Integrity Level: HIGH
Exit code: 2
Version:
  Company: Microsoft Corporation
  Description: Net Command
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2452
CMD: C:\Windows\system32\net1 start --
Path: C:\Windows\system32\net1.exe
Indicators: No indicators
Parent process: net.exe
User: admin
Integrity Level: HIGH
Exit code: 2
Version:
  Company: Microsoft Corporation
  Description: Net Command
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2964
CMD: C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe /wl 1
Path: C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
Indicators:
Parent process: ––
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 2
Version:
  Company:
  Description:
  Version:

PID: 3292
CMD: "C:\Windows\TEMP\nsvFBF6.tmp\nsFBF7.tmp" cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe\""
Path: C:\Windows\TEMP\nsvFBF6.tmp\nsFBF7.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 1
Version:
  Company:
  Description:
  Version:

PID: 964
CMD: cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe\""
Path: C:\Windows\system32\cmd.exe
Indicators: No indicators
Parent process: nsFBF7.tmp
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 1
Version:
  Company: Microsoft Corporation
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2348
CMD: powershell -command Add-MpPreference -ExclusionPath \"C:\Users\admin\AppData\Local\Temp\b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe\"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators: No indicators
Parent process: cmd.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 1
Version:
  Company: Microsoft Corporation
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3596
CMD: "C:\Windows\TEMP\nsvFBF6.tmp\nsFE88.tmp" cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Windows\TEMP\nsvFBF6.tmp\""
Path: C:\Windows\TEMP\nsvFBF6.tmp\nsFE88.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 1
Version:
  Company:
  Description:
  Version:

PID: 2172
CMD: cmd /c "powershell -command Add-MpPreference -ExclusionPath \"C:\Windows\TEMP\nsvFBF6.tmp\""
Path: C:\Windows\system32\cmd.exe
Indicators: No indicators
Parent process: nsFE88.tmp
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 1
Version:
  Company: Microsoft Corporation
  Description: Windows Command Processor
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2420
CMD: powershell -command Add-MpPreference -ExclusionPath \"C:\Windows\TEMP\nsvFBF6.tmp\"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Indicators: No indicators
Parent process: cmd.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 1
Version:
  Company: Microsoft Corporation
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4064
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns99A.tmp" sc delete --
Path: C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns99A.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description:
  Version:

PID: 2924
CMD: sc delete --
Path: C:\Windows\system32\sc.exe
Indicators: No indicators
Parent process: ns99A.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: A tool to aid in developing services for WindowsNT
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3160
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsA09.tmp" reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
Path: C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsA09.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description:
  Version:

PID: 3692
CMD: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
Path: C:\Windows\system32\reg.exe
Indicators: No indicators
Parent process: nsA09.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Registry Console Tool
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2264
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsA87.tmp" reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:32
Path: C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsA87.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description:
  Version:

PID: 2832
CMD: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:32
Path: C:\Windows\system32\reg.exe
Indicators: No indicators
Parent process: nsA87.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Registry Console Tool
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2084
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsB72.tmp" reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:64
Path: C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsB72.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description:
  Version:

PID: 3968
CMD: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:64
Path: C:\Windows\system32\reg.exe
Indicators: No indicators
Parent process: nsB72.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Registry Console Tool
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2588
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsBE1.tmp" reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Path: C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsBE1.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description:
  Version:

PID: 3176
CMD: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
Path: C:\Windows\system32\reg.exe
Indicators: No indicators
Parent process: nsBE1.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Registry Console Tool
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3644
CMD: "C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsC5F.tmp" reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32
Path: C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsC5F.tmp
Indicators: No indicators
Parent process: b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company:
  Description:
  Version:

PID: 3548
CMD: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32
Path: C:\Windows\system32\reg.exe
Indicators: No indicators
Parent process: nsC5F.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Version:
  Company: Microsoft Corporation
  Description: Registry Console Tool
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID
2704
CMD
"C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsCDD.tmp" reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64
Path
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsCDD.tmp
Indicators
No indicators
Parent process
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\nscdd.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3468
CMD
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64
Path
C:\Windows\system32\reg.exe
Indicators
No indicators
Parent process
nsCDD.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Registry Console Tool
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\reg.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2788
CMD
"C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns181A.tmp" "C:\Program Files\MDEyO\NTJjOGRkMz.exe" --uninstall
Path
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns181A.tmp
Indicators
No indicators
Parent process
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User
admin
Integrity Level
HIGH
Exit code
3221225501
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns181a.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID
2528
CMD
"C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns1B09.tmp" "C:\Program Files\MDEyO\NTJjOGRkMz.exe" --install_updater 0
Path
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns1B09.tmp
Indicators
No indicators
Parent process
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns1b09.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll
c:\program files\mdeyo\ntjjogrkmz.exe

PID
3096
CMD
"C:\Program Files\MDEyO\NTJjOGRkMz.exe" --install_updater 0
Path
C:\Program Files\MDEyO\NTJjOGRkMz.exe
Indicators
Parent process
ns1B09.tmp
User
admin
Integrity Level
HIGH
Exit code
1
Version:
Company
Description
Version
13.14.1.312
Modules
Image
c:\program files\mdeyo\ntjjogrkmz.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\resutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\apphelp.dll

PID
2788
CMD
sc create ODA0YzZiNDAyO binPath= "rundll32.exe C:\Windows\xvdduwfj.xxd OJwAhyiDBMEqMzoP" start= auto
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
NTJjOGRkMz.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\imm32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns181a.tmp
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll

PID
2716
CMD
sc failure ODA0YzZiNDAyO reset= 30 actions= restart/5000
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
NTJjOGRkMz.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3940
CMD
"C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns1E84.tmp" sc create ODkwMjIxMTZkZ binpath= "C:\Windows\system32\drivers\ODkwMjIxMTZkZ" DisplayName= ODkwMjIxMTZkZ type= kernel start= system group= PNP_TDI
Path
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns1E84.tmp
Indicators
No indicators
Parent process
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns1e84.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
3828
CMD
sc create ODkwMjIxMTZkZ binpath= "C:\Windows\system32\drivers\ODkwMjIxMTZkZ" DisplayName= ODkwMjIxMTZkZ type= kernel start= system group= PNP_TDI
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
ns1E84.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2420
CMD
"C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns1F7F.tmp" sc start ODkwMjIxMTZkZ
Path
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns1F7F.tmp
Indicators
No indicators
Parent process
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\windows\microsoft.net\framework\v2.0.50727\diasymreader.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\nsi.dll
c:\windows\assembly\gac_32\system.data\2.0.0.0__b77a5c561934e089\system.data.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\shfolder.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\system.management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\system.management.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\culture.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\583c7b9f52114c026088bdb9f19f64e8\microsoft.powershell.commands.management.ni.dll
c:\windows\assembly\gac_32\system.transactions\2.0.0.0__b77a5c561934e089\system.transactions.dll
c:\windows\assembly\gac_msil\microsoft.wsman.runtime\1.0.0.0__31bf3856ad364e35\microsoft.wsman.runtime.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.wsman.man#\f1865caa683ceb3d12b383a94a35da14\microsoft.wsman.management.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\e112e4460a0c9122de8c382126da4a2f\microsoft.powershell.commands.diagnostics.ni.dll
c:\windows\system32\rsaenh.dll
c:\windows\assembly\gac_msil\system.management.automation\1.0.0.0__31bf3856ad364e35\system.management.automation.dll
c:\windows\system32\psapi.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\microsoft.powershel#\4bdde288f147e3b3f2c090ecdf704e6d\microsoft.powershell.consolehost.ni.dll
c:\windows\assembly\nativeimages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll
c:\windows\microsoft.net\framework\v2.0.50727\mscorwks.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
c:\windows\system32\cscapi.dll
c:\windows\system32\ntshrui.dll
c:\windows\system32\propsys.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\clbcatq.dll
c:\windows\system32\msctf.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\atl.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns1f7f.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\apphelp.dll

PID
3632
CMD
sc start ODkwMjIxMTZkZ
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
ns1F7F.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
3180
CMD
"C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns21F1.tmp" "C:\Program Files\MDEyO\NTJjOGRkMz.exe" --service
Path
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns21F1.tmp
Indicators
No indicators
Parent process
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns21f1.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
2588
CMD
"C:\Program Files\MDEyO\NTJjOGRkMz.exe" --service
Path
C:\Program Files\MDEyO\NTJjOGRkMz.exe
Indicators
No indicators
Parent process
ns21F1.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
13.14.1.312
Modules
Image
c:\windows\system32\msctf.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernelbase.dll
c:\systemroot\system32\ntdll.dll
c:\program files\mdeyo\ntjjogrkmz.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\resutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\sechost.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\psapi.dll

PID
3208
CMD
"C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns24F0.tmp" sc failure MDEyO reset= 60 actions= restart/5000/restart/5000/restart/5000
Path
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns24F0.tmp
Indicators
No indicators
Parent process
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Description
Version
Modules
Image
c:\users\admin\appdata\local\temp\nsjf7c5.tmp\ns24f0.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\apphelp.dll

PID
4032
CMD
sc failure MDEyO reset= 60 actions= restart/5000/restart/5000/restart/5000
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
ns24F0.tmp
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
2240
CMD
"C:\Program Files\MDEyO\NTJjOGRkMz.exe"
Path
C:\Program Files\MDEyO\NTJjOGRkMz.exe
Indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Description
Version
13.14.1.312
Modules
Image
c:\program files\mdeyo\ntjjogrkmz.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\resutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\credssp.dll
c:\windows\system32\netapi32.dll
c:\windows\system32\netutils.dll
c:\windows\system32\srvcli.dll
c:\windows\system32\wkscli.dll
c:\windows\system32\mswsock.dll
c:\windows\system32\wshqos.dll
c:\windows\system32\wshtcpip.dll
c:\windows\system32\wship6.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\rsaenh.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rasadhlp.dll
c:\windows\system32\fwpuclnt.dll
c:\windows\system32\winsta.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\schannel.dll
c:\windows\system32\secur32.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\gpapi.dll
c:\windows\system32\cryptnet.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\sensapi.dll
c:\windows\system32\dhcpcsvc6.dll
c:\windows\system32\dhcpcsvc.dll
c:\windows\system32\cabinet.dll
c:\windows\system32\devrtl.dll

PID
2364
CMD
"C:\Program Files\MDEyO\NTJjOGRkMz.exe" c0NWRlYjYw jBjYmU4Yj Y2Q3ZDI3Y jVkMT iNzljMm jFkN2QwZDF ZmExMTc0 YTJiNmYxOD
Path
C:\Program Files\MDEyO\NTJjOGRkMz.exe
Indicators
No indicators
Parent process
NTJjOGRkMz.exe
User
admin
Integrity Level
MEDIUM
Exit code
0
Version:
Company
Description
Version
13.14.1.312
Modules
Image
c:\program files\mdeyo\ntjjogrkmz.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\resutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\psapi.dll
c:\program files\mdeyo\nss3.dll
c:\program files\mdeyo\softokn3.dll
c:\program files\mdeyo\plc4.dll
c:\program files\mdeyo\nspr4.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\winmm.dll
c:\program files\mdeyo\mozcrt19.dll
c:\program files\mdeyo\plds4.dll

PID
2548
CMD
"C:\Program Files\MDEyO\NTJjOGRkMz.exe" --install_updater 0
Path
C:\Program Files\MDEyO\NTJjOGRkMz.exe
Indicators
No indicators
Parent process
NTJjOGRkMz.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
1
Version:
Company
Description
Version
13.14.1.312
Modules
Image
c:\program files\mdeyo\ntjjogrkmz.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\resutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\psapi.dll

PID
3012
CMD
"C:\Program Files\MDEyO\NTJjOGRkMz.exe" --start_watcher_delay 30
Path
C:\Program Files\MDEyO\NTJjOGRkMz.exe
Indicators
No indicators
Parent process
NTJjOGRkMz.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
1
Version:
Company
Description
Version
13.14.1.312
Modules
Image
c:\program files\mdeyo\ntjjogrkmz.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\resutils.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\clusapi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\cryptdll.dll
c:\windows\system32\powrprof.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\devobj.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\p2p.dll
c:\windows\system32\p2pcollab.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\system32\api-ms-win-core-synch-l1-2-0.dll
c:\windows\system32\cryptbase.dll
c:\windows\system32\clbcatq.dll
c:\program files\common files\system\ado\msado15.dll
c:\windows\system32\msdart.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\psapi.dll
c:\windows\system32\apphelp.dll

PID
3868
CMD
sc start ODA0YzZiNDAyO
Path
C:\Windows\system32\sc.exe
Indicators
No indicators
Parent process
NTJjOGRkMz.exe
User
SYSTEM
Integrity Level
SYSTEM
Exit code
0
Version:
Company
Microsoft Corporation
Description
A tool to aid in developing services for WindowsNT
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\sc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

PID
4056
CMD
rundll32.exe C:\Windows\xvdduwfj.xxd OJwAhyiDBMEqMzoP
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
––
User
SYSTEM
Integrity Level
SYSTEM
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\xvdduwfj.xxd
c:\windows\system32\secur32.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wtsapi32.dll
c:\windows\system32\winsta.dll

PID
3680
CMD
"rundll32.exe" C:\Windows\xvdduwfj.xxd OJwAhyiDBMEqMzoP perform_update
Path
C:\Windows\system32\rundll32.exe
Indicators
No indicators
Parent process
rundll32.exe
User
admin
Integrity Level
HIGH
Exit code
0
Version:
Company
Microsoft Corporation
Description
Windows host process (Rundll32)
Version
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Image
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\aclayers.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ole32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\userenv.dll
c:\windows\system32\profapi.dll
c:\windows\system32\winspool.drv
c:\windows\system32\mpr.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll
c:\windows\xvdduwfj.xxd
c:\windows\system32\secur32.dll
c:\windows\system32\version.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winhttp.dll
c:\windows\system32\webio.dll
c:\windows\system32\wldap32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\wininet.dll
c:\windows\system32\urlmon.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\wtsapi32.dll
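
The process records above form one installer chain. The nsjF7C5.tmp directory and the nsXXXX.tmp helper executables that launch each child are NSIS plugin conventions; through them the installer disables delivery of the Malicious Software Removal Tool via Windows Update (DontOfferThroughWUAU, written under both the 32-bit and 64-bit registry views), registers a kernel-mode service for a driver file with no .sys extension, registers an auto-start service whose binary is rundll32.exe loading C:\Windows\xvdduwfj.xxd, and sets restart-on-failure actions for two of the services (ODA0YzZiNDAyO and MDEyO). The Python script below is an added example by the editor, not ANY.RUN's code and not part of this report: it runs simple triage rules over a constructed sample of those command lines (copied from the records above, with one benign-looking launch kept as a control) and reports which rule each process trips. The rule names and the list of "normal" rundll32 extensions are the editor's choices.

```python
"""Triage the process records of this report for the persistence and
defense-evasion commands they contain. Added example by the editor,
not ANY.RUN's code; the rules below are the editor's own."""
import ntpath
import re

# Constructed sample: PID, parent and command line copied from the records
# above (one benign-looking launch kept as a control).
SAMPLE_PROCESSES = [
    {"pid": 3548, "parent": "nsC5F.tmp", "cmd":
     r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32"},
    {"pid": 2788, "parent": "NTJjOGRkMz.exe", "cmd":
     r'sc create ODA0YzZiNDAyO binPath= "rundll32.exe C:\Windows\xvdduwfj.xxd OJwAhyiDBMEqMzoP" start= auto'},
    {"pid": 2716, "parent": "NTJjOGRkMz.exe", "cmd":
     r"sc failure ODA0YzZiNDAyO reset= 30 actions= restart/5000"},
    {"pid": 3828, "parent": "ns1E84.tmp", "cmd":
     r'sc create ODkwMjIxMTZkZ binpath= "C:\Windows\system32\drivers\ODkwMjIxMTZkZ" DisplayName= ODkwMjIxMTZkZ type= kernel start= system group= PNP_TDI'},
    {"pid": 3680, "parent": "rundll32.exe", "cmd":
     r'"rundll32.exe" C:\Windows\xvdduwfj.xxd OJwAhyiDBMEqMzoP perform_update'},
    {"pid": 2240, "parent": "--", "cmd": r'"C:\Program Files\MDEyO\NTJjOGRkMz.exe"'},
]

# Extensions rundll32 is normally asked to load; anything else deserves a look.
LOADABLE_EXT = {".dll", ".cpl", ".ocx", ".ax", ".drv"}

def sc_args(cmd):
    """(verb, service, {option: value}) for an sc.exe command line, else None.
    sc's syntax is 'option= value' with the space after '=' mandatory."""
    m = re.match(r'\s*"?sc(?:\.exe)?"?\s+(\w+)\s+(\S+)\s*(.*)$', cmd, re.I)
    if not m:
        return None
    opts = {k.lower(): v.strip('"')
            for k, v in re.findall(r'(\w+)=\s*("[^"]*"|\S+)', m.group(3))}
    return m.group(1).lower(), m.group(2), opts

def rundll32_module(cmdline):
    """Path of the module a rundll32 command line loads, or None."""
    m = re.match(r'\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+("[^"]+"|\S+)', cmdline, re.I)
    return m.group(1).strip('"').split(",")[0] if m else None

def triage(proc):
    """Names of the rules that fire for one process record."""
    cmd, hits = proc["cmd"], []
    if re.search(r"\breg(?:\.exe)?\s+add\s+\S*\\Policies\\Microsoft\\MRT\b", cmd, re.I) \
            and re.search(r"/v\s+DontOfferThroughWUAU\b.*/d\s+1\b", cmd, re.I):
        hits.append("msrt-suppressed")        # MSRT no longer offered via WU/AU
    mod = rundll32_module(cmd)                # rundll32 launched directly
    sc = sc_args(cmd)
    if sc:
        verb, _name, opts = sc
        binpath = opts.get("binpath", "")
        if verb == "create" and opts.get("type", "").lower() == "kernel" \
                and ntpath.splitext(binpath)[1].lower() != ".sys":
            hits.append("kernel-driver-no-sys-ext")
        if verb == "create" and rundll32_module(binpath):
            hits.append("service-hosted-by-rundll32")
            mod = rundll32_module(binpath)    # rundll32 hidden inside a service binPath
        if verb == "failure" and "restart" in opts.get("actions", "").lower():
            hits.append("service-auto-restart")  # self-healing persistence
    if mod and ntpath.splitext(mod)[1].lower() not in LOADABLE_EXT:
        hits.append("rundll32-odd-extension")
    return hits

def triage_report(procs):
    """{pid: [rules]} for every record that triggered at least one rule."""
    return {p["pid"]: triage(p) for p in procs if triage(p)}

if __name__ == "__main__":
    for pid, rules in triage_report(SAMPLE_PROCESSES).items():
        print(pid, ", ".join(rules))
```

Run against the sample, the report flags PIDs 3548, 2788, 2716, 3828 and 3680 and leaves 2240 alone. The same rules work on Sysmon event 1 or 4688 command lines; the kernel-driver rule in particular is cheap and rarely noisy, since legitimate drivers are registered with a .sys image path.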

Registry activity

Total events
1096
Read events
894
Write events
202
Delete events
0

Modification events

PID
Process
Operation
Key
Name
Value
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
EnableFileTracing
0
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
EnableConsoleTracing
0
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
FileTracingMask
4294901760
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
ConsoleTracingMask
4294901760
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
MaxFileSize
1048576
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
FileDirectory
%windir%\tracing
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
EnableFileTracing
0
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
EnableConsoleTracing
0
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
FileTracingMask
4294901760
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
ConsoleTracingMask
4294901760
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
MaxFileSize
1048576
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
FileDirectory
%windir%\tracing
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyEnable
0
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
SavedLegacySettings
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
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
Blob
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
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ODA0YzZiNDAyO
aid
3673
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\SrcAAAesom Browser Enhancer
mid
bd232adea4e970199b37e073c5dfb03e
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\SrcAAAesom Browser Enhancer
uid
4E6866CC50C0449534CA9B289FFFC4CB
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\SrcAAAesom Browser Enhancer
aid
3673
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\SrcAAAesom Browser Enhancer
aid2
none
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\SrcAAAesom Browser Enhancer
ts
1552558433
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\SrcAAAesom Browser Enhancer
ts2
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_CURRENT_USER\Software\WajIEnhance
unique_id
4E6866CC50C0449534CA9B289FFFC4CB
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_CURRENT_USER\Software\WajIEnhance
affiliate_id
3673
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\25202277BB498FB6C51E85DA2371D2EA3C4C2DEC
Blob
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDEyO
DisplayName
SearchAwesome
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDEyO
DisplayIcon
C:\Windows\ZWY3N2NlMDA2ZGIyMzc.exe
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDEyO
UninstallString
C:\Windows\ZWY3N2NlMDA2ZGIyMzc.exe
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDEyO
DisplayVersion
13.14.1.312 (i1.0)
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDEyO
URLInfoAbout
https://technologietazo.com
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDEyO
Publisher
SearchAwesome
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MDEyO
InstallLocation
C:\Program Files\MDEyO
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
UNCAsIntranet
0
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
AutoDetect
1
3972
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
1324
powershell.exe
write
HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\uninstaller.dat
0
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\ZWY3N2NlMDA2ZGIyMzc.exe
0
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\system32\drivers\ODkwMjIxMTZkZ
0
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Program Files\MDEyO
0
3692
reg.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontReportInfectionInformation
1
2832
reg.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontReportInfectionInformation
1
3968
reg.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontReportInfectionInformation
1
3176
reg.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontOfferThroughWUAU
1
3548
reg.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontOfferThroughWUAU
1
3468
reg.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT
DontOfferThroughWUAU
1
2588
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9
LocalService
MDEyO
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
c:\program files\mdeyo\
0
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\System32\drivers\ODkwMjIxMTZkZ.sys
0
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\ZWY3N2NlMDA2ZGIyMzc
0
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\System32\drivers\ODkwMjIxMTZkZ
0
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\25202277BB498FB6C51E85DA2371D2EA3C4C2DEC
Blob
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TCPIP6\Parameters
DisabledComponents
8
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters
DisableTaskOffload
1
2240
NTJjOGRkMz.exe
write
HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\5F\52C64B7E
LanguageList
en-US
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\25202277BB498FB6C51E85DA2371D2EA3C4C2DEC
Blob
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\25202277BB498FB6C51E85DA2371D2EA3C4C2DEC
Blob
2240
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\25202277BB498FB6C51E85DA2371D2EA3C4C2DEC
Blob
2548
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
c:\program files\mdeyo\
0
2548
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\System32\drivers\ODkwMjIxMTZkZ.sys
0
2548
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\ZWY3N2NlMDA2ZGIyMzc
0
2548
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\System32\drivers\ODkwMjIxMTZkZ
0
3012
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
c:\program files\mdeyo\
0
3012
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\System32\drivers\ODkwMjIxMTZkZ.sys
0
3012
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\ZWY3N2NlMDA2ZGIyMzc
0
3012
NTJjOGRkMz.exe
write
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
C:\Windows\System32\drivers\ODkwMjIxMTZkZ
0

Files activity

Executable files
43
Suspicious files
18
Text files
6
Unknown types
71

Dropped files

PID
Process
Filename
Type
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsExec.dll
executable
MD5: 6cb1e608b65b83dad598cc5ff10697c6
SHA256: 8e565626c37c33144d88df65dc4c25ff3aa0eec980b2c3b1e46def3faaf44b74
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsFB22.tmp
executable
MD5: 48ae036ea5f9100bab7a41d1c61edcfe
SHA256: 1298c1a1e5adae488a5924d711767aec709de66097389b427f482473e5fa3755
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\system32\drivers\ODkwMjIxMTZkZ
executable
MD5: 0210fcc31fde7743e293c5b79b7d7520
SHA256: a789bb42ac21ec852c459842bd95b7be8d3b0a58c1b82741714d4df5615ab3c0
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsExec.dll
executable
MD5: 35200be9cf105f3defe2ae0ee44cea12
SHA256: 0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527
3096
NTJjOGRkMz.exe
C:\Windows\xvdduwfj.xxd
executable
MD5: 606220202c2b7f2bf0cca4030df36afa
SHA256: 45c6ae6c47dd903b1de9fefedfc43ef8d4f0caa4fecf533d925665a0a8ff52bc
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsFAA4.tmp
executable
MD5: 48ae036ea5f9100bab7a41d1c61edcfe
SHA256: 1298c1a1e5adae488a5924d711767aec709de66097389b427f482473e5fa3755
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\softokn3.dll
executable
MD5: b2ad88dd7b83b62695b764d1dadfc15d
SHA256: 80984e8751d01e0bb1be9d2449402b9c90dd80f795cabddd50b720be8059e037
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\SimpleSC.dll
executable
MD5: d63975ce28f801f236c4aca5af726961
SHA256: e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\nspr4.dll
executable
MD5: 32b2685234074047263d4a0cc8bf5d56
SHA256: f0daff0ebf53489e1f1c4170c26a1f1a97c15ef95bc28b2aee9124a3faca78a3
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\NsisCrypt.dll
executable
MD5: a3e9024e53c55893b1e4f62a2bd93ca8
SHA256: 7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nsvFBF6.tmp\nsExec.dll
executable
MD5: 6cb1e608b65b83dad598cc5ff10697c6
SHA256: 8e565626c37c33144d88df65dc4c25ff3aa0eec980b2c3b1e46def3faaf44b74
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\plc4.dll
executable
MD5: 1cce55587f95d57759e36f387c4f9dee
SHA256: 4860d9f733cde8de491f7e1249dd8e124f2cc18b9dab15e69a41740ca8a288f0
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns1B09.tmp
executable
MD5: 48ae036ea5f9100bab7a41d1c61edcfe
SHA256: 1298c1a1e5adae488a5924d711767aec709de66097389b427f482473e5fa3755
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\md5dll.dll
executable
MD5: 7059f133ea2316b9e7e39094a52a8c34
SHA256: 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nsvFBF6.tmp\nsFBF7.tmp
executable
MD5: 763fbc0305f3dbc7503ec8b72a940cc8
SHA256: 96df754f8621e111fd86c6b836908a806022567f76e40b878f60473e1815c5c5
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\mozcrt19.dll
executable
MD5: 0847bc96e23565dbae072ca335a212c9
SHA256: 9249895d827d088f1945cd0a227f102e7e0a65eba2244b7d8a67cb007438eb54
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\NTJjOGRkMz.exe
executable
MD5: a1cb84bc3b8c112d431798f3a687e3ae
SHA256: f47c8166a6e4d2030f5d846503e9588f34e4a03665876f49e6f17435be138c94
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\IpConfig.dll
executable
MD5: a75e3775daac9958610ce1308e0bca3b
SHA256: fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nsvFBF6.tmp\nsFE88.tmp
executable
MD5: 763fbc0305f3dbc7503ec8b72a940cc8
SHA256: 96df754f8621e111fd86c6b836908a806022567f76e40b878f60473e1815c5c5
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\nss3.dll
executable
MD5: 09cacf1074663b90a88c2345f42425ff
SHA256: 775aac71a08eb6780098c8b080ab910ebb1d62635356e294bc8ff24c98e24357
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\NSISList.dll
executable
MD5: 4b0617493f32b2b5fe5e838eeb885819
SHA256: df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\System.dll
executable
MD5: 9625d5b1754bc4ff29281d415d27a0fd
SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nsvFBF6.tmp\ZCqaruUySWJ.dll
executable
MD5: df9fe2db24e662f4ded8b4be5fd91abc
SHA256: 1e2fb713b17fe441a90728f7c02bb68b2fc6449d73a08c33fd334a93104f2b89
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns1F7F.tmp
executable
MD5: 48ae036ea5f9100bab7a41d1c61edcfe
SHA256: 1298c1a1e5adae488a5924d711767aec709de66097389b427f482473e5fa3755
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\MoreInfo.dll
executable
MD5: bd393029cc49b415b6c9aeb8a4936516
SHA256: 227a4fc9408a44faa5eca608a974bd536814f97b8a4d28b4cac479727167b026
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\fqevGAuBjgL.dll
executable
MD5: 41c479086355c2acb263c6643ba1187c
SHA256: 3c2fad1eafb2184f894ff582906fdeba84efa65cc6ecab9e68d24d0013a4dab7
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nsvFBF6.tmp\fqevGAuBjgL.dll
executable
MD5: 41c479086355c2acb263c6643ba1187c
SHA256: 3c2fad1eafb2184f894ff582906fdeba84efa65cc6ecab9e68d24d0013a4dab7
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns21F1.tmp
executable
MD5: 48ae036ea5f9100bab7a41d1c61edcfe
SHA256: 1298c1a1e5adae488a5924d711767aec709de66097389b427f482473e5fa3755
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nso448.tmp\System.dll
executable
MD5: 9625d5b1754bc4ff29281d415d27a0fd
SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\ZCqaruUySWJ.dll
executable
MD5: df9fe2db24e662f4ded8b4be5fd91abc
SHA256: 1e2fb713b17fe441a90728f7c02bb68b2fc6449d73a08c33fd334a93104f2b89
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nso448.tmp\IpConfig.dll
executable
MD5: a75e3775daac9958610ce1308e0bca3b
SHA256: fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\ZWY3N2NlMDA2ZGIyMzc.exe
executable
MD5: b111e275b9921831e03459a1d5cc2d19
SHA256: c3f2371c850215231a7de600294cb2f24a7eba3308d045d3aa7515c36db73a01
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nso448.tmp\md5dll.dll
executable
MD5: 7059f133ea2316b9e7e39094a52a8c34
SHA256: 32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsF169.tmp
executable
MD5: 763fbc0305f3dbc7503ec8b72a940cc8
SHA256: 96df754f8621e111fd86c6b836908a806022567f76e40b878f60473e1815c5c5
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nso448.tmp\SimpleSC.dll
executable
MD5: d63975ce28f801f236c4aca5af726961
SHA256: e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\ZWY3N2NlMDA2ZGIyMzc.exe
executable
MD5: b111e275b9921831e03459a1d5cc2d19
SHA256: c3f2371c850215231a7de600294cb2f24a7eba3308d045d3aa7515c36db73a01
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\inetc.dll
executable
MD5: 1fc1fbb2c7a14b7901fc9abbd6dbef10
SHA256: 4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\nsEDED.tmp
executable
MD5: 763fbc0305f3dbc7503ec8b72a940cc8
SHA256: 96df754f8621e111fd86c6b836908a806022567f76e40b878f60473e1815c5c5
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\brh.dll
executable
MD5: f37c75c9d71724a4916ffbac31386698
SHA256: 7291108fe72d313c5966e2ff630a2d99aa716f9d17bceb9547aa719119faf280
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nso448.tmp\NsisCrypt.dll
executable
MD5: a3e9024e53c55893b1e4f62a2bd93ca8
SHA256: 7183cf34924885dbadb7f3af7f1b788f23b337144ab69cd0d89a5134a74263ad
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsA09.tmp
executable
MD5: 48ae036ea5f9100bab7a41d1c61edcfe
SHA256: 1298c1a1e5adae488a5924d711767aec709de66097389b427f482473e5fa3755
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsBE1.tmp
executable
MD5: 48ae036ea5f9100bab7a41d1c61edcfe
SHA256: 1298c1a1e5adae488a5924d711767aec709de66097389b427f482473e5fa3755
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\plds4.dll
executable
MD5: 9b31fe86fac03999982dccbe2a0103ac
SHA256: 503fcc35a3c471c3990ebe3f9f41e6f5b33b7982cb34b60149755963866fd120
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\OTVlZDMwMmFjYj.ico
image
MD5: 41d6e02d9ee1d65e8ec367b8fb0c35b7
SHA256: 029b6231ba7bab4beb6ada1c1403d09e8bf2a44832acbd9ef0417e393a4dc167
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns1E84.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\4451.tmp-shm
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\4450.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\service.dat
binary
MD5: 206b6a6501ff524f4b36a96a211c88b3
SHA256: 5c6cf1b0763d6c63c116bfeb2d0e7b58276333e0b76bc5c98c10f4500f7f4596
2240
NTJjOGRkMz.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
der
MD5: 726b2cfa018debe154d8961dff88097b
SHA256: ae607ca3ce628f14fba021e039a8755f67f72da29caa646933a7da37f985b206
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns181A.tmp
––
MD5:  ––
SHA256:  ––
2240
NTJjOGRkMz.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
binary
MD5: 21348e31b79634e1c1016031001184f5
SHA256: f7149aa3b8d0c7c3223702eb07138ad09a7b3070e5661781bb13a27c890924f3
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\uninstaller.dat
binary
MD5: 195e765c33f5ce713af5686ce53ac32d
SHA256: 8add46856cf016cb1bae418aee4112780100a5ba9e7ad76001d29f6fbf75e648
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\ProgramData\boost_interprocess\1542701696\xbfGtHYZiHMH
abr
MD5: a396c59a96af3b36d364448c7b687fb1
SHA256: 659d36ca563ba4622daabb36a71dafaf6060cdcbf89bb12e75426198496d272c
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsd1077.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\WBE_uninstall.dat
binary
MD5: 5d054f21b4fbcb0864d225657065c252
SHA256: 865d0e51dd1cc2f5cd87de8f7390dc7a4ba7747dea0176ecbf077dd097a6ddf8
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsCDD.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsC5F.tmp
––
MD5:  ––
SHA256:  ––
2240
NTJjOGRkMz.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6F34ABD5FD82FD017D1E4EE031BD21B5
der
MD5: 37e612b663d502017f49058a868d80fb
SHA256: 277afb7006cde9f350b0fada88867e400ce35c261fdd82d0cefaadb7baca2502
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsB72.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\nsA87.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\get_local_output.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\ProgramData\boost_interprocess\1542701696\rQDxznZKTqRr
gmc
MD5: 1a877b7b83298cdb47da75382a689f99
SHA256: f3b0a431b7ea92b02e52c891310a7163ad0333b03b7494eef7937c97fd305014
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns99A.tmp
––
MD5:  ––
SHA256:  ––
2240
NTJjOGRkMz.exe
C:\Windows\TEMP\Tar3FC6.tmp
––
MD5:  ––
SHA256:  ––
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\ProgramData\boost_interprocess\1542701696\NRWohVOObORb
gmc
MD5: 228b6e96ea75ec9b2f5c22bb75980eb1
SHA256: 92239e028c6a89c493c27a46dab9b9198bab95a6af15ce6f95aeadce38a66313
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\ProgramData\boost_interprocess\1542701696\qAYIikLFSNux
gmc
MD5: 3257f8338662d08c64af5adfd3c2fb17
SHA256: 0a2d80da374693d0dc29164985bc4ce84b1ff9bfd5db0354c51fe9a861b1fc89
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nso447.tmp
––
MD5:  ––
SHA256:  ––
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\ProgramData\boost_interprocess\1542701696\fIMuJZKjJZTw
abr
MD5: f3a534d52e3fe0c7a85b30ca00ca7424
SHA256: 762b023699a0e48aa95763f0cf7c0467f1d6e9880308c78ebbc1c423de7072d3
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\ProgramData\boost_interprocess\1542701696\eCUFEKeGneHk
abr
MD5: 2d14244e3f3a05e2d572a13ab80b7761
SHA256: 56032f8926c17e271bfc3af177926f3d4ead7f43731a33ff02820f9a42011d73
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\ProgramData\boost_interprocess\1542701696\ZBWkajwQtEvi
gmc
MD5: a7df3766ea38999716bcf1033b36fad3
SHA256: 4adbd25ead88997e2bc08be72437a9e22b1e5c9e11dd7c08a6840aa6e0024d30
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nso448.tmp\brh.dll
––
MD5:  ––
SHA256:  ––
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nso448.tmp\brh.dat
––
MD5:  ––
SHA256:  ––
2240
NTJjOGRkMz.exe
C:\Windows\TEMP\Cab3FC5.tmp
––
MD5:  ––
SHA256:  ––
2364
NTJjOGRkMz.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert8.db
binary
MD5: 2cc749b98c770a65db2f2971e27ca737
SHA256: 86daf81b1cfda1b289e4364ee46aecd93cf998ef7c401e67141e9f36a7841f57
2364
NTJjOGRkMz.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\key3.db
binary
MD5: cf121ae29db70b0f3e45921f59f494fa
SHA256: c92fa41cf9e67ce809716b6594625b99f25413a34383fbf708022e7b11533a3a
2364
NTJjOGRkMz.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\secmod.db
binary
MD5: b0a8b3a8f3530832a4c972341a6245fd
SHA256: 974436a1c60becbee5cfbcf76f83bbdfb3ed5bdec41a67a219813f61c88e5006
2240
NTJjOGRkMz.exe
C:\program files\mdeyo\MDQ4Z
binary
MD5: e4d286feac8bf132512bbfc3f853c1fc
SHA256: 51b624a91db9b6ee4fd99142f5a4421cb517cb41c1fff41f78158149261293f5
2240
NTJjOGRkMz.exe
C:\Windows\TEMP\wjm2AC5.tmp
––
MD5:  ––
SHA256:  ––
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\ProgramData\boost_interprocess\1542701696\TsLSLykDpRzZ
gmc
MD5: 62aed4f3f9277808536c0ee59896f0ff
SHA256: e3ddd8f0bc54b698be4209d249f09005243bcde81bca394d4732ac75cd2441a3
2240
NTJjOGRkMz.exe
C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js
text
MD5: 6bbbc2843565da6b067953c7858902ca
SHA256: 5736f61a9d15507b31dcb07a2584052121dd1d4b4d4071b7d78fe1fcddae82e8
2964
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Windows\TEMP\nsvFBF6.tmp\JoNaet
––
MD5:  ––
SHA256:  ––
2240
NTJjOGRkMz.exe
C:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.dat
binary
MD5: 5c45d81487a580a527b20acaaab5e343
SHA256: 4cfae0ac06f8b0af986c007a1810761e4e94a2cb79a83345d69336f2dc7a043c
2240
NTJjOGRkMz.exe
C:\Program Files\Mozilla Firefox\defaults\pref\secure_cert.js
text
MD5: b717accbd73f63f14bab515f64ca5624
SHA256: b316d3934788f9d66494eff54ce9d4b1f2d235e7985dbdf1c0fc2ca1107c145d
2240
NTJjOGRkMz.exe
C:\Windows\System32\SSL\OTA3OTQzNTIxNm 2.cer
der
MD5: c6b6add906b173449a2b73fc78252001
SHA256: 5d5111e137d11ea45a8ef01cda3dacf491966ce699e41ae3e6a54eb30d7d28f1
2240
NTJjOGRkMz.exe
C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State
text
MD5: 5b4fa8ebe1b8be2d6e924ecc22897105
SHA256: b7f700eb7c93197dd4dedcd3a31b693284afd26cff6e5598f9c649f9148b1b00
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\ns24F0.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsjF7C5.tmp\brh.dat
binary
MD5: b297aa8bd8d1eef1d88e5af345ea721a
SHA256: e5f442befb71eb26a734317e2bcb77bc1bb36a9cdc102376101d2f196471c817
2240
NTJjOGRkMz.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\644B8874112055B5E195ECB0E8F243A4
binary
MD5: 6574f6a500e9ebb07ff076d0520488a1
SHA256: 253b6c06d14be6a2106269d86a59b2a8faac32d5b056ea8f7c87930b141c6111
2240
NTJjOGRkMz.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\644B8874112055B5E195ECB0E8F243A4
der
MD5: b83b6558af2f5b78ecd7cdc341c9190b
SHA256: 37583a2ca9b5367b4266c5aa5fed55874fd4bda8a5c3438c0ef6ed5867012267
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nsf4790.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\46B4.tmp-shm
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\46B4.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\46B3.tmp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][2].txt
text
MD5: dd8eaaff7a68aa78954683c9b5fa17a3
SHA256: cf2d6f214fc67e2ab5143575f12bc7382c6baa83794d428435e7ba3c254f7a2d
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\ProgramData\boost_interprocess\1542701696\TsLSLykDpRzZ
gmc
MD5: 62aed4f3f9277808536c0ee59896f0ff
SHA256: e3ddd8f0bc54b698be4209d249f09005243bcde81bca394d4732ac75cd2441a3
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Program Files\MDEyO\MDQ4Z
binary
MD5: 04125977580f31ff2a255d158026042f
SHA256: 4bd345402cfc233418257bd576e9806b615e96654750c9ff2aac4d5798764297
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\nspEDEC.tmp\JoNaet
––
MD5:  ––
SHA256:  ––
1324
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
1324
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1af2ae.TMP
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
1324
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NEG0RD93SI2JMK4SQISP.temp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\[email protected][1].txt
––
MD5:  ––
SHA256:  ––
3972
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
3972
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1aef62.TMP
binary
MD5: 0586db8ff5249ad980cec7bf2cbc3708
SHA256: df93e043bdfab9e6c36b353985e621a7a276756b52877aacdc5f36517009b4e2
3972
powershell.exe
C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TWZEUDH4XR642HXGGWCV.temp
––
MD5:  ––
SHA256:  ––
2156
b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe
C:\Users\admin\AppData\Local\Temp\4451.tmp
––
MD5:  ––
SHA256:  ––
2240
NTJjOGRkMz.exe
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6F34ABD5FD82FD017D1E4EE031BD21B5
binary
MD5: cceae1a4d8fa4ea0d5588b58833e074a
SHA256: ac823118d9c6f211b4fe9ca217d9e5f5c78c300be37b89dca1b6b9f2728c4591


Network activity

HTTP(S) requests
6
TCP/UDP connections
25
DNS requests
4
Threats
2

HTTP requests

PID Process Method HTTP Code IP URL CN Type Size Reputation
2240 NTJjOGRkMz.exe GET 200 217.182.14.231:80 http://technologietazo.com/addon/mapping?v=n13.14.1.312&os_mj=6&os_mn=1&os_bitness=32&mid=bd232adea4e970199b37e073c5dfb03e&uid=4E6866CC50C0449534CA9B289FFFC4CB&aid=3673&aid2=none&ts=1552558433&ts2= FR binary malicious
2240 NTJjOGRkMz.exe GET 200 2.16.186.11:80 http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D unknown der whitelisted
2156 b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe POST 200 217.182.14.231:80 http://technologietazo.com/installer/downloadsLog?unique_id=4E6866CC50C0449534CA9B289FFFC4CB&affiliate_id=3673 FR –– –– malicious
2156 b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe POST 200 217.182.14.231:80 http://technologietazo.com/installer/urlsLog?unique_id=4E6866CC50C0449534CA9B289FFFC4CB&affiliate_id=3673&br=iexplore FR text –– –– malicious
2240 NTJjOGRkMz.exe GET 200 192.35.177.64:80 http://crl.identrust.com/DSTROOTCAX3CRL.crl US der whitelisted
2240 NTJjOGRkMz.exe GET 200 2.16.186.27:80 http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgPcX%2FjNtaug6Iw%2FukjUag3aZA%3D%3D unknown der whitelisted


Connections

PID Process IP ASN CN Reputation
2156 b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe 217.182.14.231:443 OVH SAS FR malicious
2240 NTJjOGRkMz.exe 217.182.14.231:80 OVH SAS FR malicious
2240 NTJjOGRkMz.exe 217.182.14.231:443 OVH SAS FR malicious
2240 NTJjOGRkMz.exe 2.16.186.11:80 Akamai International B.V. –– whitelisted
2156 b564c3fba8f32d45ed5161ad6080bd3ad2665e4cded2f45e78e33df2943436b5.exe 217.182.14.231:80 OVH SAS FR malicious
2240 NTJjOGRkMz.exe 192.35.177.64:80 IdenTrust US malicious
2240 NTJjOGRkMz.exe 2.16.186.27:80 Akamai International B.V. –– whitelisted

DNS requests

Domain IP Reputation
technologietazo.com 217.182.14.231, 217.182.14.103 malicious
isrg.trustid.ocsp.identrust.com 2.16.186.11, 2.16.186.35 whitelisted
crl.identrust.com 192.35.177.64 whitelisted
ocsp.int-x3.letsencrypt.org 2.16.186.27, 2.16.186.11 whitelisted

Threats

PID Process Class Message
2240 NTJjOGRkMz.exe Misc activity ADWARE [PTsecurity] PUP.Optional.Wajam Payload m3

1 ETPRO signature available in the full report

Debug output strings

No debug info.