Malware Analysis Report

2024-11-15 08:09

Sample ID 221019-dlp2nafagp
Target mykings.exe
SHA256 220745aef5e98325145f8598d36a4684788f2be0d5f654c1345cb999c40b1ddf
Tags
imminent spyware trojan
score
10/10

Analysis Overview

score
10/10

SHA256

220745aef5e98325145f8598d36a4684788f2be0d5f654c1345cb999c40b1ddf

Threat Level: Known bad

The file mykings.exe was found to be: Known bad.

Malicious Activity Summary

imminent spyware trojan

Imminent RAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Drops file in Windows directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-19 03:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-19 03:06

Reported

2022-10-19 03:08

Platform

win7-20220812-en

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mykings.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mykings.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mykings.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svcchost.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mykings.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 832 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\mykings.exe C:\Users\Admin\AppData\Roaming\svcchost.exe
PID 1180 wrote to memory of 2020 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 584 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 968 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 2028 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 520 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 784 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1180 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\mykings.exe

"C:\Users\Admin\AppData\Local\Temp\mykings.exe"

C:\Users\Admin\AppData\Roaming\svcchost.exe

"C:\Users\Admin\AppData\Roaming\svcchost.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1972439084.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1398340774.xml"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\182360008.xml"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x564

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1368918789.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1717165496.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\688456484.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1268587474.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1429562427.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1007281206.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\816884268.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\977859221.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1829294908.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\588916159.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2091392166.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1826120149.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\258767492.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\255642308.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1254929335.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1835060325.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1157723204.xml"

C:\Users\Admin\AppData\Local\Temp\mykings.exe

"C:\Users\Admin\AppData\Local\Temp\mykings.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\854929591.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1086813874.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\245376616.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\293954894.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\642201601.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\983357375.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1436909824.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\693687375.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\615687112.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\469902703.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\160018157.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1039817576.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\11108564.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\172083517.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\101174187.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1407220576.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2092657308.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\293420368.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\641667075.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\802642028.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1150888735.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\122179723.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1240954358.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\399517100.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1099135698.xml"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rednovoh1.ddns.net udp
JP 58.158.177.102:104 rednovoh1.ddns.net tcp
JP 58.158.177.102:104 rednovoh1.ddns.net tcp
US 8.8.8.8:53 rednovoh1.ddns.net udp
JP 58.158.177.102:104 rednovoh1.ddns.net tcp
JP 58.158.177.102:104 rednovoh1.ddns.net tcp

Files

\Users\Admin\AppData\Roaming\svcchost.exe

MD5 7b1536fea767c01956cefca4b3e2da23
SHA1 3e76a59e3b9e70410948ff6bd9d7f3374d295d26
SHA256 220745aef5e98325145f8598d36a4684788f2be0d5f654c1345cb999c40b1ddf
SHA512 50ce4356a842a57705142b233528ff5fae6b716e8861cede95dab3dccb3db10e1e53f21d5bd9fec6225e798773b6f88c5258fae356997486a4fba4b929f586ec

C:\Users\Admin\AppData\Local\Temp\1972439084.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659


memory/1968-120-0x0000000000000000-mapping.dmp

memory/612-121-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1835060325.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/392-123-0x0000000000000000-mapping.dmp

memory/2012-124-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1157723204.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/1956-127-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/1976-128-0x0000000000000000-mapping.dmp

memory/392-129-0x0000000000000000-mapping.dmp

memory/1044-131-0x0000000000000000-mapping.dmp

memory/2016-130-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\854929591.xml

MD5 be9406bb06d7e6aad4fb0d7e52e30761
SHA1 fc1a80de80acb93bee8a4b4f2c4ecd102f34330c
SHA256 5c8c3fbd2a40ce5406191d36e900b007c600c4d5c87c8fc69e053860a95dfcce
SHA512 9b7ec47c3511b97d46690d77b0739140ed1342e8b59ce47479f9d8e71231b3874307bbf8e4b1bf28b718bb2b21c2883498b44dde7144fe77c0c57af588986e86

C:\Users\Admin\AppData\Local\Temp\1086813874.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/1472-134-0x0000000000000000-mapping.dmp

memory/1956-135-0x0000000074110000-0x00000000746BB000-memory.dmp

memory/1824-136-0x0000000000000000-mapping.dmp

memory/568-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\245376616.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/1528-139-0x0000000000000000-mapping.dmp

memory/1472-140-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\293954894.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/672-142-0x0000000000000000-mapping.dmp

memory/1976-143-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\642201601.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/2024-145-0x0000000000000000-mapping.dmp

memory/1708-146-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\983357375.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/1776-148-0x0000000000000000-mapping.dmp

memory/1552-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1436909824.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/1940-151-0x0000000000000000-mapping.dmp

memory/1968-152-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\693687375.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/1152-154-0x0000000000000000-mapping.dmp

memory/1956-155-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\615687112.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/1192-157-0x0000000000000000-mapping.dmp

memory/1152-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\469902703.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

memory/1916-160-0x0000000000000000-mapping.dmp

memory/1884-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\160018157.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\1039817576.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\11108564.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\172083517.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\101174187.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\1407220576.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\2092657308.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\293420368.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\641667075.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\802642028.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\1150888735.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\122179723.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\1240954358.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\399517100.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

C:\Users\Admin\AppData\Local\Temp\1099135698.xml

MD5 00d050e2f6ad48c0d3bd7dd81cd47451
SHA1 043a0c48780cc0df1a859c4733109ef2c97e5d48
SHA256 397dd6e973a548f72fd62059b78c0d6f79d568bd4c8404cce69bc69787b45545
SHA512 2f9e9024164f80b585a4411d69bb6e678229e972f978f6bf05b7fd851fe10186e48ce13eaed938027300ba037c401a9d0b9058cd81071de4df25a3bbefbeb659

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-19 03:06

Reported

2022-10-19 03:08

Platform

win10v2004-20220812-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\mykings.exe"

Signatures

Imminent RAT

trojan spyware imminent

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mykings.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Roaming\svcchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Roaming\svcchost.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Roaming\svcchost.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mykings.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\svcchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1388 wrote to memory of 1660 N/A C:\Users\Admin\AppData\Local\Temp\mykings.exe C:\Users\Admin\AppData\Roaming\svcchost.exe
PID 1660 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 4328 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 4252 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 4208 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1356 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 4040 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 3992 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 3140 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 4744 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1660 wrote to memory of 212 N/A C:\Users\Admin\AppData\Roaming\svcchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\mykings.exe

"C:\Users\Admin\AppData\Local\Temp\mykings.exe"

C:\Users\Admin\AppData\Roaming\svcchost.exe

"C:\Users\Admin\AppData\Roaming\svcchost.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1081629778.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1538307411.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1749087008.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\582910886.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1145062374.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\330258143.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1730721705.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\25901938.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\468565818.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\492073661.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1054225149.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\494476818.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\98828624.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1850664077.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1290915746.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\124739624.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2108459360.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1361439275.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\614419190.xml"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Delete /TN "Update\Update" /F


Network

Country  Destination          Domain              Proto
US       93.184.220.29:80                         tcp
US       8.8.8.8:53           rednovoh1.ddns.net  udp
JP       58.158.177.102:104   rednovoh1.ddns.net  tcp
JP       58.158.177.102:104   rednovoh1.ddns.net  tcp
US       52.168.112.66:443                        tcp
US       8.252.51.254:80                          tcp
NL       104.80.225.205:443                       tcp
US       8.8.8.8:53           rednovoh1.ddns.net  udp
JP       58.158.177.102:104   rednovoh1.ddns.net  tcp
JP       58.158.177.102:104   rednovoh1.ddns.net  tcp

Files

C:\Users\Admin\AppData\Roaming\svcchost.exe

MD5 7b1536fea767c01956cefca4b3e2da23
SHA1 3e76a59e3b9e70410948ff6bd9d7f3374d295d26
SHA256 220745aef5e98325145f8598d36a4684788f2be0d5f654c1345cb999c40b1ddf
SHA512 50ce4356a842a57705142b233528ff5fae6b716e8861cede95dab3dccb3db10e1e53f21d5bd9fec6225e798773b6f88c5258fae356997486a4fba4b929f586ec

C:\Users\Admin\AppData\Local\Temp\1081629778.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/1888-141-0x0000000000000000-mapping.dmp

memory/4252-142-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1538307411.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/4208-144-0x0000000000000000-mapping.dmp

memory/1192-145-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1749087008.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/1356-147-0x0000000000000000-mapping.dmp

memory/4040-148-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\582910886.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/3604-150-0x0000000000000000-mapping.dmp

memory/5004-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1145062374.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/4312-153-0x0000000000000000-mapping.dmp

memory/2764-154-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\330258143.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/1660-156-0x0000000074EC0000-0x0000000075471000-memory.dmp

memory/3960-157-0x0000000000000000-mapping.dmp

memory/3472-158-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1730721705.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/3992-160-0x0000000000000000-mapping.dmp

memory/2036-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\25901938.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/4236-163-0x0000000000000000-mapping.dmp

memory/1672-164-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\468565818.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/3140-166-0x0000000000000000-mapping.dmp

memory/4744-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\492073661.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/212-169-0x0000000000000000-mapping.dmp

memory/1568-170-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1054225149.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/2736-172-0x0000000000000000-mapping.dmp

memory/3536-173-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\494476818.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/2268-175-0x0000000000000000-mapping.dmp

memory/1392-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\98828624.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/3252-178-0x0000000000000000-mapping.dmp

memory/2712-179-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1850664077.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/444-181-0x0000000000000000-mapping.dmp

memory/4312-182-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1290915746.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/2320-184-0x0000000000000000-mapping.dmp

memory/4720-185-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\124739624.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/4280-187-0x0000000000000000-mapping.dmp

memory/1868-188-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2108459360.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/1296-190-0x0000000000000000-mapping.dmp

memory/2032-191-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1361439275.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/3660-193-0x0000000000000000-mapping.dmp

memory/2224-194-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\614419190.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/4884-196-0x0000000000000000-mapping.dmp

memory/3672-197-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\218770996.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/3644-199-0x0000000000000000-mapping.dmp

memory/1396-200-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1970606449.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/2480-202-0x0000000000000000-mapping.dmp

memory/2144-203-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\453058436.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/2208-205-0x0000000000000000-mapping.dmp

memory/2184-206-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\57410242.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/3132-208-0x0000000000000000-mapping.dmp

memory/1692-209-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\687345876.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/3180-211-0x0000000000000000-mapping.dmp

memory/4776-212-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1668653401.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/1716-214-0x0000000000000000-mapping.dmp

memory/4572-215-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1273005207.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/4084-217-0x0000000000000000-mapping.dmp

memory/4564-218-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\106829085.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/3544-220-0x0000000000000000-mapping.dmp

memory/2220-221-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\317608682.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/4236-223-0x0000000000000000-mapping.dmp

memory/5080-224-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\879760170.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/2672-226-0x0000000000000000-mapping.dmp

memory/3152-227-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1022755621.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/4944-229-0x0000000000000000-mapping.dmp

memory/3760-230-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1652691255.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

memory/1432-232-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1676199098.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\510022976.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\1842702392.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\325154379.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\116777939.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\1142697993.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\582949662.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\1915629078.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\749452956.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\189704625.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\1522384041.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\2084535529.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\147831479.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\358611076.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\1691290492.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\1131542161.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\735893967.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\340245773.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\1927981089.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\1113176858.xml

MD5 ab6d9f1d506e105f61283b4723c392d4
SHA1 d699764fe35c1a1326622c750d7f606d764ad009
SHA256 99168d87cfc4f3835474403e79502b7ebdcc5184b81a3d89c3428f468d178a2d
SHA512 746cd4e20d31f81d8083f3d21db7d0036944d9005adbf9d164a686fef38e065020b5dde9055318b77699dee03e0675799c8346a1bb50ca1bd0cabd5f98a26ec9

C:\Users\Admin\AppData\Local\Temp\1675328346.xml

C:\Users\Admin\AppData\Local\Temp\157780333.xml

C:\Users\Admin\AppData\Local\Temp\719931821.xml

C:\Users\Admin\AppData\Local\Temp\511555381.xml

C:\Users\Admin\AppData\Local\Temp\722334978.xml

C:\Users\Admin\AppData\Local\Temp\2055014394.xml

C:\Users\Admin\AppData\Local\Temp\118310344.xml

C:\Users\Admin\AppData\Local\Temp\1450989760.xml

C:\Users\Admin\AppData\Local\Temp\284813638.xml

C:\Users\Admin\AppData\Local\Temp\495593235.xml

C:\Users\Admin\AppData\Local\Temp\287216795.xml
